Digital Defense: Smaller hotels face growing cyber risks

From the moment a guest hands over an ID at check-in to the final credit card transaction at checkout, hotels collect and manage a dense concentration of personal data. For smaller operators, that responsibility is becoming increasingly difficult to manage as cyber threats grow more advanced—and more indiscriminate.

“Hotels come into contact with so much personal information,” said Chris Spencer, director/head of global product security, Assa Abloy Global Solutions. “You get to a check-in desk, you pass over a passport or a driver’s license and that might be scanned or copied. Then you have to think about the lifecycle of that data—how long you keep it, how you protect it and how you dispose of it properly.”

For large brands, those processes are often supported by dedicated cybersecurity teams and significant budgets. Smaller ownership groups and independent hotels, however, are typically operating with leaner teams and fewer resources—making the challenge more complex, but no less critical.

“In the past, smaller operators didn’t really view themselves as targets,” said Brian Madsen, VP, cybersecurity, MP Technology. “What we’re seeing now is that smaller hotels are actually becoming prime targets, just because they have smaller budgets for monitoring and controls.”

The shift in threat dynamics is largely driven by automation. Rather than targeting specific companies from the outset, attackers are increasingly scanning the landscape for vulnerabilities and exploiting whatever they find.

“Most attackers are using automated systems to go out and identify vulnerable systems,” Madsen said. “In many cases, they’re not even targeting a specific place until after they’ve found it.”

That approach puts smaller operators at a disadvantage. Without the same level of system monitoring, patch management or vendor oversight, gaps can emerge—and attackers are quick to find them.

“Attackers are looking for something that’s easy and profitable,” he said. “A smaller hotel may not represent as big of a payout as a global brand, but it’s often easier to get into, and they’re more likely to pay quickly if something like ransomware disrupts operations.”

Hotels, by their nature, also present an appealing target because of the type and concentration of data they hold.

“When you’re dealing with hotel customers, you’re dealing with a nicely packaged amount of information,” Madsen said. “It’s all in one place—credit cards, addresses, identification. That makes it very valuable.”

Spencer added that even seemingly minor data points can be combined to create a larger, more useful profile.

“Bits of data can compound into a bigger picture,” he said. “That’s why every piece of information needs to be handled carefully.”

If hotel data is the target, the front desk is often the entry point.

Both experts pointed to front-of-house teams as one of the most vulnerable areas in hotel operations—not because of negligence, but because of the nature of the role.

“They’re under a massive amount of pressure,” Spencer said. “Guests are arriving, phones are ringing, there are issues with rooms. They’re trying to keep everyone happy.”

At the same time, those employees often have broad system access to keep operations moving.

“They’re frequently given elevated privileges because they need to move quickly between systems, but that also makes them a prime target for phishing or social engineering,” he said.

Madsen noted that high turnover further increases risk.

“With positions that have high turnover, training and awareness tend to fall off,” he said. “You end up with someone who has direct access to the data attackers want but may not have the same level of training as a corporate employee.”

That combination—access, pressure and limited training—creates what he described as “a perfect storm” for attackers.

The rise of AI has significantly altered how cyberattacks are executed, making them harder to detect and easier to scale.

“We used to tell people to look for bad grammar or spelling mistakes,” Spencer said. “Now the emails are almost too good. AI can generate content that looks completely legitimate.”

More concerning, he said, is the shift toward longer-term, relationship-based attacks.

“They’re not always going for instant results anymore,” he said. “They can build trust over days or weeks, having conversations that seem genuine before introducing something malicious.”

Madsen emphasized that this evolution requires a shift in how employees evaluate potential threats. “It’s less about the content and more about the context,” he said. “Does the request make sense? Is it something you would normally see in your workflow?”

For example, an email from a senior executive may not seem unusual in a smaller organization—but the request itself could still be a red flag.

“In smaller companies, it’s not uncommon for leadership to reach out directly,” he said. “You have to look beyond the sender and ask whether the request is valid and expected.”

While external threats continue to evolve, internal data practices remain a significant source of vulnerability—particularly for smaller operators that may not have formalized policies in place.

“One of the biggest issues is over-collection,” Madsen said. “We’re gathering data that we may not actually need.” 

That can include full birth dates, identification numbers or other details that increase risk without adding operational value. “If you don’t need it, don’t collect it,” he said. “Because once you have it, you’re responsible for protecting it.”

Storage practices can also introduce risk, especially when physical and digital processes overlap. “We still see paper registration cards, handwritten notes and photocopies of IDs,” he said. “What controls are in place for those? How are they stored and ultimately disposed of?”

Spencer pointed to a broader issue with data retention. “Organizations are very good at collecting and storing data, but not always at deleting it,” he said. “Digital storage makes it easy to just keep adding, but that increases your exposure over time.”

He stressed that data disposal is just as important as data protection. “If you don’t need it anymore, get rid of it,” he said. “But do it securely.”

Despite the range of available technologies, both experts consistently returned to one point: Training is the most effective and accessible way for smaller hotels to improve cybersecurity.

“I can’t underestimate the importance of training,” Spencer said. “Even simple awareness—understanding phishing, understanding how attacks are changing—can have a big impact.”

Madsen agreed, emphasizing that training should be ongoing rather than one-time.

Importantly, that training should reflect real-world scenarios, not just digital ones. “A lot of training focuses on email,” he said. “But in a hotel environment, you also need to prepare for phone calls and in-person interactions that could be part of a social engineering attack.”

Even small steps—such as reminding employees not to share passwords or leave sensitive information visible—can make a difference. “It sounds simple, but those are the things that still happen,” Spencer said.

No system is completely secure, which makes preparation just as important as prevention. Both experts stressed the need for even the smallest operators to have a basic incident response plan in place. “It doesn’t have to be complicated,” Madsen said. “But people need to know what to do and who to call if something happens.”

That clarity can significantly reduce response time and limit the impact of an attack. “The response time can be the difference between a minor issue and a major financial loss,” he said.

Spencer added that planning should include testing systems and processes to ensure they work as expected. “Backups are a good example,” he said. “If you’ve never tested them, you don’t know if they’ll actually work when you need them.”

For smaller hotel operators, cybersecurity can feel overwhelming—but both experts emphasized that meaningful improvements don’t require massive investments.

“If someone decides to do even one thing—like run a training session with their staff—that’s a positive step,” Spencer said. 

As cyber threats continue to evolve, the message for smaller hotels is clear: They may not have the scale of global brands, but they face many of the same risks.

“Attackers are looking for what’s easiest,” Madsen said. “The goal is to make sure you’re not the easiest target.” 

