It seems like every week we see another major hospitality company reporting a cyber security breach where hackers get access to customer and other sensitive information.
Cyber security experts claim that it’s not a matter of whether your company will be attacked but when. That’s a harsh reality when you consider that these security breaches can do extraordinary and irreparable damage from a reputational and financial standpoint.
If a cyber-attack can’t be prevented, how can one manage the risk associated with an attack to protect one’s company and customers?
Tom Bullen, a risk management advisor at AETHOS Consulting Group and partner at Premier Risk Management, comments: “Companies need to be prepared and plan for the consequences of a cyber-attack as well as many other threats as part of a comprehensive risk management program.” Bullen continues, stating, “Risk is constant and dynamic, especially in the area of cyber security where the hackers get ‘smarter’ every day.”
Bullen therefore highlights that it is worthwhile to regularly validate one’s risk exposure and to review one’s risk management disciplines. He says that it is crucial to proactively:
- Identify all the risks to which the company is exposed.
- Quantify and prioritize each category of risk.
- Establish ways to mitigate these risks, including the appropriate insurance coverage as part of a comprehensive risk management strategy.
- Perform periodic reviews (at least annually) of changes in the company or its environment and adapt the program accordingly.
The risk exposures identified along with the plans to mitigate these risks need to be communicated to and understood by the executive leadership of a company as well as the Board of Directors. These issues frequently cross over multiple businesses and functional areas of the company and require oversight at the highest levels of the organization – it’s not just an IT issue!
Damages from a cyber security breach can be costly to repair. For instance, industry research has shown that, on average, it costs US $190 per individual to notify customers that a breach has occurred, that their personal data may be compromised and to offer them assistance to protect their identity going forward. If a major hotel company has its customer data compromised, that could mean that hundreds of thousands of customers could be affected – imagine the costs involved.
The bottom line is that hospitality companies are cyber-attacked every day. From an enterprise perspective, all companies can do is properly plan for the potential outcomes through an effective risk management program and ensure that executive management and the Board of Directors are properly informed and engaged.