In an ever-more digital world, the hospitality and leisure industries are flourishing by embracing technology to enhance customer experiences and streamline operations. However, rapid technological advances also introduce a worsening risk landscape, as the industry faces a slew of cybersecurity challenges.

From hotels and restaurants to travel agencies and entertainment venues, businesses operating within these sectors are confronted with a range of vulnerabilities that can expose them to data breaches, ransomware attacks, and other cybersecurity threats.

Following the money

The hospitality and leisure industries are particularly vulnerable to cybersecurity threats due to their heavy reliance on digital systems for reservations, guest data management, and payment processing. One significant challenge is the vast amount of sensitive customer information that these businesses collect, including personal details, credit card information, and travel itineraries. This makes them an attractive target for cybercriminals seeking to exploit these data repositories. 

Hotel chains, for instance, often maintain large databases of customer data, making them prime targets for data breaches. Cybercriminals can use this stolen information for various malicious purposes, including identity theft and financial fraud. According to Verizon's 2023 Data Breach report, financial gain is the only motivation for data breaches in the hospitality and accommodation space due to the sheer number of point-of-sale services and user financial information available.

Supply chain attack surface

"An organization’s attack surface spans beyond just the technology that they own or control..." ~Aleksandr Yampolskiy, CEO of SecurityScorecard

The interconnected nature of each industry's supply chain adds another layer of complexity to its cybersecurity landscape. Third-party vendors, such as reservation platforms, payment processors, and online travel agencies, all play crucial roles in these industries' operations. However, their vulnerabilities can also become entry points for cyber-attacks. The 2023 report by the Cyentia Institute and SecurityScorecard stated that 98 percent of organizations have vendor relationships with at least one third party that has experienced a breach in the last two years. Furthermore, the same study showed that, for every third-party vendor, an organization may be indirectly tied to 60 to 90 times that number through fourth-party relationships.

Compared with the company's own security, these third-party vendors are five times more likely to exhibit an immature and poor security model. A breach in any of these interconnected systems can potentially cascade through the entire network, affecting multiple businesses along the way.

The bigger they are, the larger the impact 

Despite having greater resources, large businesses within the hospitality and leisure industries are not immune to these abundant cybersecurity challenges. In fact, their scale and complexity can sometimes amplify these challenges. While larger enterprises may have sufficient capital at their disposal to invest in cybersecurity, their expansive networks and multiple points of entry can provide cybercriminals with more avenues for attack. This is particularly true for multinational hotel chains, cruise lines, and theme park conglomerates that operate across diverse geographical locations, each with its own set of regulations and potential vulnerabilities.

These large businesses may also face challenges in terms of coordinating cybersecurity efforts across various departments and branches. The sheer size of their operations can lead to fragmented security strategies, making it easier for cybercriminals to exploit gaps in defenses. Moreover, the higher volume of sensitive data stored and processed by these entities increases the potential impact of a breach. A successful attack on a large hotel chain, for instance, could compromise the personal information of thousands or even millions of guests, resulting in severe reputational damage and potential legal consequences.

What's next?

Only through a concerted effort to fortify digital defenses can the hospitality and leisure industries ensure the safety of both their operations and the valuable customer information they handle. There are several initial steps that can be taken to mitigate security risks:

  • Scrutiny of cybersecurity obligations set forth in contractual agreements between third-party vendors and your company, with cybersecurity vendor assessments conducted prior to engagement.
  • Continuous training for employees to enforce a strong understanding of phishing and social engineering tactics and how to avoid them.
  • Routine internal and external cybersecurity diagnostic assessments to verify that governance, risk, and compliance (GRC) capabilities, incident response plans, and cybersecurity program maturity are at peak performance, as well as to maintain a cost-efficient cybersecurity and IT program.

The AlixPartners Cybersecurity Practice is heavily aligned with the hospitality and leisure industries, with our finger on the pulse of current events. From supply chain risk assessments to vulnerability assessments of your externally facing assets, our team of experts is here to assist you in verifying whether your cybersecurity maturity meets the respective industry's standards and whether it is ready for the challenging cybersecurity road ahead.