We’re now in the heavy holiday season for the hospitality industry, with Christmas and New Year’s Day fast approaching. During this time, your hotels are jam-packed and your staff are rushing back and forth to take care of your guests’ needs. That must mean one thing: it’s peak season for cyberattackers.
Bad actors know that now is a great time to gain access to your sensitive data, because your personnel are distracted with the holiday rush. The question isn’t IF your properties will be attacked, but WHEN and HOW.
Even though you can count on an attack, that doesn’t mean your hotels have to fall victim to it. Here are some ideas for how to protect your hotel properties’ sensitive data from opportunistic cyberattacks during the holidays.
Don’t Cut Corners with Background Checks
If you’re conducting seasonal hiring, you may be bringing in bad actors who will take advantage of the opportunity to breach your data from inside your organization. You may need to fill your staffing needs fast, but speed doesn’t justify a very public data breach.
I can’t emphasize enough how important it is to do your due diligence and perform a thorough background check on every single applicant you intend to hire. Background checks may be perceived as slowing down your hiring process, but in many cases they can be run online and completed within hours. So don’t allow this misconception to guide your organization down the wrong path.
Train and Retrain Your Employees for Cybersecurity Awareness
If your organization hires seasonal employees to help with the holiday rush, it’s critical to ensure that they are well trained for cybersecurity awareness best practices, and that they know how to watch for anything suspicious.
Since they’re only around for a few weeks and you need to get seasonal employees onboarded fast, it may be tempting to skim through security-related training. This would be a great mistake. Bad actors are counting on your staff to be lax with best practices, and an undertrained seasonal employee is just the ticket they need to gain access to your systems.
Your busiest times are the most important times to double down on security training for all your employees, whether they’re brand new or celebrating their twentieth year with you.
If your holiday security training is simply a rehashed version of stale training sessions from years ago, your hotels will be woefully unprepared to protect your company’s sensitive data and financial transactions. While the same old holiday scams are in play in 2025, you’ll need to prepare your staff for the latest cyber threats at each hotel location.
Don’t limit holiday training exclusively to hotel employees. Corporate staff should be trained and retrained, including IT personnel, online customer service, and compliance teams.
Heighten Your Physical Security
You can’t have adequate cybersecurity without adequate physical security. With more guests and a full property that’s buzzing with bodies, it’s easy to let physical security requirements slip. The holiday season is the most important time to get anal retentive about following proper procedures. Monitor your physical security throughout the day, and keep your staff accountable to do the same.
Some examples of physical security best practices that your hotel staff should be following:
- Check your surveillance system to be sure every camera is working properly and positioned correctly.
- Ensure the right doors are locked at the right times and that no external entrances are propped open, even for a moment.
- Verify that your lobby’s security and safety procedures are properly followed at all times.
- Check POS devices for any signs of tampering.
- Make sure your POS and computer terminals are inaccessible to guests. USB ports should be out of reach.
- Shut off every open USB port that you don’t need to use.
- Train staff never to hold a locked door open for others out of politeness — even fellow employees.
Physical security extends to guest policies, too. ’Tis the season to be diligent about validating guest identities. The busier your lobby, the more likely you are to get brazen individuals who come in and attempt to gain access to sensitive data such as guest information, or to take over guests’ credit card accounts or loyalty accounts.
Because it’s busy, it’s critical to pay extra attention to best practices: validate and vet guests appropriately before taking action and potentially revealing any sensitive data.
Ramp Up Your Ransomware Vigilance
Your busiest periods are prime time for increased ransomware and malware attacks. Even obvious phishing attacks can be successful when your employees are rushed with more work and more demands for their attention.
Monitor your devices and the emails and text messages that come to your systems through various channels. Be extra vigilant and question every email and phone number that you don’t recognize. If you receive an unexpected call or message — even if it looks like it’s from someone you know — treat it with suspicion.
Deepfake technology is extremely advanced, and attackers can now use AI to replicate anyone’s voice. Combine that with phone number masking technology and a bad actor can easily pass themselves off as the branch manager or an employee.
Likewise, be aware of social engineering style attacks, and train your employees to recognize them. Attackers may attempt to gain access to guest information or credit card data. Social engineering tactics can come from any number of channels, including face-to-face interactions, emails/texts, or phone calls.
Protect Your Internal Networks
For the hospitality industry, firewalls, antivirus, and the internal network are more important than ever during the holidays. Perform thorough security testing a couple of months in advance of the busy season to ensure that your internal systems are ready for the attacks they are going to receive throughout the holiday rush.
This gives you near-term visibility into potential issues, with plenty of time to remediate anything that needs to be addressed.
Also go into a lockdown period during the holidays, so that no changes are made to your systems that could expose additional unintended security vulnerabilities.
During this testing, take all of your remediation very seriously. I recommend remediating more than just your externally facing high and critical items. Anything you leave open is a potential loophole that could be leveraged with another vulnerability to create a larger vulnerability. Issues that appear benign (informational, low, or medium) could be combined to create a much larger problem.
Inventory and Monitor Every Device
As a hospitality organization, you have a lot of technology that may be susceptible to attacks — for example, smart thermostats and smart locks. You may have integrated a voice-assisted help line. These advanced technologies can provide new opportunities for bad actors to gain access to your internal system and exfiltrate sensitive data. Just because they use the phrase AI doesn’t necessarily mean they are actually intelligent.
Stay on top of new threats and new vulnerabilities that could put your hotels at risk whenever you adopt new technologies or devices.
It isn’t just the server room, the firewall, or the POS systems that provide entry points for bad actors. Even a smart TV can be a gateway to your sensitive information.
The challenge for many organizations in the hospitality industry is that when you acquire a new property, you inherit that property’s systems and devices. Often, those systems will operate on different technologies from your other properties. More diversity means more opportunities for failure — especially if you don’t have a complete and accurate device inventory to work off of.
When you test your systems, make sure that you hit every single device at every single property and corporate location. That includes door badge systems, smart devices, networked printers — you name it. Even smart mirrors. If it draws an IP address, it can be used to gain access to your internal network.
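One way to check that testing really covers every device that draws an IP address is to reconcile what each property's network reports against the device inventory. The sketch below is an added example, not part of the original article; the property names, MAC addresses, tuple layout, and the idea of using a DHCP lease export as the "observed" list are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (hypothetical properties, MACs and device types).
INVENTORY = [  # (property, mac, device_type, last_tested or None)
    ("downtown", "00:11:22:AA:BB:01", "pos-terminal", "2025-10-02"),
    ("downtown", "00:11:22:AA:BB:02", "door-badge-controller", "2025-10-02"),
    ("downtown", "00:11:22:AA:BB:03", "smart-thermostat", None),
    ("airport", "00:11:22:CC:DD:01", "networked-printer", "2025-09-28"),
    ("airport", "00:11:22:CC:DD:02", "smart-lock", "2025-09-28"),
]
OBSERVED = [  # (property, mac, ip), e.g. from each site's DHCP lease export
    ("downtown", "00-11-22-aa-bb-01", "10.10.1.21"),
    ("downtown", "00:11:22:aa:bb:03", "10.10.1.57"),
    ("downtown", "00:11:22:aa:bb:99", "10.10.1.88"),  # e.g. an unlisted smart TV
    ("airport", "00:11:22:cc:dd:01", "10.20.1.14"),
    ("airport", "00:11:22:aa:bb:02", "10.20.1.40"),  # inventoried at another site
]

def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff so exports in different formats compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(inventory, observed):
    """Group inventory gaps by property: unknown, wrong_site, untested, not_seen."""
    known = {normalize_mac(m): (site, kind, tested) for site, m, kind, tested in inventory}
    report = defaultdict(lambda: {"unknown": [], "wrong_site": [], "untested": [], "not_seen": []})
    seen = set()
    for site, mac, ip in observed:
        mac = normalize_mac(mac)
        seen.add(mac)
        if mac not in known:                      # on the network, not in inventory
            report[site]["unknown"].append((mac, ip))
        elif known[mac][0] != site:               # inventory says a different property
            report[site]["wrong_site"].append((mac, ip, known[mac][0]))
    for mac, (home, kind, tested) in known.items():
        if tested is None:                        # inventoried but never security tested
            report[home]["untested"].append((mac, kind))
        if mac not in seen:                       # inventoried but not on the network
            report[home]["not_seen"].append((mac, kind))
    return dict(report)

if __name__ == "__main__":
    for site, findings in reconcile(INVENTORY, OBSERVED).items():
        print(site, findings)
```

MAC addresses can be changed or randomized by a device, so a match here is a starting point for physical verification rather than proof of identity.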
Vet Your Vendors
Your vendors could be a security risk for your hotel organization. Make sure that every third-party vendor you use is doing its due diligence on its security practices. This goes for HVAC services, hosting providers, staffing agencies, janitorial services, equipment repair, and more. If they have access to your premises or your systems, they must be thoroughly vetted.
Ideally, you should be auditing vendors based on the timing of their compliance paperwork, about a month after their own annual compliance audits ought to have been completed. That way, you have the latest information about the state of their security, not something that’s already 10 or 11 months out of date.
You also mitigate the risk that a vendor that isn’t taking its responsibilities seriously goes rogue, unnoticed, for the better part of a year.
May Your Holiday Season Be Merry and Protected
No one in the hospitality industry wants to find out that their successful busy period was also the time when their sensitive data was breached. Both the revenue and goodwill you gained from the holiday rush would be gone in an instant once you discover you have a data breach to report.
But following these best practices can help keep your hotel organization safe and protected from attacks along every attack vector. Make this your most joyous and successful holiday season yet.

