Smart Home Technology Risks: What Donegal Hotels Need to Know About Connected Devices.

Smart locks, cameras and thermostats in Donegal hotels create real cybersecurity risks. Learn how to deploy connected devices safely without compromising guest security.

When a Donegal coastal hotel installed smart locks across sixty guest rooms in early 2024, the project went smoothly and guests responded positively — no more lost keycards, smoother check-in, and a modern impression that the property's marketing team highlighted in its listings. What the installation team did not do was change the default admin credentials on the lock management console, segment the smart device network from the main hotel systems, or review the data retention settings of the cloud platform managing the lock access logs. Eight months later, during a security review, an assessor found that the management console was accessible from the internet using credentials that had not been changed from the factory default, and that the access log data — including records of when every guest had entered and exited their room — was being stored on a cloud server with no data processing agreement in place. The hotel had deployed the technology. It had not secured it.

The Risk That Smart Devices Create

Smart home and IoT technology — connected locks, thermostats, cameras, speakers, and lighting — is transforming Irish hospitality. The guest experience benefits are real. So are the security risks, and they are less well understood than the marketing benefits.

Every connected device is a potential entry point into your network. A smart thermostat that uses a default password, a camera that sends footage to a poorly secured cloud account, or a smart speaker that records ambient audio and transmits it to an external server — each of these creates an exposure that did not exist before the device was installed. NCSC Ireland includes IoT device security in its published guidance for organisations, noting that connected devices are frequently targeted by attackers specifically because they are often deployed without the same security hygiene applied to laptops and servers.[^1]

The risk is not primarily that an attacker will manipulate your thermostat. It is that a compromised smart device provides a foothold on your network from which an attacker can reach your booking system, your guest data, or your payment infrastructure. An Garda Síochána's National Cyber Crime Bureau has recorded cases in Irish hotels where the initial network compromise was traced to an IoT device — typically a camera or smart speaker — that had been left with default credentials and was accessible from the internet.[^2]

Does your hotel have an inventory of every connected device on its network, and can you confirm that each one has been configured securely rather than left with factory default settings?

The Four Device Categories and Their Specific Risks

Smart locks are the category with the most direct physical security implication. A compromised lock management system could allow an attacker to generate valid access codes for any room, or to lock guests out. Beyond the physical risk, the access log data — which records every entry and exit — is personal data under GDPR. The Data Protection Commission in Ireland has published guidance on location and movement data, confirming that records of when a named guest accessed their room qualify as personal data and require appropriate protection and a lawful basis for processing.[^3]

Smart cameras carry both network and privacy risks. Cameras connected to cloud storage services — particularly services hosted outside the EU — create data transfer obligations under GDPR that most hoteliers have not considered. Guest-facing cameras in lobbies and corridors capture personal data that must be covered by appropriate notices and retention policies. Cameras accessible via the internet with default credentials are one of the most commonly exploited device types in Irish business network compromises.

Smart thermostats and building management systems are less obviously sensitive but are increasingly integrated with the same network as booking and operational systems. A thermostat with a manufacturer-provided remote access capability and default credentials is a door into your network that requires no physical access. In buildings where the heating and cooling systems are managed through a connected platform, a compromise can also create physical disruption — heating failures in winter, cooling failures during summer events.

Smart speakers and voice assistants present a different kind of risk. Devices like Amazon Echo or Google Home, deployed in guest rooms for convenience, transmit audio data to external servers. The data processing and storage practices of those devices are governed by the manufacturer's terms of service, not by your hotel's GDPR policies. Deploying them in guest rooms without informing guests creates a disclosure obligation issue. Deploying them in management offices where confidential conversations occur creates a confidentiality risk.

The Principles of Secure IoT Deployment

The first principle is to change default credentials before deployment. Every smart device ships with a manufacturer-set username and password. These credentials are publicly documented and are the first thing any attacker tries. Changing them before the device goes live takes five minutes and removes the most common attack vector entirely.

The second principle is network segmentation. Smart devices should be on a separate network from your core business systems. Guest Wi-Fi, IoT devices, and your booking and payment infrastructure should each be on isolated network segments. A device that is compromised on the IoT network cannot then reach your property management system if the two networks are properly separated. Your IT provider can configure this using VLANs on your managed network switch. For most small hotels, it is a half-day of configuration work.

The third principle is to disable remote access where it is not needed. Many smart devices enable internet access to management interfaces by default. If you do not need to manage the device from outside your local network, disable that capability. If you do need it, ensure it requires strong authentication rather than default credentials, and consider whether a VPN requirement would be appropriate.

The fourth principle is to include smart devices in your firmware update process. Connected devices receive security updates from manufacturers just as computers do. Leaving devices on outdated firmware leaves known vulnerabilities open. Assign someone responsibility for checking device firmware versions quarterly and applying updates.

The fifth principle is to understand your data processing obligations before deployment. If a device collects personal data — access logs, camera footage, audio recordings — you need to know who it sends that data to, where it is stored, and whether a data processing agreement is in place with the service provider. If it is not, you have a GDPR compliance gap that needs to be resolved before the device is live.

Smart technology in hospitality delivers real value for guests and operators. But every connected device that goes live without security configuration is not just an addition to your amenities — it is an addition to your attack surface.

Three Actions to Take Before Your Next Installation

1. Inventory every connected device currently on your network. Your IT provider can generate this list from your network infrastructure. Note the make, model, firmware version, and whether default credentials have been changed. Any device with unchanged defaults should be updated immediately.

2. Segment your network before adding more IoT devices. Before deploying additional smart technology, confirm with your IT provider that your network is structured to isolate smart devices from core business systems. If it is not, address that first.

3. Before any new smart device deployment, check three things: whether default credentials have been changed, whether the device has been placed on the correct network segment, and whether the manufacturer's data processing practices are compatible with your GDPR obligations.
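The inventory and pre-deployment checks above can be run as a repeatable audit over a device list. The following is an added example, not part of the original article: the CSV column names, the IoT subnet `10.20.0.0/24`, the 92-day firmware interval and the sample devices are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from datetime import date

# Assumed addressing plan: IoT devices sit on their own VLAN/subnet (hypothetical).
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
FIRMWARE_CHECK_DAYS = 92  # roughly quarterly, per the fourth principle

# Constructed sample inventory; device names, makes, models and addresses are made up.
INVENTORY_CSV = """\
name,make,model,ip,fw_checked,creds_changed,remote_enabled,remote_needed,personal_data,dpa
lock-console,ExampleLock,LC-1,10.0.0.15,2024-01-10,no,yes,no,yes,no
lobby-camera,ExampleCam,C-200,10.20.0.31,2024-08-01,yes,no,no,yes,yes
plant-thermostat,ExampleTherm,T-5,10.20.0.40,2024-02-20,yes,yes,yes,no,no
"""

def yes(value):
    """Interpret a yes/no inventory cell."""
    return value.strip().lower() == "yes"

def audit_device(row, today):
    """Return the list of findings for one inventory row."""
    findings = []
    if not yes(row["creds_changed"]):
        findings.append("default credentials unchanged")
    if ipaddress.ip_address(row["ip"]) not in IOT_SUBNET:
        findings.append("not on the IoT segment")
    if yes(row["remote_enabled"]) and not yes(row["remote_needed"]):
        findings.append("remote access enabled but not needed")
    age = (today - date.fromisoformat(row["fw_checked"])).days
    if age > FIRMWARE_CHECK_DAYS:
        findings.append(f"firmware not checked for {age} days")
    if yes(row["personal_data"]) and not yes(row["dpa"]):
        findings.append("personal data without a data processing agreement")
    return findings

def audit_inventory(csv_text, today):
    """Map each device name to its findings; an empty list means no open issues."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: audit_device(row, today) for row in rows}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY_CSV, date(2024, 9, 1)).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The first sample row mirrors the lock console from the opening case: unchanged credentials, on the business network, remotely reachable, and logging guest movements without an agreement in place.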

The operational benefits of smart hotel technology are genuine and growing. Securing it properly is what allows you to capture those benefits without creating the exposures that an unsecured deployment introduces.


[^1]: NCSC Ireland, guidance on IoT and connected device security for organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána, National Cyber Crime Bureau cybercrime resources: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission, guidance on personal data and GDPR obligations: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.