Why Is Hotel Website Security So Bad?

13 January 2017 / By Jase Rodley
Why Is Hotel Website Security So Bad?

Competition amongst hotels (and OTAs) for prospective guests online is at an all time high. There is no shortage of opportunities for travelers to book a hotel online.

While this online competition from OTAs and hotels is at an all time high, consumer internet trust is at an all time low. Some 59% of internet users “would likely not do business with a company which had suffered a data breach”.

It comes as a surprise to me then, that while so many hotels go out of their way to keep their guest safe during their stay, they aren’t doing the same for guests browsing the hotel’s website. These hotels are encouraging guests to book elsewhere, by making a very public display of laziness when it comes to their hotel’s website security.

In this post I outline what website security is, the uptake of this security in the small, luxury and boutique hotels sector, and the reasons why every hotel should be securing their entire website.

The Humble Security (SSL) Certificate

SSL certificates encrypt information sent from your hotel’s website and back to the user. This encryption ensures that no one but these two “end points” (the guest, and your hotel’s website) are able to understand the messages being sent back and forth.

When a secure connection is made to a website, the URL of the website will no longer begin with http://, but rather https://. A small green padlock is added to the address bar of the guest’s browser. This is a show of website authenticity and creates trust with your potential guest.

When SSL certificates first came into the mainstream for use on websites, they were used sparingly, usually only on the payment section of the site. Times have now changed. Users are getting savvier, payment processors are getting stricter, and search engines are encouraging a safer internet.

89% of Hotel Websites Don’t Use HTTPS

When I thought about this topic, I thought I’d check out websites of hotels that we don’t work with. The first few sites I visited directly weren’t secure, despite having beautiful (and presumably expensive) designs. Never one to do something half way, it was clear some data collection was in order.

As I was most interested in boutique, luxury and often independently owned hotels, I used the collections and lists publicly available on BLLA, Design Hotels, Fine Individual Hotels, HIP HotelsMr & Mrs Smith and Small Luxury Hotels.

With a list of hotel names, I could generate a list of their website URLs and from here I could test – on scale – which hotel websites had HTTPS and which didn’t.

I expected the industry to be behind on its uptake of website security but didn’t ever think it would be this bad. After testing over 1000 websites, only 11% of these hotels were set up to use HTTPS!

Why Should My Hotel Website Use HTTPS?

While all of this may sound very technical, it can be easily summarized: an unsecure website is costing your hotel direct bookings and lost revenue.

There’s usually a grace period with technology like this where businesses can get away with dragging their heels, but this time is well and truly over, and failing to adapt is having a very real impact on many businesses.

So let’s look at some of the reasons why you should make sure your hotel website is secure…

Google Loves Secure Websites

Way back in 2014, Google let the public know that they were beginning to give higher priority to HTTPS enabled websites. It’s what we in the Search Engine Optimization world call a ranking factor. Savvy hotel website owners and hotel SEOs jumped on board quickly, using HTTPS across their whole website, and have been reaping the rewards since, as Google have increasingly given preference to these sites configured in this way.

Essentially, websites that Google consider secure will rank higher in unpaid search results, bringing more guests to these sites. Secure sites get more opportunities to generate reservations, while unsecure sites have been getting less and less opportunities since 2014.

Guests Trust Secure Hotel Websites

Website security is a huge contributor to user trust.

Website security is a huge contributor to user trust. Source: GlobalSign

As internet users become more aware of their security online, the importance of a secure website grows. In a survey of internet users carried out by GlobalSign in November 2014, 84% of users said they would abandon a purchase if data was sent over a connection that was not secured.

In a time when hotels and OTAs are battling for bookings, every small competitive edge counts. Of course, all of the OTAs are currently using SSL certificates on their site, so if your site isn’t secure the advantage is theirs.

Browsers Are Beginning to Mark Websites as Not Secure

Starting in January 2017, Google Chrome is beginning to mark some HTTP websites “Not secure”. Following on from the trust section above, GlobalSign found that 28.9% of users look for the green address bar before trusting a website. Imagine how users will react when a red “Not secure” warning is displayed on your site.

Google Chrome Not Secure Website Warning

Google Chrome will begin marking websites as “Not secure” in January 2017. Source: Google Security Blog

Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS. – Google Security Blog

Firefox is following suit, and no doubt this will be the norm for all internet browsers before long.

Google Chrome will eventually mark all non-HTTPS enabled websites as "Not secure"

Google Chrome will eventually mark all non-HTTPS enabled websites as “Not secure”. Source: Google Security Blog

You Get More Analytics Data

Although hotel data analytics is an afterthought for many businesses, those that are using it correctly are again at an advantage over the competition. The better the data you collect, the clearer your picture on which marketing initiatives are giving you ROI.

When an HTTPS site sends a user to an HTTP site, for security reasons, Google Analytics can’t tell you where that user came from. This might not sound like a big deal, but it can really impact on the intelligence that your marketing team has.

Let’s say you gave 20 bloggers 5 free nights stay at your hotel in exchange for an article about your hotel and link to your website. Their sites are secure, but your hotel website isn’t. The week after these bloggers published their posts, your direct bookings are up 50%! Your marketing team says that they all came from “direct visitors” – people that have typed your hotel URL into their location bar. It seems very unlikely.

If your site was on HTTPS, you’d not only know that the extra direct bookings came from the blogging campaign, but they all came from 1 blogger! Clearly their audience is best suited to your hotel and is giving you the best ROI, so in future you could focus your marketing spend with this person.

Secure Websites Bring More Direct Bookings

It is clear that the internet is moving towards greater security. Although early adopters have beaten many hotels to the punch, with 89% of your competition are still using an unsecure website, improving your hotel website security is not only something that you will have to do eventually, it’s going to give you an advantage between now and then.

If you’re looking for more unpaid search engine traffic, greater trust from guests and more direct bookings as a result, you’d do well to improve your hotel’s website security today. Need some help? Contact us today to find out what is involved.

About The Author

Jase Rodley

Jase is a frequent traveler, digital marketer and mountain biker. His combined experience in IT systems, digital marketing and tourism has allowed him to help small and medium sized companies improve their branding online, see more direct bookings and increase profits.