by Jay Daughtry
Hotels and their guests are at an ever-increasing risk of cybercrime. In fact, when asked about the two biggest cybersecurity challenges facing businesses today, Bruce Schneier, author of several books on security topics and currently a fellow at the Berkman Center for Internet & Society at Harvard Law School, cited data theft and data protection. “Businesses need to be concerned about attackers stealing their data … . Businesses also need to be concerned about attackers rendering their data unavailable or otherwise unusable,” states Schneier. People and systems are at the heart of this risk.
First, hotels have traditionally placed a great emphasis on physical security, ensuring the safety of both the property and its guests. Recent breaches show the need to elevate the cyber side of security. This begins with people and an understanding of what makes the hotel environment unique in this regard.
A culture focused on the protection of data should be fostered. Employees need to understand what’s at stake for the hotel and its guests. Regular training sessions should highlight best practices and potential threats, as well as examples from the news on related topics. Many hotel data breaches begin with individuals, whether acting inadvertently or maliciously. Further exacerbating the problem for hotels is a high turnover rate for employees, which makes it difficult to ensure staff are fully trained; this also makes it a challenge to foster a work culture that values security.
Best practices for hotel employees begin with strong passwords. A strong password should be created by each employee with access to the hotel’s computer systems and should be unique to that employee. These passwords should be long and combine capital letters, lower case letters, numbers, and special characters. At the same time, a password should be easy enough for an employee to remember without writing it down, but not so easy that another employee or someone with nefarious intentions could guess it. A separate user account should be set up for each employee accessing the hotel’s computers. Hotel owners may also want to require that passwords be changed every few months or at regular intervals. An additional step would be to require multi-factor authentication for certain software or systems. Multi-factor authentication requires an additional proof of identity to gain access, not just a password.
Applications should be minimized, or screens cleared of guest and other information, when not in use. While most hotels use desktop computers for guest check-in and back office operations, be sure that laptop computers are locked and put away when they are not needed. Laptops are easy targets for thieves and may yield access to proprietary information, important data, and hotel systems. A regular inventory of computers should be conducted to manage a hotel’s information technology environment and control access to the information those systems hold.
A culture of data protection also instills the concept that credit card information is not the only data that needs to be guarded and that may be valuable to others. More so than retail locations, hotels may hold addresses, phone numbers, email addresses, birthdays, anniversaries, loyalty program numbers, and information on travel plans that thieves could use in numerous ways. While credit card information might be the first and most obvious information that hackers would want to steal from a hotel, it is certainly not the only information of value to these criminals. Any information that would allow them to guess a guest’s other passwords, gain access to other systems, or impersonate that guest could prove to be of great worth.
Hotel employees may also be subject to social engineering. Social engineering is the process by which criminals get small amounts of information from people, sometimes from various employees. These seemingly harmless bits of information can be combined to access even more valuable information or may enable an individual to position themselves as someone they’re not.
Employees should also be made aware of phishing schemes. Phishing is the process by which an email is sent from what appears to be a legitimate source. The idea is to get an unsuspecting recipient to click through to a site, again one that looks very authentic, and then enter information (usernames, passwords, PINs, Social Security numbers, etc.) that can then be used by those behind the phishing scam. Hotel employees should be trained regularly to better understand what can legitimately be asked of them and what the warning signs of these schemes are.
Additionally, hotels should have established guidelines for the appropriate use of the internet by employees on work computers. Reducing access to questionable websites minimizes the risks and vulnerabilities for a hotel.
Hotel owners should also think through and approach their systems differently to protect guest information. Running current security software helps counter threats from computer viruses and malware. Keeping browsers, operating systems, and other software updated will also protect the hotel’s systems. Hotels should also put appropriate firewalls in place to protect data from outside access. Schneier adds, “Notice how your internal corporate hotel network is connected to your guest wireless network? That’s a bad idea. And don’t get me started on the vulnerabilities of the keycard system.”
Administrative privileges should be restricted to a small number of key employees. Hotel owners should ensure that each employee is given access only to the systems appropriate to doing their job. No one should be allowed to install software without permission.
Hotels are vulnerable in ways that many other enterprises are not, due to their reliance on third-party vendors and their systems. These vendors may provide everything from reservation services to payroll to human resources. While these vendors may have more capabilities and expertise with regard to specialized services, hotel owners should recognize the need to hold them to standards for sufficient security. Hotels should also be able to monitor the performance of their systems vendors and require regular reports on their security status or progress.
Many hotel systems are interconnected. Information from various systems needs to be shared and accessible. This is desirable and makes hotel operations run more efficiently, but it also points to the danger of how a single vulnerability can put the entire system at risk.
Schneier’s closing advice to hotel owners who want to put an emphasis on data protection: “Data is more relevant today than it was twenty years ago. We’re more dependent on computers and networks. … We’re less likely to have manual backups that we can fall back on. It costs money in the short term, but it’s good business in the long term.”