
Cybersecurity in UK Hospitality: Navigating Compliance, Threats, and Resource Constraints

Many of the largest hospitality organizations operate on a global scale. While guest demands remain relatively constant across regions, cyberthreats and defensive capabilities can vary significantly.

Trustwave SpiderLabs recently released the 2025 Trustwave Risk Radar Report: Hospitality Sector, providing updated insights and strategies to enhance data security across the industry. However, it’s especially useful to analyze the regional differences in cyber risks and how organizations are responding.


Focus on the UK: Cybersecurity Challenges and Progress

When it comes to the UK, Ed Williams, Trustwave’s EMEA Director of SpiderLabs, noted that hospitality providers often struggle to comply with government regulations. Smaller venues in particular frequently lack cybersecurity and resilience capabilities.

The good news, according to Williams, is that UK hospitality businesses are increasingly prioritizing cybersecurity, with 72% of them considering it a high priority. However, only 22% of organizations have board members specifically assigned to oversee security—indicating a concerning lack of preparedness in the face of growing cyber risks.


Compliance Irregularities

Williams pointed to ongoing gaps in compliance with key regulations, including the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), Network and Information Systems (NIS) Directive, and the Product Security and Telecommunications Infrastructure (PSTI) regulation.

These gaps are largely due to resource constraints, a shortage of cybersecurity expertise, and the complexity of regulatory frameworks. As a result, organizations are more vulnerable to attacks—similar to those that have recently hit the retail sector—especially in areas like supply chain weaknesses and phishing attacks.

Addressing these issues, Williams said, requires tailored guidance, financial incentives, and a clearer regulatory scope that aligns with the hospitality sector’s specific realities.


The SME Problem: Small Operators at Risk

Training isn’t just an issue for large corporations—it’s a serious challenge for smaller venues as well.

According to Williams, small hospitality operators often make key cybersecurity missteps. These include neglecting staff training, relying on outdated systems, failing to segment networks, depending too heavily on third-party vendors, using weak access controls, lacking incident response plans, and ignoring IoT and guest Wi-Fi security. Many also underestimate compliance requirements.

Cybercriminals value the data in point-of-sale (POS) systems, online booking platforms, and guest Wi-Fi networks. These systems store rich customer data and are often vulnerable due to their reliance on interconnected infrastructure and outdated technologies.

These vulnerabilities—again tied to limited resources and expertise—mirror those seen in retail breaches. This makes small and medium-sized enterprises (SMEs) especially vulnerable to phishing, ransomware, and third-party/vendor compromises.

Williams emphasized that tailored guidance and affordable, practical measures could significantly reduce these risks.


Where Retail and Hospitality Overlap

The recent cyberattacks on UK retailers such as Harrods, Marks & Spencer, and Co-op in April and May 2025 highlight vulnerabilities that could just as easily impact hospitality organizations—depending on how well they’re prepared.

Although the retail and hospitality sectors share characteristics that make them appealing to threat actors, hospitality faces additional challenges that may increase its exposure in specific situations.

Key security risks for UK hospitality in the coming years include:

  • Unsecured IoT Devices: Smart locks and kiosks are vulnerable to ransomware and other attacks due to weak encryption and unpatched systems (60% lack basic security, NCSC 2025).
  • AI-Driven Phishing: Advanced phishing campaigns targeting staff are made worse by high turnover and limited training (only 22% of staff are trained, 2024 UK Cyber Survey).
  • Supply Chain Attacks: Breaches of third-party platforms, like the 2023 Otelier incident, remain a concern (only 15% of venues vet vendors, NCSC 2024).
  • Ransomware Surge: Disruptive ransomware attacks—like the 2023 MGM breach—continue to threaten SMEs with inadequate incident response plans (60% are unprepared, 2024 UK Cyber Survey).
  • Regulatory Pressure: Tightened enforcement of GDPR, PCI DSS, and PSTI creates hurdles for SMEs with limited resources (only 59% GDPR-compliant, 2024 UK Hospitality Taskforce).
  • Guest Wi-Fi/App Risks: Poorly secured guest-facing apps and networks are common entry points for attackers (50% use outdated encryption, NCSC 2025).


Asset Management: The Priority for Limited Resources

If an organization has limited financial or technical capacity and must prioritize just one area, Williams recommends focusing on asset management.

Asset management is critical for UK hospitality businesses because it helps operators identify, track, and secure digital assets—such as POS systems, booking platforms, IoT devices, and guest Wi-Fi. This visibility reduces vulnerabilities and allows faster responses to incidents.

Without proper asset management, unmonitored or outdated systems become easy targets—especially for attacks like ransomware and phishing, which frequently exploit the 60% of unsecured IoT devices and 65% of unpatched systems in hospitality (NCSC 2025, Trustwave 2023).

Additionally, asset management supports compliance efforts with GDPR and PCI DSS, helping organizations avoid regulatory penalties. For example, Marriott’s 2018 breach resulted in a fine of £18.4 million.

For SMEs with limited resources, establishing asset inventories and keeping systems updated is a cost-effective way to defend against breaches that could otherwise cost an average of £250,000.
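As an added illustration (not code from the article or from Trustwave), the check below runs the asset-management idea above over a constructed inventory of the asset classes the article names (POS, IoT, booking platform, guest Wi-Fi) and flags the gaps it lists: outdated patching, missing network segmentation, weak guest Wi-Fi encryption, and assets with no owner. The 90-day patch threshold, the VLAN layout, and the set of encryption modes treated as weak are assumptions for the example.

```python
"""Minimal asset-inventory gap check for a small hospitality venue (added example)."""
from datetime import date

PATCH_MAX_AGE_DAYS = 90                # assumed policy threshold, not from the article
WEAK_WIFI = {"OPEN", "WEP", "WPA"}     # assumed set of modes treated as outdated encryption

# Constructed sample inventory (not real data). One record per tracked asset.
INVENTORY = [
    {"id": "pos-01", "type": "pos", "vlan": 10, "last_patch": "2025-05-01", "owner": "ops"},
    {"id": "lock-lobby", "type": "iot", "vlan": 10, "last_patch": "2023-11-12", "owner": ""},
    {"id": "kiosk-02", "type": "iot", "vlan": 20, "last_patch": "2025-04-20", "owner": "frontdesk"},
    {"id": "guest-ap-1", "type": "guest_wifi", "vlan": 30, "last_patch": "2025-03-15",
     "owner": "it", "encryption": "WPA"},
    {"id": "booking-web", "type": "booking", "vlan": 40, "last_patch": "2025-05-10",
     "owner": "vendor-x"},
]


def find_gaps(inventory, today="2025-06-01"):
    """Return a list of (asset_id, finding) pairs for every gap detected."""
    now = date.fromisoformat(today)
    findings = []
    # Any VLAN that carries a POS terminal is treated as the cardholder segment.
    pos_vlans = {a["vlan"] for a in inventory if a["type"] == "pos"}
    for a in inventory:
        age = (now - date.fromisoformat(a["last_patch"])).days
        if age > PATCH_MAX_AGE_DAYS:
            findings.append((a["id"], f"unpatched for {age} days"))
        # Non-POS devices on the POS VLAN mean the network is not segmented.
        if a["type"] != "pos" and a["vlan"] in pos_vlans:
            findings.append((a["id"], "shares a VLAN with POS (no segmentation)"))
        if a["type"] == "guest_wifi" and a.get("encryption", "OPEN") in WEAK_WIFI:
            findings.append((a["id"], f"weak Wi-Fi encryption: {a.get('encryption', 'OPEN')}"))
        if not a["owner"]:
            findings.append((a["id"], "no owner assigned"))
    return findings


if __name__ == "__main__":
    for asset_id, finding in find_gaps(INVENTORY):
        print(f"{asset_id}: {finding}")
```

With the sample inventory, the smart lock is flagged three times (stale patch, unsegmented, unowned) and the guest access point once for outdated encryption; the POS terminal, kiosk, and booking platform pass.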

The combination of rapid tech adoption, evolving cyberthreats, and SME constraints magnifies risk in the hospitality sector. The 2025 retail breaches reveal many of the same vulnerabilities—especially in phishing and supply chains.

For small operators, the path forward lies in affordable tools, better training, and guidance tailored to their specific challenges.

About the Author

Ed Williams is VP, SpiderLabs at Trustwave, with over 10 years of experience directly focused on penetration testing and consultancy for Government and private sector organizations. Follow Ed on LinkedIn.
