Hotel security no longer ends at reception
Hotels have spent two decades building a culture of physical security. That is a major achievement. The problem, however, is that the same effort has not been transferred to the digital environment, and by now that environment is just as complex as the operation of the hotel itself.

Author
Jaime Dordio
A type of security that has been internalised
For years, the hotel sector has worked on physical security until it has become almost automatic. Today, nobody questions whether a camera is needed in a corridor or whether there should be control at reception. It is taken for granted. It is part of the operation, just like cleaning a room or managing a booking. It has taken time to get here, but it has been achieved.
The same has not happened with cybersecurity. A hotel is still a physical space, but in practice it operates as a fairly complex technological system. Bookings, personal data, payments, access controls, third-party integrations, and more, all coexist in the same environment where people are constantly coming in and out every day. And that combination has implications that are often not fully understood.
When the “technical” stops being secondary
Cybersecurity has usually been treated as something technical, almost external to the business. Something that depends on providers, systems, on “the IT people”. Not as a structural part of the operation. And for a time, that was enough to keep things running.
It no longer is. And the change seen in recent years has not been gradual. It has a lot to do with how attacks have evolved. Years ago, there were certain signs that made it possible to detect that something was not right: a strange email, a suspicious link, a tone that did not fit. With a minimum amount of training, the team could stop many of those attempts.
Today, that has changed completely. Attacks are no longer generic; they are specific. They are built using real information, often obtained from previous leaks or even from open sources. They adapt to the type of hotel, the type of guest and the language the team normally uses. A message may look like a normal communication from an OTA, with a correct booking number, the name of a real guest and an exact amount. There are no obvious mistakes. There is nothing that “stands out” at first glance.
And they are also carried out at scale. What used to require time and knowledge can now be automated. The context has changed the speed of the problem more than its nature.
The operational reality of the hotel
At the same time, if you look inside, the hotel environment does not exactly make things easier. Numerous systems run at once, many of them tools that have been added over the years: PMS, channel managers, marketing platforms, payment systems, traveller registration, and more. Each one serves its purpose, but together they create a fairly broad attack surface.
On top of that comes the reality of day-to-day operations: shifts, staff turnover, shared accounts on devices, passwords on post-its, remote access for providers that is opened to resolve incidents and sometimes left open longer than it should be. A lot of paper documentation coexisting with digital systems. Quick decisions because the customer is waiting right in front of you.
This is not a problem of poor management. It is the reality of the sector. But it is a context in which, unless a certain order is put in place, security can almost unconsciously fall into the background.
What NIS2 is really forcing
This is where it starts to make sense to talk about NIS2, even though it is often perceived as yet another obligation. In reality, it does not introduce anything especially alien to what already exists in a hotel. What it does is force organisations to look at the whole picture with a certain logic: to know which systems are critical, who has access to them, from where and under what controls. And, above all, what happens when something fails.
When analysed calmly, it is usually quite clear where to start. The systems that handle guest data, payments, the internal network, access controls, the relationship with technology providers… there is no need to overcomplicate things in order to identify where the sensitive points are. The problem is that, in many cases, this analysis has never been carried out in a structured way.
A sector that has already been through something similar
The sector has already shown that it knows how to adapt to this kind of situation. It did so with physical security. Protocols were established, staff were trained, costs were assumed and it was integrated into the culture of the business until it stopped being a constant concern.
With cybersecurity, the process is similar, but the pace is different. Everything evolves faster and the pressure is greater.
And this is where the hardest point to accept appears: it is no longer optional, not because a directive says so, but because the context itself has changed. A hotel, because of how it operates, is an exposed environment: high traffic of people, many connected systems, a lot of sensitive information. That makes it a possible target, even if from the inside it is not always perceived that way.
Reducing noise, not adding more problems
The risk, moreover, is not especially visible because there is no clear physical sign. There is no incident that can be seen coming in advance and, by the time it is detected, quite often some time has already passed. That is what makes many teams most uncomfortable: the feeling of not having real control over what may be happening.
That is why, rather than adding layers of complexity, the approach should be the exact opposite: organise what already exists, close obvious gaps, establish clear criteria and, from there, be able to operate with a certain peace of mind. Just as is done with physical security.
A hotel already has enough fronts open without turning cybersecurity into yet another one that demands constant attention. The reasonable thing is for it to be resolved in a way that does not interfere with day-to-day operations.
Returning to the focus of the business
What can make the most sense for hotel companies is to rely on a specialised team. Not so much to introduce technology, but to structure, support and take on that part which, while critical, should not consume the business’s internal resources.
In the end, it is about recovering focus. Ensuring that security — digital security too — stops being a vague concern and comes under control. And that the hotel can continue operating as what it is: a business that has to look after its customers and function normally, without having to constantly watch what might go wrong.