Luke Irwin, Copywriter at GRC International Group Plc and a finalist in the Cyber Writer category in the Security Serious Unsung Heroes Awards 2019.
The hospitality sector has been clamouring for technological innovation recently, with organisations eager to find novel ways to improve the customer experience.
You might have heard about Connie, a Watson-enabled robot concierge that’s been introduced at the Hilton in McLean, Virginia. But that’s just one example of cutting-edge technology sweeping the hotel industry, with many organisations leveraging IoT (Internet of Things) and other ‘smart’ tech to give customers a taste of the future.
However, there’s a growing perception that all this gadgetry is a distraction from the fundamentals of the hotel business: ensuring that guests’ privacy is intact and their information is secure.
Focus on security
Security and privacy are huge issues. Data breaches hit the headlines practically every day, and privacy concerns, such as those at Facebook and Amazon, have caused customers to turn away from services or at least take a keener interest in the way organisations use their information.
It therefore makes sense that organisations plough whatever resources they have into addressing these concerns. This is particularly true for the hotel industry, which is one of the worst-affected by cyber crime and data breaches.
Crooks target hotels because they store large volumes of data, including names, addresses and payment information, and process the majority of transactions through POS (point-of-sale) machines, which are susceptible to malware.
Marriott’s 2018 data breach, which affected 383 million customers, was the latest in a long line of high-profile hotel breaches, following incidents at Radisson, Huazhu, Hilton and Hyatt.
Meanwhile, researchers at Symantec recently found that two out of every three hotel websites inadvertently leak guest information to third parties, giving unauthorised personnel the power to view, change or cancel bookings.
The study, which polled 1,500 hotels in 54 countries, also discovered that 67% of the hotels’ websites leaked booking reference codes and other information to advertising networks and analytics companies.
Additionally, some hotels leaked passport numbers and financial details, including the last four digits of payment cards, card types and expiration dates.
Symantec also reported several other alarming security lapses. For example, 29% of hotels didn’t encrypt initial links containing booking IDs and references to customers, which could enable crooks to eavesdrop and steal these details.
The researchers concluded that many of the hotels “have been slow to acknowledge, much less address” this risk, with 25% of the hotels’ privacy officers failing to respond to Symantec’s findings within six weeks.
Balancing security and experience
If you asked guests whether they’d rather hotels protected their personal information or gave them smart tech, we doubt there’d be much of a debate. But that’s a moot point, because there’s no reason why hotels can’t provide both. They just need to find the right balance.
Part of the issue relates to budget. Security technology is, in most cases, cheaper and simpler to implement than cutting-edge technology. ISO 27001, the international standard for information security management, and guidance related to the GDPR (General Data Protection Regulation), give straightforward instructions on how to achieve effective security.
Smart technology, by contrast, is defined by its lack of guidelines. Its appeal is in its originality, so those wanting to implement new ideas need to invest in the concept and ride out the teething problems. Once the technology is suitably affordable, it can be widely adopted – but with a severe dip in the novelty factor (and, by extension, the competitive advantage it offers).
It’s therefore not a case of what can organisations afford but what’s going to give them the best return on investment. Despite the increased attention that the public pays to information security, it’s usually impossible to know whether an organisation has lax security until it suffers a breach.
That’s hardly an effective security strategy, because customers aren’t going to turn a blind eye to a data breach just because your organisation has an Internet-enabled mini-fridge. Unfortunately, it’s a lesson that hotels are only learning after the fact.
Regardless, hotels will be equally affected if they don’t invest in innovation. A high-end hotel needs to keep up with the vanguard, and that’s becoming an increasingly uphill battle.
But this only calcifies the argument that innovation and security are not in opposition. Rather, hotels need to realise that both smart tech and cyber attacks are inevitable, so their tech needs to be more secure than their competitors’.
Many hotels will rightfully argue that there are security benefits to high-end technology. Let’s go back to robot receptionists, which not only give guests a unique check-in experience but also mitigate the risk of data breaches caused by human error.
By taking the human out of the equation, hotels avoid the risk that a member of staff will provide a guest with incorrect information or enter personal data into the wrong fields. Likewise, it removes the possibility for insider misuse; guests enter their personal and payment details directly into the hotel’s systems, bypassing the possibility of a receptionist misappropriating the information.
On the face of it, there are no downsides. Automating the reception desk enables the hotel to speed up transactions, cut costs and improve its security.
But that’s only the case if the devices abide by Asimov’s Three Laws of Robotics, which is easier said than done, as Japan’s Henn-na Hotel, or ‘Weird Hotel’, learned to its cost. It opened in 2015 as the world’s first hotel run mostly by robots, including receptionists that were modelled on dinosaurs.
In a development that shouldn’t surprise anyone (particularly fans of Michael Crichton), things quickly went wrong.
The 243 robots were tasked with managing every aspect of guests’ experience, including check-in, luggage carrying, concierge and in-room assistance, but visitors soon began complaining and the robots were quickly terminated.
Yoshihisa Ishikawa, for example, told the Wall Street Journal that he was repeatedly awoken in the middle of the night by the in-room assistance as his snoring triggered the robot to ask, “Sorry, I couldn’t catch that. Could you repeat your request?”
The hard-of-hearing robot incident isn’t just a case of technology disrupting guests; it’s a privacy breach. The only thing that makes the public trust that personal assistance devices, like Alexa and Siri, aren’t constantly spying on us is the belief that the devices only activate when their owner utters a specific phrase.
If a machine can mistake the sound of snoring for an activation phrase, who’s to say that the technology isn’t always listening in on our conversations?
It’s one thing to have a personal device listening to you at home, but there’s something altogether more sinister about a hotel spying on its guests. Even perfectly well-intentioned consequences, like the windows opening when you mention to a fellow guest that you’re hot, seem unsettling, and that’s before you get on to the ways the tech could be used to make money from you.
It might not have been a Westworld-style nightmare, but the Weird Hotel’s pursuit of novelty created a worrying situation that other hotels need to acknowledge. Innovation cannot be the goal itself; rather, you must consider what the technology achieves and its potential unintended consequences.
But why strive for robots at all? The technology has limited capabilities, with many guests reporting communication issues, and there are plenty of other innovations that are affordable, implementable, and give guests something they actually want.
Which technologies can help?
According to a Hospitality Tech survey, the industry’s top two challenges are a lack of IT budget and outdated technology architecture. These are core principles of security, and must be addressed if any guest-facing technology is going to be effective and secure.
As for improving user experience, RevFine suggests that biometrics is one of the most significant emerging trends. This is the case across all industries – recognition technology is set to overhaul payment card transactions later this year, for example – but there are clear benefits to biometrics in hotels.
The technology could be used alongside or instead of key cards when accessing your room, and it could be linked to a variety of services across the hotel. With a swipe of your finger, you could add a meal to your tab or enter the VIP lounge.
For your organisation to get the most out of biometrics, or any tech, you need to ensure that it’s integrated with the rest of your systems. You cannot think of technology as a replacement for people; rather, the two support each other alongside processes as the three core aspects of information security.
A version of this article originally appeared on itgovernance.co.uk.