Hotel Data Security Comes of Age
Here’s a no-brainer: Businesses take economic risks seriously when they start to threaten the bottom line. Cyber security is the perfect example of this dynamic, and the hospitality industry is perhaps an ideal case study.
With troves of financial information and detailed personal data on guests shared across systems, it’s not difficult to see why cyber criminals love the hospitality industry. And given the financial pressures facing the hospitality world in this down economy, it’s also understandable that many have not responded as quickly to this emerging threat as other businesses in different sectors of the economy.
But there are signs the hospitality sector is experiencing a paradigm shift as industry leaders speak openly of data security as a crucial cost of doing business. Clearly security is on the minds of hoteliers lately, and increasingly it’s on the minds of guests.
This is a huge step forward. The simple truth is prevention is always cheaper and more effective than responding to a messy crisis. But before adequate prevention plans can be created, a change in mindset must take place throughout the industry that includes an acknowledgment that data security must be integrated into the business plan.
PCI-DSS compliance for credit card transactions has been a start, but it goes beyond that to include protection of the other types of sensitive client data hotels maintain. After all, you’ve got some very sophisticated hackers out there, and many, if not all, of the data breaches I’ve examined recently have involved hotels that were already PCI compliant.
We all wish there were a quick and easy fix, but truly effective data security is invariably a process rather than a product. Fort Knox is not the goal — that’s an impossibility. Instead, a sound data security plan can be broken down into three buckets:
Preparation: Prevention pays enormous, but ultimately unseen, dividends. It’s hard to put a value on all the work that results in a foiled attack. Preparation involves a willingness to supplement internal security, which cannot be expected to be all-knowing.
All too often, data breach disclosures reveal intruders have been poking around networks at will for months before a breach is spotted. That’s the kind of embarrassing PR any hotel should be fearful of, and that’s where the value of preparation really shines.
Response: When hotels experience a breach — notice I say “when” rather than “if” — the goal should be to identify the intrusion as soon as it occurs and kick the bad guys off your system immediately before serious damage can be done.
If an attack is detected, there are a number of basic steps to take. Responding to an intrusion includes things like immediately changing passwords and leaving computers powered on but disconnected from the Internet if possible. To assist any follow-up forensic examinations, compromised systems should be isolated and preserved.
Post-Mortem: Learn from your mistakes by assessing gaps in your response plan and training staff based on the event. Stay current on changing threats and laws, and update all plans and training accordingly.
Hotels worldwide have been planning for the resort season for months with visions of full rooms and satisfied guests. My wish and firm belief for 2012 is that more hotels will include data security in those plans.
Erin Nealy Cox leads the cybercrime response division of international data security and digital forensics firm Stroz Friedberg. She can be reached at enealycox@strozfriedberg.com
© 2012 Penton Media Inc.