When a Donegal hotel conducted a routine IT audit at the end of the summer season last year, the IT provider found eleven active user accounts belonging to staff who had left the business — some as far back as two seasons prior. Three of those accounts had been logged into within the previous thirty days, from IP addresses that could not be attributed to current staff. Whether those logins were benign or malicious, the hotel had no way to know. What it did know was that former employees had continued to have access to the property management system, the guest booking database, and the shared document folder for months after their employment had ended. It is one of the most common and preventable security failures in Irish seasonal hospitality businesses.
Why Seasonal Staff Create Specific Security Risk
Seasonal and temporary staff represent a distinct cybersecurity challenge for Irish tourism businesses. They join with limited onboarding time, often during the busiest operational periods when managers have the least bandwidth to run thorough inductions. They may not receive security training as part of their onboarding. They typically leave quickly at the end of the season, and offboarding — including the revocation of system access — is often handled informally if at all.
The NCSC Ireland has consistently highlighted insider threat, including accidental data exposure by temporary workers, as a significant risk category for Irish businesses handling personal data.[^1] The Data Protection Commission in Ireland has investigated multiple cases involving data breaches that originated from seasonal employee accounts — including cases where access was never revoked after departure and where former employees accessed guest or client data from outside the business.[^2]
The risk is not only from malicious intent. A seasonal member of staff who uses a weak or reused password, who clicks on a phishing email that arrives in their work inbox, or who uses a personal device to access booking systems creates real exposure for the business and its guests. And because seasonal contracts end without formal exit processes in many Irish hospitality businesses, the window for that exposure can extend far beyond the employment period.
Does your business have a written process for granting and revoking system access for seasonal staff, and can you confirm right now that all former seasonal employees have had their access removed?
The Three Risk Areas That Matter Most
Access management is the highest priority. Every seasonal employee should receive a unique, individual login account — never a shared account where it is impossible to trace which individual accessed what, or when. Accounts should be created with the minimum access required for the role: a summer receptionist does not need access to payroll records or the owner's email. Accounts should be time-limited where possible, expiring automatically at the end of the contracted period. And revocation must be a formal, documented step in the offboarding process — not something that happens when someone remembers.
Security awareness training is the second area. A basic security induction for seasonal staff should take no more than thirty minutes and should cover three things: how to recognise a phishing email, what not to do with guest or customer data, and who to contact if something seems wrong. An Garda Síochána's National Cyber Crime Bureau has noted that phishing emails targeting hotel staff — impersonating booking platforms, payment processors, and Revenue — have increased significantly in the Irish hospitality sector.[^3] Staff who have been shown examples of what these attacks look like are meaningfully less likely to click through.
Password policy is the third area. Seasonal staff should be required to use a unique password for their work account — not a personal password they use elsewhere, and not a variation on their name and the current year. The business should enforce this through the system rather than relying on individual compliance. Microsoft 365 and most property management systems support password complexity requirements that can be set once and applied to all accounts, including seasonal ones.
Building a Seasonal Access Lifecycle
The practical approach to seasonal staff security is to treat access as a lifecycle rather than a one-time event. At the start of each season, define the access profile for each role — what systems, what data, what permissions. Create accounts at onboarding with those specific permissions and no more. At the start of employment, spend thirty minutes on a basic security briefing and document that the briefing was completed.
During employment, include seasonal staff in any security awareness communications sent to the wider team. If a phishing campaign is circulating that targets hospitality businesses, seasonal staff need to know about it just as much as permanent staff do.
At the end of employment, the offboarding process must include explicit steps for disabling the account, removing access to shared folders, and recovering any company-issued devices. This should be a checklist, signed off by a manager, not an informal conversation that may or may not happen on the last day. The date of account deactivation should be documented and retained.
Quarterly — even outside the season — someone should review the full list of active accounts in your systems and verify that each one belongs to a current employee. This check takes less than an hour and will catch the kind of stale accounts that created the exposure in the Donegal hotel example at the start of this article.
What Compliance Requires
Under GDPR, Irish businesses are required to implement appropriate organisational measures to protect personal data. The Data Protection Commission has made clear that access control — including timely revocation of access — is an organisational measure, and that failure to revoke access after employment ends is a breach of the obligation to protect data. For a hotel or tourism business handling guest names, contact details, and payment information, this obligation applies directly to seasonal staff accounts.
NIS2 also applies to hospitality businesses above the relevant size thresholds and explicitly includes staff management and access control within its required cybersecurity measures. Even below those thresholds, the commercial and reputational consequences of a data breach involving former employee access are significant in a sector where trust and reputation directly affect booking rates.
Access control for seasonal staff is not a technical problem. It is a process problem, and processes are cheaper and faster to fix than the consequences of getting them wrong.
Three Actions to Take Before Your Next Season
1. Audit your current accounts now. Generate a list of all active user accounts in your email system, booking platform, and any other business system. Cross-reference against your current employee list. Deactivate any account that does not belong to a current employee. Do this today.
2. Write a one-page seasonal staff security checklist. It should cover: account creation on day one, thirty-minute security briefing on day one, password policy confirmation, and account deactivation on last day. Attach it to your seasonal employment contract template so it is used every time.
3. Enable multi-factor authentication on all work accounts. This applies to seasonal staff accounts as much as permanent ones. If a seasonal employee's credentials are stolen through phishing, MFA prevents the attacker from using those credentials to access your systems. Enabling it takes less than twenty minutes on Microsoft 365 and requires no additional cost.
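The account audit in action 1, which is also the quarterly review described earlier, as an added Python example that is not part of the original article or of any product's tooling. The CSV column names, the sample addresses and the audit_accounts helper are assumptions, and the data is constructed; adapt the columns to whatever your email system and booking platform actually export.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions, not a real product format.
ACCOUNTS_CSV = """username,enabled,last_login
aoife.k@hotel.example,true,2024-10-02
sean.m@hotel.example,true,2024-09-20
niamh.b@hotel.example,true,2024-03-14
reception@hotel.example,true,2024-10-01
old.temp@hotel.example,false,2023-08-30
"""
ROSTER_CSV = """email,contract_end
Aoife.K@hotel.example,
sean.m@hotel.example,2024-08-31
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_accounts(accounts, roster, today, recent_days=30):
    """Return findings for enabled accounts with no current employee behind them."""
    # Map normalised email -> contract end date (None means no fixed end date).
    staff = {}
    for row in roster:
        end = row["contract_end"].strip()
        staff[row["email"].strip().lower()] = date.fromisoformat(end) if end else None
    findings = []
    for acc in accounts:
        if acc["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing left to revoke
        user = acc["username"].strip().lower()
        if user not in staff:
            reason = "no matching employee"  # leavers and shared logins land here
        elif staff[user] is not None and staff[user] < today:
            reason = "contract ended " + staff[user].isoformat()
        else:
            continue  # belongs to a current employee
        last = acc["last_login"].strip()
        recent = bool(last) and (today - date.fromisoformat(last)).days <= recent_days
        findings.append({"username": user, "reason": reason, "recent_login": recent})
    # Recently used stale accounts come first: those logins need investigating.
    return sorted(findings, key=lambda f: (not f["recent_login"], f["username"]))

if __name__ == "__main__":
    for f in audit_accounts(load(ACCOUNTS_CSV), load(ROSTER_CSV), date(2024, 10, 10)):
        flag = "INVESTIGATE" if f["recent_login"] else "disable"
        print(f"{flag:12} {f['username']:28} {f['reason']}")
```

Accounts flagged for investigation are the ones that match the Donegal case: still enabled, no current employee behind them, and used within the last thirty days.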
[^1]: NCSC Ireland, cybersecurity guidance for organisations on insider risk and access management: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission, guidance on access control and personal data protection obligations: https://www.dataprotection.ie
[^3]: An Garda Síochána, National Cyber Crime Bureau cybercrime resources: https://www.garda.ie/en/crime/cyber-crime/
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.