The possibilities for artificial intelligence (AI) are expanding exponentially in the hospitality industry. Around the world, hotels are already reaping the benefits of AI to streamline operations and enhance guest experiences.

For example, hotels are using AI-powered chatbots as virtual concierges that instantly respond to guest queries, offer 24/7 support for room service and other amenities, and even use predictive analytics to provide personalized recommendations for things like dietary preferences and room upgrades. AI-integrated Internet of Things (IoT) systems, meanwhile, give staff seamless behind-the-scenes control, with hospitality companies using the technology to monitor energy consumption and optimize lighting, heating, and cooling in their properties.

But energy monitoring and temperature control are just scratching the surface of what AI can do for hoteliers. In Las Vegas, construction is underway on a new “smart hotel” that promises to be the world’s first truly AI-powered hotel, leaning on the technology for top-to-bottom optimization with dynamic room allocation, a “gamified Q&A session” for check-in, and a do-it-all concierge AI system and personal assistant.

While AI can bring greater convenience for guests and improved efficiency for hoteliers, it also creates new cybersecurity challenges and opportunities for cyberattacks.

Check-in kiosks create opportunities for data theft
AI can personalize guest experiences, streamline reservations and check-ins, and even optimize housekeeping schedules. But doing all this requires data. A lot of data. For hoteliers, this creates new concerns for data privacy—and new opportunities for data theft.

To automate check-in from start to finish, self-service kiosks must collect and process large amounts of guests’ personal and financial data (e.g., credit card numbers, names, addresses, and other personally identifiable information, or PII). In doing so, they become a virtual stockpile of sensitive information—and an attractive target for hackers hoping to steal PII and sell it on the dark web.

Hackers can compromise self-service check-in kiosks via malware, brute-force, or other attacks. When they do, they can not only make off with guests’ data but potentially infect a hotel’s entire network.

IoT devices introduce more (costly) vulnerabilities
Similar risks arise from IoT devices. Modern hotels aim to create completely seamless, personalized guest experiences with smart locks, smart thermostats, and many other IoT devices. But these IoT devices have also become a target for threat actors.

By hacking into just one insecure IoT device, bad actors can potentially gain unauthorized access to a hotel’s entire network, setting the stage for further cyber incidents such as ransomware attacks and data breaches. In fact, a Forrester report shows that “34% of enterprises that fell victim to a breach via IoT devices faced higher cumulative breach costs than cyberattacks on non-IoT devices, ranging between $5 million and $10 million.”

Unfortunately, despite the growing popularity of IoT in hospitality, the devices remain notoriously insecure, making them an attractive target for cyberattackers.

Third-party service providers add another layer of risk
Hacking on-site devices isn’t the only way bad actors can infiltrate hotels’ networks. They can also take advantage of a hotel’s third-party connections to gain unauthorized access and disrupt operations.

For example, hoteliers often enlist the help of a third-party vendor to manage an AI-powered chatbot or self-service check-in kiosk. While this means the hotel offloads the work of building and maintaining the technology, it also means relinquishing full control and visibility of all the data these systems collect and process (i.e., hotel guests’ PII).

Nonetheless, in the event of a cyber incident and data breach, the impacted hotel is the one responsible for the loss of customer data, as well as the legal and financial repercussions that come with it.

Bottom line: Working with AI service providers can greatly enhance hotel operations—but it also expands your supply chain and introduces new cybersecurity risks.

Protecting your hotel from new AI cybersecurity risk
Undoubtedly, integrating AI-powered technology brings new cybersecurity risks for hotels, such as more complex supply chains, greater IoT vulnerabilities, and new opportunities for data theft. But slowing AI adoption isn’t the right course of action either—not when considering the many opportunities for ROI on AI in hospitality.

Instead, hotels can take a cyber-focused approach to AI integration by prioritizing best practices like:

Strategic data collection: Limit guest data collection as much as possible. By only collecting and storing what’s absolutely necessary, hotels can mitigate the damage of potential data breaches.

Data encryption: Guest data should always be kept secure—both when it’s being shared and when it’s being stored—by using strong encryption methods to protect it from unauthorized access.

Network segmentation: Divide the hotel’s network into isolated segments (e.g., Wi-Fi and IoT devices). This way, if bad actors do successfully hack IoT devices or check-in kiosks, the breach can be contained by limiting their ability to move across systems.

Third-party security assessments: Regularly audit third-party service providers’ cybersecurity postures to identify cyber risks in your supply chain (and take steps to mitigate them) before hackers get a chance to exploit them.

For proactive protection from new AI-related cybersecurity risks, participating in specialized industry intelligence-sharing initiatives is key to a comprehensive defense strategy. By joining forces with other hospitality organizations, individual hotels can dramatically increase their own cyber intelligence to stay on top of evolving threats—and stay one step ahead of hackers.

Contributed by Pam Lindemoen, chief security officer and vice president, R&H ISAC, Vienna, Virginia