From employee training to insurance: Essential cyber security strategies for your Canadian hospitality business

Acera Insurance’s Rachela Pollock outlines the cyber risks facing Canadian hospitality businesses, such as hotels and lodges, which use online booking platforms. She provides practical risk management strategies that include employee training, vendor vetting and cyber liability insurance to protect businesses and client data.

In today’s digital age, online booking platforms have become a daily part of life. We use them for everything from dinner reservations to planning your holiday on the other side of the world – often entering sensitive personal information without a second thought.

This can make businesses in the hospitality sector a prime target for cyber criminals, with cyber risks continuing to be a growing concern for commercial businesses. Acera Insurance’s Rachela Pollock, Client Executive, Commercial Insurance, provides her expert insights into how you can keep your business and clients’ data safe in our current cyber landscape.

Cyber threats facing Canadian hospitality online reservation systems

What would happen if a series of guests turned up to your hotel with emails confirming reservations that don’t exist in your online booking system?

Unfortunately, this can be something that members of the hospitality community have to deal with as fake booking sites and website duplication scams continue to target guests and businesses.

“Fake booking sites are a big threat – guests pay, but no reservation exists.”
 – Rachela Pollock

Some of the most commons cybersecurity threats can include:

Phishing emails where scammers will send fake emails to employees and customers pretending to represent your business to trick them into providing sensitive information such as their login information.

Malware infections typically go together with phishing emails by using malicious software to access your system to spy on activity, steal data and instal ransomware.

Ransomware attacks that hijack your booking system and the hacker demands money to unlock it.

Data breaches
from weak security protocols that enable cyber criminals to steal client information, which can include names, banking information and emails.

Distributed denial-of-service (DDoS) attacks that aim to crash your site by flooding it with fake traffic so that clients can’t book anything.

Real-world cyber attack example: Payment card skimming

A lodge had their systems hacked and infected with malware installed through their reservations system on their website. The malware gained access to their processing system and added an extra five cents to $2 per every transaction that the lodge processed. By the time they realized all these extra transactions had taken place, almost $15,000 had been stolen.

Proactive cyber risk management for hotels, campgrounds and resorts

There are several steps that you can take to help protect your business from cybersecurity risks:

• Implement technical controls such as multi-factor authentication, secure password practices and secure data store.
• Conduct regular security audits and annual reviews with cybersecurity professionals.
• Assess the risks of in-house vs. third-party booking systems.

1. How do you protect the data you collect, process and store?
2. Can you describe your incident response plan?
3. How do you ensure your systems are up to date?
4. Have you experienced any data breaches or security incidents in the past 12 months?

Employee cyber security training for hospitality businesses

To help mitigate your cyber risks, you need to educate your employees about how to identify potential scammers and how to respond to a breach.

“Annual cybersecurity reviews help spot weak points before data leaks happen.”
– Rachela Pollock

Ongoing employee training that includes phishing simulations, regular audits of your systems and incident response drills need to be a part of your risk management strategies.

Best Practices for staff include:

• Regular phishing tests and training
• Providing procedures to verify suspicious communications
• Drafting clear disclaimers for staff and guests about the type of information that will be collected through your booking systems and how payment will be processed

You also need to be continuously monitoring your systems for any threat detection. If you don’t have someone with the skills to do this role, consider investing in an IT security company to do regular analysis for you. Early alerts can help prevent or mitigate a breach and minimize the chances of an insurance claim.

Cyber liability insurance for Canadian hospitality businesses

A cyber breach can have a deep impact on your business. For example, a hotel recently had a cyber attack where the criminals hacked into their systems and shut down every key card in the hotel so customers couldn’t get into or leave their rooms. The criminals demanded a ransom to unfreeze the system.

Investing in cyber liability insurance is crucial for helping to support your risk management strategies. Most traditional commercial insurance policies only protect physical assets. In case of a cyber claim, you may not be covered.

“Treat your cyber insurance as part of your team. It’s key to keeping your business safe.”
– Rachela Pollock

Acera Insurance risk advisors can work alongside your cybersecurity staff to find gaps and build a strategy that helps keep your business, staff and clients safe. Cyber liability insurance is designed to protect your business from:

• Business interruption
• Financial loss
• Data loss
• Cyber extortion
• Reputation recovery
• Legal expenses

What many businesses overlook is that their cyber insurance policy limit applies to all types of coverage combined. For example, if you have a $1-million policy and lose $200,000 to a phishing scam, you only have $800,000 left for other claims. It’s important to assess your risks and ensure your coverage limit is sufficient.

Additionally, businesses often overlook contingent business interruption coverage, which protects you if a third-party booking platform is attacked and you lose revenue as a result.

Protecting your hospitality business from cyber risks

Managing risks with third-party online booking systems is key to preventing data breaches. This can be done through regular system maintenance, staff education, working with a cybersecurity expert and the right insurance coverage.

With strong policies and guidance, you can offer your customers a secure experience from booking to check-out.

FAQ’s

With over 20 years of experience in sales, management and relationship-building, Rachela specializes in risk management for the tourism and hospitality sector at Acera insurance. From resorts and remote lodges to marine operations; her team partners with businesses and provincial and national associations to implement proactive risk management strategies while navigating specialized insurance markets including cyber.

Related reading:

• Managing insurance and risks for your hospitality business in 2025
• 5 Phishing Scams Targeting Canadians | Acera Insurance
• Insurance, bylaws & communication for strata corporations

Information and services provided by Acera Insurance, Acera Benefits and any other tradename and/or subsidiary or affiliate of Acera Insurance Services Ltd. (“Acera”), should not be considered legal, tax, or financial advice. While we strive to provide accurate and up-to-date information, we recommend consulting a qualified financial planner, lawyer, accountant, tax advisor or other professional for advice specific to your situation. Tax, employment, pension, disability and investment laws and regulations vary by jurisdiction and are subject to change. Acera is not responsible for any decisions made based on the information provided.