Cybersecurity in the hospitality industry

Hospitality, one of the most vulnerable industries

People strongly believe that travel is an essential ingredient of long-lasting happiness. They want to open their lives to new paths of excitement and adventure, visit new places, experience new cultures, grow into better and happier individuals. Travel builds self-confidence, brings people closer, provides with new experiences and memories, breaks routine, and allows to meet people from all over the world. Travellers expect friendship, love, adventure, surprises. A nice hotel room and everything else that the hospitality industry can offer, is the most important part of this experience.

Unfortunately, managers and employees of firms and organizations of the public and the private sector staying in hotel rooms are main targets of foreign intelligence services (including but not limited to the intelligence service of the destination country), state-sponsored groups, the organized crime, even foreign businesses that exploit all opportunities to acquire sensitive or classified information.

People travelling are vulnerable due to the limited control they exercise over their immediate surroundings. The hospitality industry must protect its clients, and the majority of safety and security related challenges can be managed through good security planning, sound security practices, and security awareness and training of managers and employees in every venue and hotel chain.

A new cybersecurity culture for the hospitality industry is necessary. It refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, values, and expectations of managers and employees in every venue and hotel chain, regarding security and cybersecurity. Managers and employees must be involved in the prevention, detection, and response to deliberate malicious acts that target systems, persons, and data.

During the past decades, hotels and hotel chains have made substantial investments in security systems and IT infrastructure. Unfortunately, they have not paid so much attention in training their staff to protect these systems from cyber attacks. Cybersecurity awareness and training for all managers and employees that have access to sensitive or confidential information is necessary, in order to make information security considerations an integral part of every business.

Hospitality is one of the most vulnerable to cyber attacks industries. Adversaries have usually the following objectives:

1. To make money.

2. To have access to confidential information (business intelligence, espionage).

3. To attack the country and the critical infrastructure.

Our training programs

Cyber Risk GmbH is offering training programs for managers and employees in the hospitality industry. We also offer tailored-made training that assist the Board of Directors and the CEO in understanding cybersecurity challenges.

The Board of Directors and the CEO of entities in the hospitality industry must understand that they are high value targets. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.

Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.

Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.

With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.

For our training programs, you may visit:

Hotel Cybersecurity Training.

Hotel Cybersecurity Board Training.

Contact us

Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60


We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.