Editor’s note: This is the second in a four-part series titled “Hotel resolutions for 2012.” The third installment, “5 resolutions for hotel operators in 2012,” will be published Thursday, 5 January.
GLOBAL REPORT—Anticipating risk in the hotel security field is an imprecise art—one that’s grown increasingly difficult with the introduction of new technologies, regulations and global threats. But when asked for the areas of top concern for 2012, the usual suspects still top the list: information-technology breaches and terrorism, hoteliers said.
Yet, the reasons each appears on hoteliers’ to-do lists are changing. IT professionals now face new challenges brought on by the prolific use of cloud technologies and mobile devices.
Even though hotel security professionals and government agencies have quelled fears so successfully that travelers are less sensitive to potential threats, anti-terrorism efforts still face an emerging risk from complacency.
Benchmark Hospitality Group
The result is a field that requires more focus than ever before, said Darrin Pinkham, VP of information technology for The Woodlands, Texas-based Benchmark Hospitality Group, which manages 26 properties throughout the United States.
“Security is getting harder and harder. We’re spending more and more money on it, and that’s at every level,” he said.
Hoteliers interviewed for this report recommended focusing on the following five areas during 2012:
The hot-button issue within the realm of hotel-information technology is mobile and cloud technology.
“In general most mobile devices that are used for business remain unprotected, including lack of any password, let alone a complex password,” said Anthony Roman, founder and CEO of Lynbrook, New York-based hotel security company Roman & Associates. “Rarely do we find that any business using smart mobile technology has any encryption on it whatsoever. Even less than that do we find that there are written policies and procedures relative to the securing and protection of mobile devices, technology and the information continued within them.”
Amplifying the problem is the sheer number of devices, he added. A company could have tens of thousands of smartphones or laptops in the field at any given point—each a potential gateway to hackers and other criminals.
A good place to start to shore up those gaps in protection is with the Payment Card Industry’s Data Security Standard, which includes 12 “biblical” principles critical for any hotelier, Pinkham said. Though PCI DSS focuses specifically on the way hotels collect and store payment information, its requirements—which are getting stricter—will help shield hoteliers against other breaches as well.
Pinkham also recommended resources from Hospitality Financial and Technology Professionals and Hotel Technology Next Generation.
But IT protection goes beyond PCI DSS. Data security protection must include end-to-end management that takes a more comprehensive approach, said Ulf Mattsson, chief technology officer for Protegrity, a Stamford, Connecticut-based data security provider.
“We need to think more than compliance. We need to look at cost and benefit and how it’s supports the business,” he said. “The core principle is to provide end-to-end data protection so you are not just patching.”
Tokenization, which replaces sensitive data with an arbitrary value, is one such end-to-end solution, he said.
HotelManagement Ad Will Appear Here
Ironically, one of the main reasons terrorism tops the list is because it has become less of an issue in recent years, sources said.
“It makes it a little bit harder to get things done because people are like, ‘Terrorism? That’s 10 years ago,’” said Chad Callaghan, security consultant for the America Hotel & Lodging Association.
Stressing diligence requires a delicate touch, however, Callaghan said. Hoteliers need to keep their staffs and travelers mindful of possible threats, but they don’t want to scare them.
Roman is a strong proponent of integrated risk management, “a concept in which all hotel business management departments including the executive level integrate with each other to assess corporate wide risk, from IT, to security, to business,” to combat terrorism and other security threats.
Roman & Associates
The process requires constant communication and the sharing of best practices, often through appropriate software and IT software, he said.
Callaghan and the AH&LA are taking a more industry-wide approach, stressing diligence from the executive level downward.
The association also supports education among travelers. During November, it revived its “If You See Something, Say Something” campaign along with the Department of Homeland Security.
“Don’t assume that you don’t need to continue to fund your security effort at your hotel,” Callaghan said. “And also initiatives like the ‘see something, say something’ campaign become very important as well.”
A related threat is that of “skimmers,” or devices that catch credit card numbers when consumers use them for payment. The problem primarily is contained to the restaurant industry, but Callaghan is concerned it could spread to hotels.
“It’s not an easy thing to stop,” he said. “You have to go investigate. You have to be aware of complaints about a particular outlet. Once you have that, you can back into it and find out who the workers on duty were at that point.”
Skimmers typically require an “inside man” or worker who swipes a credit card through a device before processing the payment. These are usually not hardened criminals, Callaghan said; they’re just “opportunists.”
The best prevention measure is to have an investigative team or third party on hand and making that known to employees, he said.
“If you have the capability of having an investigations team or using a third party, having people aware that this is something available and out there … just the fact that people know that you have the capability to do that will keep honest people honest,” he said.
4. Liability and insurance fraud
These two related issues can double, triple, quadruple and quintuple corporate insurance premiums in the blink of an eye, Roman said.
“The greatest business risk, as I see it … is insurance fraud. And it’s the most expensive,” he said.
It can include claims as small as a guest seeking a free room for stubbing his toe in the shower to extreme cases involving prolonged entanglements with worker’s compensation, Roman said.
“Liability” as a general label refers to hoteliers being held liable for the acts, which are often criminal, of third parties, the AH&LA’s Callaghan said.
A recent high-profile example involves ESPN reporter Erin Andrews, whose privacy was violated when a stalker filmed her changing in her guestroom through a peephole. Andrews in December filed a US$10-million lawsuit against a Marriott hotel in Nashville and the convicted stalker.
Whether frivolous or not, such cases are costly because they have to be defended and often settled, Callaghan said. “I don’t see that abating at all.”
He advised hoteliers to educate themselves on the issue, consulting with an attorney, if necessary.
“Sometimes hotel operators live in a little bit of a fantasy world when it comes to liability,” Callaghan said.
5. Security as taboo
“Security” still is something of a taboo in the global hotel industry, said Paul Moxness VP for corporate safety and security at The Rezidor Hotel Group, a Brussels-based hotel management company, with more than 400 hotels and nearly 90,000 rooms in its portfolio.
Not only is it a topic that might give some guests the jitters, but it’s one many hoteliers fear is akin to Pandora’s box—once it’s opened, all the problems will be released. The truth is just the opposite, Moxness said. If security becomes a permanent and prominent part of day-to-day operations, it’s more likely hoteliers will be better able to address it.
“It’s like a little kid that can’t sleep because there’s a tiger in his closet or a lion under his bed, but if you turn the light on, you’ll find that it’s not there,” he said.
Hoteliers need to do a better job of “turning on the light” by talking about security openly and regularly at staff and association meetings, Moxness said. Hotel executives should insist their GMs make security a priority.
“It has to be from the top down,” he said.