06/11/2025 | Press release | Distributed by Public on 06/11/2025 07:04
Many of the largest hospitality organizations operate on a global scale. While guest demands remain relatively constant across regions, cyberthreats and defensive capabilities can vary significantly.
Trustwave SpiderLabs recently released the 2025 Trustwave Risk Radar Report: Hospitality Sector, providing updated insights and strategies to enhance data security across the industry. It is especially useful to analyze the regional differences in cyber risks and how organizations are responding to them.
When it comes to the UK, Ed Williams, Trustwave's EMEA Director of SpiderLabs, noted that hospitality providers often struggle to comply with government regulations. Smaller venues in particular frequently lack cybersecurity and resilience capabilities.
The good news, according to Williams, is that UK hospitality businesses are increasingly prioritizing cybersecurity, with 72% of them considering it a high priority. However, only 22% of organizations have board members specifically assigned to oversee security, indicating a concerning lack of preparedness in the face of growing cyber risks.
Williams pointed to ongoing gaps in compliance with key regulations, including the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), Network and Information Systems (NIS) Directive, and the Product Security and Telecommunications Infrastructure (PSTI) regulation.
These gaps are largely due to resource constraints, a shortage of cybersecurity expertise, and the complexity of regulatory frameworks. As a result, organizations are more vulnerable to attacks similar to those that have recently hit the retail sector, especially in areas like supply chain weaknesses and phishing.
Addressing these issues, Williams said, requires tailored guidance, financial incentives, and a clearer regulatory scope that aligns with the hospitality sector's specific realities.
Training isn't just an issue for large corporations; it's a serious challenge for smaller venues as well.
According to Williams, small hospitality operators often make key cybersecurity missteps. These include neglecting staff training, relying on outdated systems, failing to segment networks, depending too heavily on third-party vendors, using weak access controls, lacking incident response plans, and ignoring IoT and guest Wi-Fi security. Many also underestimate compliance requirements.
Cybercriminals value the data in point-of-sale (POS) systems, online booking platforms, and guest Wi-Fi networks. These systems store rich customer data and are often vulnerable due to their reliance on interconnected infrastructure and outdated technologies.
These vulnerabilities, again tied to limited resources and expertise, mirror those seen in retail breaches. This makes small and medium-sized enterprises (SMEs) especially vulnerable to phishing, ransomware, and third-party/vendor compromises.
Williams emphasized that tailored guidance and affordable, practical measures could significantly reduce these risks.
The recent cyberattacks on UK retailers such as Harrods, Marks & Spencer, and Co-op in April and May 2025 highlight vulnerabilities that could just as easily impact hospitality organizations, depending on how well they're prepared.
Although the retail and hospitality sectors share characteristics that make them appealing to threat actors, hospitality faces additional challenges that may increase its exposure in specific situations.
Key security risks for UK hospitality in the coming years include:
If an organization has limited financial or technical capacity and must prioritize just one area, Williams recommends focusing on asset management.
Asset management is critical for UK hospitality businesses because it helps operators identify, track, and secure digital assets such as POS systems, booking platforms, IoT devices, and guest Wi-Fi. This visibility reduces vulnerabilities and allows faster responses to incidents.
Without proper asset management, unmonitored or outdated systems become easy targets, especially for attacks like ransomware and phishing, which frequently exploit the 60% of unsecured IoT devices and 65% of unpatched systems in hospitality (NCSC 2025, Trustwave 2023).
Additionally, asset management supports compliance efforts with GDPR and PCI DSS, helping organizations avoid regulatory penalties. For example, Marriott's 2018 breach resulted in a fine of £18.4 million.
For SMEs with limited resources, establishing asset inventories and keeping systems updated is a cost-effective way to defend against breaches that could otherwise cost an average of £250,000.
The combination of rapid tech adoption, evolving cyberthreats, and SME constraints magnifies risk in the hospitality sector. The 2025 retail breaches reveal many of the same vulnerabilities, especially in phishing and supply chains.
For small operators, the path forward lies in affordable tools, better training, and guidance tailored to their specific challenges.
Ed Williams is VP, SpiderLabs at Trustwave, with over 10 years of experience directly focused on penetration testing and consultancy for Government and private sector organizations.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.