By Lena Combs, CPA, CGMA, RRP

Withum Practice Leader, Hospitality Services

Cybersecurity is not just a buzzword. In today’s technology-abundant world, it has become a critical undertaking for companies across all industries – including hospitality. The reality is that threats are lurking around each digital corner: attacks, the headlines proclaim, are now a question of “when,” not “if.”

In fact, the FBI’s 2018 Internet Crime Report revealed that upwards of $2.7 billion was lost to cybercrime. Also sounding the alarm is Juniper Research, which further predicts over 146 billion records will be stolen by 2023. It only takes a quick look at the widely publicized data breaches of corporate giants like Equifax and Facebook to know that the issue is dire and that no company or industry is safe. Especially not hotel operators.

Hotels are among the most affected cyberattack victims

Trustwave’s 2018 Global Security Report lists hospitality as one of the top three industries most vulnerable to payment card breaches. Other estimates project that hotels are the unwelcome recipients of around 20% of all cyberattacks.

Additional anecdotal evidence supports these numbers. One need not look further than Marriott’s Starwood chain, which recently disclosed the theft of over 25 million passport numbers and 380 million unique guests’ personal information. Such losses, however, are not new to the industry. Hilton, Hyatt and Trump hotels have all been cited for large-scale data negligence over the past few years.

Such unfortunate trends should not come as much of a surprise since hotels are hotbeds of sensitive information. Their data is spread out across porous digital systems and their sales are usually conducted through weak point-of-sale (POS) systems. The rigid security measures enforced at banks and tech companies simply do not come as naturally to hotels. After all, the industry has been and continues to be focused on cultivating a user-friendly atmosphere. Unfortunately, for hackers this combination is nothing short of a goldmine.

The risks of attack extend far beyond poor ethics

Phishing. Malware. Web attacks. Denial of service. The practical implications of these and other cyberattacks are far-reaching for any business – hotels very much included. Perhaps the greatest implication of a widespread data scandal is the brand’s integrity. Since a business’ hard-earned reputation relies heavily on instilling confidence in its customer base, a breach of trust is sure to compromise that relationship. And if an attack affects millions and is publicized to millions more, the impact on brand equity can be difficult to recover.

This begs another extremely important question: how does a hospitality owner/operator respond to such an egregious violation? Marriott, for instance, was criticized for not only the breach, but also for responding inadequately and unprofessionally. This is an example of how a truly terrible situation was quickly made even worse.

Beyond trust, the actual value of the brand in question now becomes cheapened. This also has additional far-reaching effects when a single brand is part of a larger national or multi-national hospitality company. At the speed of light, all of the brands and the parent company become tied to the one with the breach. In short, as more and more consumers become aware of the importance of reliable cybersecurity, a hotel that neglects this pain point is compromising the strength of its product among its competitive set.

Of course, there is the loss-of-revenue aspect to consider. Immediate reactions of outrage and continuous erosion of brand integrity both stand to hurt profits, as does the possibility of fines or reparation payments.

Legal action may pose the greatest risk of all, especially with the General Data Protection Regulation (GDPR) currently working to protect data privacy on a global scale. Violations can be devastating. Take Hilton, for example: While the brand “only” lost $700,000 back in 2015, today it could be fined up to $420 million.

Hospitality companies need to be hyper-vigilant

Considering that the annual frequency and severity of cyberattacks are only rising, the time is now to establish organization-wide security operations, recovery plans and budget allocations. To cover all angles of a potential hack, a cohesive top-to-bottom strategy is required and is best delegated to a trusted strategic advisor with depth of experience in cybersecurity breach prevention AND resolution.

For example, Withum’s cyber services team assists hospitality providers in identifying their valuable data assets, where and how they are stored and the strength of their current safeguards and detection vulnerabilities. By analyzing current activities, software infrastructure and data logs, Withum helps determine where the holes lie in the system and how to fix them.

Next, the goal becomes full-scale protection. From the technical side, this includes setting up firewalls and securing weak points (such as POS terminals). Furthermore, this is where regulatory compliance comes into play; beyond ensuring that it is currently maintained, field experts can come in to educate employees on best practices moving forward.

Now, what if a breach does occur? There needs to be an efficient method for detecting the attack and mitigating any damages. Lastly, to avoid the pitfalls noted above, a predetermined plan to address this worst-case scenario is vital. From reviewing insurance policies to preparing for impending litigation, recovery is a process best started with a go-to advisor before it is needed.

Undoubtedly, knowing where to begin this whole process is daunting. And being hacked can be devastating to the brand and bottom line. While most in-house teams lack the depth of resources offered by a one-stop cybersecurity advisor, there is immense value in collaborating with an advisor that has a proven track record and is capable of covering all these bases. The only way to avoid being another statistic in future Internet Crime Reports is by staying as far ahead of the looming threats as possible.


Withum is a forward-thinking, technology-driven advisory and accounting firm, committed to helping clients be more profitable, efficient and productive in the modern business landscape. For further information about Withum and the services provided to the hospitality industry, contact Lena Combs ( at (407) 849-1569 or visit