Foresight and innovation in
the global hotel industry

DO’S & DON’TS of Hotel Data Security Awareness Training

David Christiansen, Chief Information Officer, VENZA

INTRODUCTION

Hospitality is the third-most targeted industry by cyber criminals and, unfortunately, over 30% of hotels have experienced a breach.

Despite this, however, the industry is also the single most under-trained—over 84% of hospitality employees have not received data security awareness training.

This gap presents a major risk. Because over 80% of all cybersecurity incidents begin with an element of social engineering—those attacks that target employees and attempt to manipulate them into disclosing sensitive information or compromising system security—shoring up your “human firewall” is critical to a strong defense.

One of the best ways to do so is through security awareness training. With dedicated, refined instruction about the principles of data protection, the most common dangers, and techniques to remain secure, your teams can learn the best practices of data security and improve their resilience to threats.

The following are some best practices for making data security awareness training effective:

DO’S

  1. Teach Fundamentals: Understanding how to protect payment cards and other sensitive information, maintain email hygiene, and recognise social engineering provides an essential security foundation.
  2. Be Comprehensive: Train against a wide variety of techniques and scenarios, including phishing, smishing, and vishing, to prepare for unexpected threats.
  3. Use Hospitality-Specific Content: Hoteliers face unique challenges, so training should be tailored to match. Use examples from the Front Desk, Food & Beverage, Housekeeping, and IT to cover real-world risks.
  4. Include All Staff: Aim for 100% training completion by including all employees, not just managers or those who handle credit card information.
  5. Adapt for Role: There is no one-size-fits-all cybersecurity solution. Training should account for nuances in staff roles and levels of responsibility.
  6. Involve Leadership: Set your organisation’s tone from the top by having key leaders commit to data protection and demonstrate that commitment in their daily practices.
  7. Communicate Clearly: Define the purpose, goals, and method of training delivery with clear messages. Ensure these are echoed regularly by General Managers and on-property leaders.
  8. Reinforce Learning: Supplement courses with ongoing learning interventions. Use breakroom posters, short videos, activities, and games to extend and build upon formal experiences.
  9. Build a Culture: Security awareness succeeds when it is embedded in your organisational DNA. It should become a value, not just a practice.
  10. Appoint Training Champions: Designate a member of your corporate or HR team to lead the training rollout, encourage participation, and follow the results.
  11. Dedicate a Data Security Month: Training is not one-and-done, but designating a month to prioritize information security can help establish accountability for completion.
  12. Make Incentives Positive: Reward strong performance to make the training experience engaging and fun. Everyone responds well to prizes, acknowledgment, and encouragement.
  13. Set Deadlines: Prevent training from becoming an afterthought by setting clear deadlines for completion.
  14. Train Annually: Best practices and key requirements such as PCI DSS require that training be completed on a yearly basis, at a minimum.
  15. Track Results: Visibility is the first step in defense. With clear results, you’ll be equipped to identify and mitigate vulnerabilities.

DON’TS

  1. Take Security for Granted: Over 60% of people are unaware of basic threats like phishing. Don’t assume members of your organisation are aware of cybersecurity threats and will prioritize data security without your intentional efforts.
  2. Neglect the Human Firewall: Technological solutions like firewall management or endpoint detection and response are necessary tools, but incomplete without addressing the human causes of many security failures.
  3. Overwhelm with Jargon: Avoid using complex technical language that might confuse rather than enlighten, especially for non-technical associates.
  4. Ignore Learning Styles: Effective training should be delivered through multiple channels to resonate with different levels of expertise and experience.
  5. Punish Employees: Avoid using punitive measures as a response to failures. Instead, focus on encouragement and constructive feedback to improve outcomes.
  6. Overlook Feedback: Do not dismiss the importance of feedback from training participants. It is essential for refining future sessions.
  7. Use Forgettable Lessons: Employ engaging, memorable training materials that resonate with the day-to-day experiences of associates.
  8. Miss New Threats: Cyber threats are constantly evolving. Make sure your training reflects the latest dangers such as quishing, voice spoofing, and more.
  9. Assume Vendors are Secure: Many hospitality breaches are caused by vulnerabilities in the software of third-party vendors. Regularly assess your providers to ensure they adhere to the best practices for data security and instruct team members on how to identify these risks and protect their properties from them.
  10. Forget Organisational Policy: Training must be reinforced with formal, written organisational policies that govern acceptable use, email security, and more.
  11. Limit Training to Once a Year: Avoid the pitfall of infrequent training. Regular updates and refreshers are necessary to keep security top of mind.
  12. Overfocus on Compliance: Compliance is not security. Don’t make the mistake of simply checking a box at the expense of meaningful data protection.
  13. Rely Solely on IT: Don’t delegate all responsibility for data security to your IT department. Data security is everyone’s responsibility.
  14. Overburden Your Team: Consider group training sessions for associates who are busy or don’t have ready computer access. Use short, impactful trainings that cover the essentials.
  15. Do It All Yourself: Leverage expertise from outside your organisation to enhance the effectiveness of your training regimen and reduce the burden on your staff. Guidance from training professionals is a difference-maker.

CONCLUSION

Security awareness training can play an important role in protecting hoteliers against cyber threats. By hardening the “human firewall,” criminals will find it more difficult to execute social engineering and other attacks that risk creating breaches, financial loss, and severe reputational damage. However, to be successful, training must be designed and delivered carefully. By adhering to the best practices described above, hoteliers can ensure that their associates are not only informed but also equipped to act as the first line of defense against cyber threats. Ultimately, a proactive and comprehensive data security awareness program is an investment in your hotel’s future—safeguarding not just data but the trust of guests and the integrity of your brand.