Business Continuity Plans: Enhance Cybersecurity in the Hospitality Industry

Written By: Evita Ma

With countless cyberattacks occurring in recent years, cybersecurity has become an unseparated concern during daily operation. To protect the business from incident influence, a continuity plan that integrates cybersecurity must be designed and well-implemented for hotels, restaurants and clubs. A business continuity plan life cycle normally includes:

Business impact analysis and risk assessment are conducted during the analysis period. Business impact analysis (BIA) identifies the critical business functions (e.g. accommodations and associated service for hotels), the potential impact of business disruptions, and the legal and regulatory requirements for business functions and processes. Based on BIA assumptions, detect the threat scenarios such as natural, technical and human induced incidents. Cybersecurity is related to technical and human induced disaster, including data, utility, intentional and accidental incidents. The ISO 27000 Information Security series of standards provide a guideline to assess the information security-related risks — for example, data loss, unauthorized access, and DDoS attacks.

There are different tools and software available to assess the risk. For example, ISF IRAM2 has six phases of risk management. From scoping, business impact assessment, threat profiling, vulnerability assessment, risk evaluation to risk treatment, it provides a structured and practical approach to assess risk and help make business decisions. To profile the risk, we need to clarify five aspects including business environment, intended target, threat actors, resilience and legislation, which help determine the risk appetite and implement relevant measures.

Source: IRAM2- Managing information risk is a business essential. ISF: Information Security Forum. (

According to FFIEC Cybersecurity Assessment Tool, cybersecurity risk can be categorized by the following:

  • Technologies and connection types
  • Delivery channels
  • Online/mobile products and technology services
  • Organizational characteristics
  • External threats

The risk level can range from least to most, as shown in the following table:

Source: FFIEC Cybersecurity Assessment Tool (2015)

Under comprehensive analysis, a solution to each scenario should be designed accordingly. “ISO 22301 Societal Security — Business Continuity Management Systems — Requirements” is the business continuity management standard, providing a framework from international best practice (Figure 2 below).

Figure 2 Conceptual overview of main cyber response components

Testing and monitoring is necessary to ensure the proposed business continuity plan work efficiently and effectively. Develop an enterprise-wide testing program including scenario simulation and response, find out if there is anything can be improved in the process, and revise the plan if necessary.

Implementation and maintenance is the final step of business continuity plan, but is not the end. Business continuity plan should be adjusted over time since the risk scope will increase in terms of complexity, and the response plan should be monitored.

The overall goal of continuity planning is ultimately to train staff to be more thoughtful of cybersecurity. Save for IT professionals, relevant staff need to be aware of potential attacks and remedy measures. Continuity planning will enhance the effective communication between employees, guests and stakeholders, as well as reduce the impact if and when an attack has occurred.

Evita Ma is the executive director at the HFTP Asia Research Center. Contact Evita at or +1 (512) 220-4039.

You May Also Like

About the Author: Contributor