Trustwave Corporation

06/11/2025 | Press release | Distributed by Public on 06/11/2025 07:04

Cybersecurity in UK Hospitality: Navigating Compliance, Threats, and Resource Constraints

June 11, 2025 3 Minute Read by Ed Williams

Many of the largest hospitality organizations operate on a global scale. While guest demands remain relatively constant across regions, cyberthreats and defensive capabilities can vary significantly.

Trustwave SpiderLabs recently released the 2025 Trustwave Risk Radar Report: Hospitality Sector, providing updated insights and strategies to enhance data security across the industry. However, it's especially useful to analyze the regional differences in cyber risks and how organizations are responding.

Focus on the UK: Cybersecurity Challenges and Progress

When it comes to the UK, Ed Williams, Trustwave's EMEA Director of SpiderLabs, noted that hospitality providers often struggle to comply with government regulations. Smaller venues in particular frequently lack cybersecurity and resilience capabilities.

The good news, according to Williams, is that UK hospitality businesses are increasingly prioritizing cybersecurity, with 72% of them considering it a high priority. However, only 22% of organizations have board members specifically assigned to oversee security, indicating a concerning lack of preparedness in the face of growing cyber risks.

Compliance Irregularities

Williams pointed to ongoing gaps in compliance with key regulations, including the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), Network and Information Systems (NIS) Directive, and the Product Security and Telecommunications Infrastructure (PSTI) regulation.

These gaps are largely due to resource constraints, a shortage of cybersecurity expertise, and the complexity of regulatory frameworks. As a result, organizations are more vulnerable to attacks (similar to those that have recently hit the retail sector), especially in areas like supply chain weaknesses and phishing attacks.

Addressing these issues, Williams said, requires tailored guidance, financial incentives, and a clearer regulatory scope that aligns with the hospitality sector's specific realities.

The SME Problem: Small Operators at Risk

Training isn't just an issue for large corporations; it's a serious challenge for smaller venues as well.

According to Williams, small hospitality operators often make key cybersecurity missteps. These include neglecting staff training, relying on outdated systems, failing to segment networks, depending too heavily on third-party vendors, using weak access controls, lacking incident response plans, and ignoring IoT and guest Wi-Fi security. Many also underestimate compliance requirements.

Cybercriminals value the data in point-of-sale (POS) systems, online booking platforms, and guest Wi-Fi networks. These systems store rich customer data and are often vulnerable due to their reliance on interconnected infrastructure and outdated technologies.

These vulnerabilities, again tied to limited resources and expertise, mirror those seen in retail breaches. This makes small and medium-sized enterprises (SMEs) especially vulnerable to phishing, ransomware, and third-party/vendor compromises.

Williams emphasized that tailored guidance and affordable, practical measures could significantly reduce these risks.

Where Retail and Hospitality Overlap

The recent cyberattacks on UK retailers such as Harrods, Marks & Spencer, and Co-op in April and May 2025 highlight vulnerabilities that could just as easily impact hospitality organizations, depending on how well they're prepared.

Although the retail and hospitality sectors share characteristics that make them appealing to threat actors, hospitality faces additional challenges that may increase its exposure in specific situations.

Key security risks for UK hospitality in the coming years include:

  • Unsecured IoT Devices: Smart locks and kiosks are vulnerable to ransomware and other attacks due to weak encryption and unpatched systems (60% lack basic security, NCSC 2025).
  • AI-Driven Phishing: Advanced phishing campaigns targeting staff are made worse by high turnover and limited training (only 22% of staff are trained, 2024 UK Cyber Survey).
  • Supply Chain Attacks: Breaches of third-party platforms, like the 2023 Otelier incident, remain a concern (only 15% of venues vet vendors, NCSC 2024).
  • Ransomware Surge: Disruptive ransomware attacks, like the 2023 MGM breach, continue to threaten SMEs with inadequate incident response plans (60% are unprepared, 2024 UK Cyber Survey).
  • Regulatory Pressure: Tightened enforcement of GDPR, PCI DSS, and PSTI creates hurdles for SMEs with limited resources (only 59% GDPR-compliant, 2024 UK Hospitality Taskforce).
  • Guest Wi-Fi/App Risks: Poorly secured guest-facing apps and networks are common entry points for attackers (50% use outdated encryption, NCSC 2025).

Asset Management: The Priority for Limited Resources

If an organization has limited financial or technical capacity and must prioritize just one area, Williams recommends focusing on asset management.

Asset management is critical for UK hospitality businesses because it helps operators identify, track, and secure digital assets such as POS systems, booking platforms, IoT devices, and guest Wi-Fi. This visibility reduces vulnerabilities and allows faster responses to incidents.

Without proper asset management, unmonitored or outdated systems become easy targets, especially for attacks like ransomware and phishing, which frequently exploit the 60% of unsecured IoT devices and 65% of unpatched systems in hospitality (NCSC 2025, Trustwave 2023).

Additionally, asset management supports compliance efforts with GDPR and PCI DSS, helping organizations avoid regulatory penalties. For example, Marriott's 2018 breach resulted in a fine of £18.4 million.

For SMEs with limited resources, establishing asset inventories and keeping systems updated is a cost-effective way to defend against breaches that could otherwise cost an average of £250,000.

The combination of rapid tech adoption, evolving cyberthreats, and SME constraints magnifies risk in the hospitality sector. The 2025 retail breaches reveal many of the same vulnerabilities, especially in phishing and supply chains.

For small operators, the path forward lies in affordable tools, better training, and guidance tailored to their specific challenges.

About the Author

Ed Williams is VP, SpiderLabs at Trustwave, with over 10 years of experience directly focused on penetration testing and consultancy for Government and private sector organizations. Follow Ed on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Trustwave Corporation published this content on June 11, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on June 11, 2025 at 13:04 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at support@pubt.io