Security-First Culture: Defending Against Social Engineering

Highlights

*Preventing social engineering requires blending traditional controls with a security culture.

*Hoteliers must address staff’s inherent cybersecurity behaviors to build a multi-layered defense.

*Shortages of security professionals require an organisation-wide approach rather than reliance on the security team alone.

Introduction

Safeguarding hospitality from the rise of social engineering attacks requires a comprehensive, multi-layered approach.

At the heart of this strategy is building a culture of security awareness, where staff are equipped to recognize and counter the psychological manipulation tactics cybercriminals are increasingly using to breach systems and steal data.

While the solution seems simple, the reality is much more complex. Knowledge alone doesn’t always translate into action—encouraging cyber-secure behaviors among staff can be challenging, especially when security teams are already stretched thin.

In this week’s feature of the VENZA Echo, we conclude our three-part series on the growing social engineering threat, focusing on protection strategies and the challenges hoteliers face in implementing a robust, multi-pronged defense.

Culture

As outlined in the first installment of this series, clear steps can be taken to mitigate the risks of social engineering. These include training, implementing strict policies and procedures, and enforcing role-based access controls.

While generally effective, the success of these actions relies upon an organisation’s shared focus on cybersecurity. A strong culture shapes behavior: from top leadership to front-line staff, fostering security awareness ensures everyone plays a role in protection.

Without a solid security foundation, employee attitudes and behaviors toward cybersecurity vary widely. Some take it seriously, while others see it as a burden, and this inconsistency creates gaps in defense that social engineers look for.

Training & Behaviors

Employee training is undeniably a cornerstone of building a strong security culture. Studies show that it can reduce phishing susceptibility by 80% within the first year. Organisations with high employee training engagement saw breach-related costs decrease by nearly $1 million in 2023.

Credit: IBM

However, training alone cannot completely prevent employees from engaging in risky online behaviors.

For one, only 53% of organisations provide security awareness training to all employees.

Another reason is behavioral: studies show that 71% of users admitted to "risky" actions like reusing passwords or clicking suspicious links, with 58% engaging in behaviors that expose them to social engineering tactics. Alarmingly, 96% of those users did so knowingly.

Why? The most common reason is convenience.

This trend is highlighted in the National Cybersecurity Alliance’s 2024-2025 Annual Cybersecurity Attitudes and Behaviors Report, which found that 46% of participants, spanning all age groups, described staying safe online as “frustrating.”

Everyone has experienced the frustration of forgetting a unique password or dealing with the added inconvenience of multi-factor authentication. While security professionals view these measures as essential, many employees see them as just another task in their already busy day. This difference in perspective highlights one of many behavioral discrepancies between security professionals and end-users.

Diverging Attitudes

Security professionals are naturally more aware of the wide range of threats and devastating impacts of cybercrime. While many employees are also aware of these risks, there’s often a disconnect regarding responsibility.

Studies show that 85% of security professionals believe end-users understand their role in protecting their organisation’s security, yet 59% of users reported they were unsure or didn’t feel responsible at all.

Another major disconnect lies in how security professionals believe security should be cultivated within an organisation. They largely believe that increased training, stricter controls, and better alignment of security initiatives with business goals will significantly improve security culture and, by extension, the organisation’s defenses.

On the other hand, users emphasize the need for more user-friendly processes, better rewards, and clearer communication from security teams. In fact, 94% think that simplifying security measures would increase their attentiveness.

Creating more user-friendly security initiatives is challenging, especially amid security staffing shortages.

Security Staffing Shortages

As threats and data privacy challenges increase, the demand for cybersecurity professionals is growing faster than the available talent. Despite a 10% increase in the global cybersecurity workforce, the shortage has expanded and now nears a shortfall of 4 million employees.

Credit: ISC2

Over 58% of cybersecurity professionals now report staff shortages in their organisations, complicating efforts to prevent and manage security issues. Compounding this, 74% of these professionals say the current threat landscape is the worst they’ve encountered in the past five years.

Another challenge is the growing skills shortage among cybersecurity professionals. In fact, 90% of those surveyed report a lack of necessary skills within their organisations. More concerning, 64% of respondents consider the skills gap a greater issue than the shortage of personnel itself.

Given the widening skills gap, personnel shortages, and an ever-worsening threat landscape, it's no surprise that job satisfaction among cybersecurity professionals has been on a steady decline since 2022.

Fostering a Security Culture in Hospitality

In addition to challenges like behavioral attitudes and staffing shortages, hoteliers face unique obstacles.

As noted in our first installment of this series, hospitality is particularly vulnerable to social engineering attacks. High employee turnover, 24/7 operations, and a "guest service" mentality that rewards saying yes make staff more susceptible to cybercriminals' psychological manipulation.

Changing behavior requires a cultural shift. To address these challenges, hoteliers must adopt a multi-pronged approach that extends beyond training and security protocols alone.

Several key steps can help achieve this:

1. Executive Support

IT professionals cannot drive security initiatives alone. Executive leadership and stakeholders, as the key influencers of organisational culture, must champion security efforts to drive meaningful change.

CEOs should take an active, vocal role in promoting security as a business enabler—showing how strong security practices protect guests, ensure compliance, and prevent costly breaches.

When leadership prioritizes security, it cascades through all levels of the organisation, fostering widespread support for security initiatives.

2. Open Dialogue

Clear, ongoing communication between security teams and staff is key to bridging the gap between expectations and daily practices.

While executives may grasp cybersecurity risks, many frontline workers may lack that awareness. Instead of simply explaining threats, it’s more effective to provide context and explain the stakes in ways that are relevant to their roles.

Incorporate cybersecurity into pre-shift or monthly meetings and use roleplay exercises to demonstrate scenarios.

3. Security Procedures

Conducting a comprehensive review of policies and procedures is crucial. This involves assessing checklists and processes to ensure alignment with data security best practices.

To update property-specific processes, work with General Managers to adjust employee checklists so they align with data security practices. For example, adding a task like "inspect guest-room USB ports for unfamiliar devices" to the housekeeping checklist helps catch rogue hardware left behind. Similarly, for the front desk, include a checkbox for locking or logging out of computers before stepping away or leaving for the day, so an unattended terminal cannot be used by a walk-up impersonator.

These small changes can significantly enhance security awareness and add a layer of accountability.
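The front-desk "lock before stepping away" checkbox is a human control; a practitioner would pair it with a technical one so a forgotten terminal still locks itself. The script below is an added example, not code from the VENZA article, and assumes a Windows 10/11 front-desk workstation and an elevated PowerShell session. It audits and, if necessary, sets the "Interactive logon: Machine inactivity limit" policy (the `InactivityTimeoutSecs` registry value); the 300-second limit is an assumed policy value, not one the article specifies.

```powershell
# Added example (not from the original article): enforce an idle screen lock on a
# front-desk PC so the checklist item "lock the computer" has a technical backstop.
# Assumes Windows 10/11 and an elevated session. $MaxSeconds is an assumed policy value.
$Path       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name       = 'InactivityTimeoutSecs'   # backs "Interactive logon: Machine inactivity limit"
$MaxSeconds = 300                        # lock after 5 minutes idle (0 would disable the lock)

# Read the current value; it is absent on a machine that has never had the policy set.
$current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

if ($null -eq $current -or $current -eq 0 -or $current -gt $MaxSeconds) {
    # Missing, disabled, or looser than policy: set it. -Force overwrites an existing value.
    Write-Output "Inactivity limit is '$current'; setting to $MaxSeconds seconds"
    New-ItemProperty -Path $Path -Name $Name -Value $MaxSeconds -PropertyType DWord -Force | Out-Null
} else {
    Write-Output "Inactivity limit already $current seconds (compliant)"
}

# Verify the change took effect.
$after = (Get-ItemProperty -Path $Path -Name $Name).$Name
Write-Output "Effective inactivity limit: $after seconds"
```

On domain-joined properties the same setting is better delivered through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options), which prevents a local administrator from quietly relaxing it; the script is useful for standalone terminals and for spot-checking that the policy actually applied.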

4. Bolster Security Year-Long

Training should be an ongoing, engaging process—not just a one-time, check-the-box activity.

However, this doesn’t mean repetitive training sessions.  

Microlearning, like VENZA's Rocky's Learning Corner email templates, offers quick, impactful lessons, while breakroom posters reinforce core topics. Simulated phishing and vishing attacks provide real-time learning and help identify which staff and roles are most susceptible, so follow-up coaching can be targeted rather than blanket.

Brief mid-year refreshers ensure employees stay updated on evolving threats without feeling overwhelmed, maintaining consistent vigilance and preparedness.

5. Accountability and Recognition

Fostering a sense of ownership over security at all levels is essential for a security culture resilient to social engineering.

Accountability should be reinforced through recognition and rewards for proactive behaviors, such as reporting phishing attempts or suggesting protocol improvements. Offering rewards like free room nights to employees who champion security practices encourages engagement. Additionally, hosting creative contests or quick quizzes with prizes keeps security top-of-mind.

Conclusion

Combatting social engineering attacks requires a comprehensive, multilayered approach that permeates the entire organisation. Pairing a security-first mindset with established measures like access controls and multifactor authentication helps hoteliers maintain proactive security awareness across all staff.

Feeling overwhelmed? Don’t worry. As the leading experts in hospitality data protection, VENZA offers tailored training and simulated social engineering attacks to assess and strengthen your defenses, providing 360-degree protection for your hotel.

Ready to get started? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Human Firewall

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.