
Cyber criminals eye the hospitality industry

By Staff Writer, ITWeb
Johannesburg, 31 Jul 2018
Kris Budnik, cyber lead for PwC Africa.

Any industry that holds a wealth of personal and financial information on its customers is a prime target for cyber crooks.

Hospitality is the industry with the second highest number of cyber security breaches after the retail sector, with the majority of the industry's prominent hotels having suffered a breach.

These are two of the key findings of the PwC Hotels Outlook report, 2018-2022.

"The last two years have been particularly worrisome for the hotel industry, with a number of high-profile breaches taking place, and if we look at this trend, it is not going to get better," says Kris Budnik, cyber lead for PwC Africa.

He says PwC's latest Privacy and Security Enforcement Tracker shows that regulators are coming down harder on businesses that fall victim to a breach, which is illustrated by the 'significant increase' in the number of financial penalties imposed on organisations that have not adequately protected their data.

In addition, he says government efforts to curb the threat of data breaches inevitably lead to more regulation.

"The legal and regulatory issues are just one aspect of the consequences of the poor implementation of cyber security and privacy. Businesses need to think about trust, confidence and brand health as well as reputation."

GDPR

The introduction of the EU's General Data Protection Regulation (GDPR), says Budnik, has fundamentally changed our perceptions of how personal data should be handled in business. The GDPR will have a global effect as businesses offering goods and services to EU residents fall within its broad territorial scope.

He says SA's Protection of Personal Information Act (PoPI) is expected to come into force within the next year, giving organisations a year to comply, and in the meantime, the Regulator is actively responding to privacy complaints and asking businesses to investigate and remediate.

Regulators are allowed to impose fines on companies of up to 4% of group annual worldwide turnover under the GDPR and up to R10 million under POPIA per breach. In addition, both pieces of legislation enable individuals to pursue civil liability claims for the misuse or breach of their personal information.

"The litigation risk alone warrants the attention of the C-suite. It is essential that executives understand where to look for the biggest exposures and how to correct their approach to cyber and data security."

Digitisation

According to PwC's 2018 Global State of Information Security Survey (GSISS), which surveyed 9 500 executives in 122 countries, 59% of leaders say digitisation has increased information security spending, as they anticipate cyber-attacks against their automation and use of artificial intelligence.

The survey also revealed that the top sources of security breaches were current employees (30%), former employees (27%), and unknown hackers (23%). Those surveyed said the main attacks saw customer and employee records being compromised, as well as the loss of internal records.

Budnik says while the collecting and processing of personal data is used by businesses to streamline and improve the customer experience, ironically, it is increasing the attack surface for criminals and internal employees, who may be fraudsters. "What should be an exercise in improving customer trust and loyalty ultimately becomes an exercise in increased reputational and bottom-line risk."

Hospitality organisations should take a holistic view of the value chain, from how guests place bookings, check in, interact with facilities, check out and recommend, and everything that happens in between (such as records management, technology and surveillance), to identify key cyber security and privacy exposures and how these will be addressed.

He says to develop an effective security and compliance strategy, businesses must understand their special characteristics and the needs of their stakeholders. "As awareness grows, we are rapidly approaching a tipping point when organisations realise they have no choice. They have to do much more to tackle the cyber security and privacy risks they face and live up to the expectations that society places in them."
