Using all the data at our fingertips is vital to the success of a hospitality business in the current digital landscape, but it’s time to be aware that harnessing these technologies comes with the added risk of cyberattack. Research by Trustwave, shared by ITbrief.com.au, states that “nearly 31% of hospitality organisations have reported a data breach in their company’s history”, while “the impact on reputation can cause significant harm to the bottom line.”
With cyberattacks affecting giants including InterContinental and Hilton, it’s time for hospitality to take cybersecurity seriously.
Building a cybersecurity culture and educating your team
“We take cybersecurity very seriously,” says Jeremy Courmadias, CEO of Fink, whose restaurants include internationally recognised Quay, Bennelong at Sydney Opera House and Firedoor.
“Gone are the days where you opened the door, turned on the stove and took orders with a notepad,” he tells InSeason. “Every part of the dining experience now can be integrated in some way with technology. From reservation systems to payroll.” Embracing these technologies to make dining experiences world-class means that the data used needs to be well guarded.
“What we look for in the technologies is that those platforms embrace the security component,” he says, pointing out that the cybersecurity protocols of any platforms they bring online are a key reason they choose or reject the technology.
“There are two things. One, how do they integrate with the other systems that you already use, and two, what levels of security do they have in place. Because we don’t hold a lot of that control ourselves, so we need to ensure – for the safety and security of our staff and guests – that those partners are taking it as seriously as we are.”
Courmadias advises that this goes right down to the kind of email address you are using, because something this simple is often a weak point.
“For a lot of the big technologies – like SevenRooms for example – their whole reputation is hedged on the security of their system. And yet, while we hear about scam emails every day, you rarely hear about the email providers being held accountable.”
While Courmadias acknowledges that you can’t control the individual clicking on a scam email, you can put protocols in place to help minimise the risks, and there are checks and filters that email providers should help to put in place too.
“You have to educate your staff, to ensure everyone knows what a scam email looks like,” he says, adding that this includes being clear about things you would never ask team members via email, and encouraging staff to verify requests in person.
“It comes down to how you are inducting staff and introducing them to the systems – no matter the [staff] turnover – and building a culture right from the day they begin. It even starts with the recruitment process and how they receive their contract.”
Multi-factor authentication and complex passwords
A large operation like Fink works with IT experts Flipside IT to manage its cybersecurity. While Courmadias acknowledges that outsourcing is expensive, he sees it as a necessary cost that provides access to dedicated skillsets.
At Flipside IT, Managing Director Peter Lloyd advises that plenty of industries aren’t taking cybersecurity seriously.
“It’s one of those things that’s just not important, until it is important,” he says. But he highlights that there are some very simple starting points that can be actioned in-house.
“Things that most people can do to lower their risk somewhere in the vicinity of 50 per cent.”
Lloyd has three areas that he believes can be instantly improved.
Firstly: “Every system you deal with should have multi-factor authentication, not just your email, but payroll and any third-party system you’re interacting with. If it doesn’t, it’s probably not worth the paper it’s written on. That’s a very basic thing you can do.”
Secondly: “Ensuring you use complex passwords, again, is a basic thing that most people can do.”
Thirdly: “I highly recommend a stringent accounting protocol. A lot of these attacks are about money and payments. So, it’s education around accounting protocols like changes to bank account details.”
After this, he suggests that an IT partner can take your cybersecurity to the next level. “They can prepare a plan of action, because it’s not a case of whether something will happen, it’s a case of when something happens how you will respond to that.”
Updating passwords, protocols and access
Nathan Merton of Critical Dramage agrees that an action plan is essential. With a background of 15 years in IT, he also spent three years working from the ground up as part of Swillhouse’s Baxter Inn team, giving him perspective from both sides of the bar – so to speak – as a hospitality staffer and as an IT professional. He now consults to hospitality businesses.
For Merton, a cybersecurity assessment identifies all the data touch points and their associated risks.
“Your finances are the most important starting point,” says Merton. “Understand who has access, and frequently review that.”
In addition to Lloyd’s complex passwords, Merton suggests that regularly changing passwords is part of the process, along with auditing who has access to your social media, particularly with high staff turnover.
The parting advice from all the experts is that once you’ve tackled your in-house protocols, you cannot assume that it’s a one-and-done solution.
“With hospitality there’re a lot of moving parts,” says Lloyd. “You can’t just say ‘we fixed it last year, let’s move on’. It’s dynamic and evolving, so you need to keep reviewing it.”