Editor's note: This is the second installment in a seven-part series about hotel information data security. Tomorrow's feature will examine PCI compliance.
REPORT FROM THE U.S.—Just because hackers have been able to get through the front door before doesn’t mean you can’t install stronger locks to keep them out in the future. Here are nine steps—some easy and cheap, some more time-consuming and costly—you can implement to strengthen your defenses.
1. Get compliant. The Payment Card Industry Data Security Standard provides a comprehensive and proven set of requirements for bolstering data security, and compliance with it is required by the five major card brands. Failure to comply can result in fines of up to US$500,000.
PCI DSS comprises six goals and 12 specific requirements, about which the PCI Security Standards Council offers copious support documents and information. Major brands usually provide the necessary IT support to ensure compliance, but smaller chains, portfolios or one-off properties likely will have to hire an outside consultant or security assessor to make sure the 12 requirements are being met and then implement appropriate security measures.
2. Restrict access. A far less costly and time-consuming practice is the informal audit: Gauge your employees’ use of and ability to access information, said Diane Carlisle, director of professional resources for ARMA International, a nonprofit association that advises companies on managing records and information.
Just as you wouldn’t give every employee a key to the manager’s office, you shouldn’t allow employees to have open access to information, she said.
Ask yourself: Who has access to what information? How are they getting it? Do they need that information to do their jobs?
And if they do, make employees have their own usernames and passwords for tracking purposes, said Jeremy Rock, president of RockIT Group.
This audit will reveal where the data trail leaks and how to close those leaks.
3. Follow the information trail. Speaking of the data trail … if you don’t know where all of your information is, you’re far more likely to lose it, Carlisle said. Make a concerted effort to track personal data throughout your entire information infrastructure.
For example, you might know you’ve got a guest’s credit card number stored on a paper file in your office (not that you should ever keep paper records of personal data), but did you know there might also be electronic copies in the hands of vendors or third parties if you outsource any booking services?
Furthermore, are you keeping personal data now that you don’t even need? While Carlisle admitted it makes sense to hold on to key information for frequent guests, you probably don’t need a copy of the one-night guest’s credit card number and home address, she said.
“You’ve got to think about your whole information infrastructure,” Carlisle said. “Whether it’s your paper records or your e-mails or your servers that are holding your frequent guest profiles, where is that information and what protocols govern how it’s accessed?”
4. Reset passwords. An easy yet impactful change at the property level is to make sure you reset passwords throughout the organization, said Mark Haley, partner with hotel-technology consulting firm The Prism Partnership.
A good timeline is to reset passwords every 90 days, never using the same password more than once in a two-year span, Haley said.
And at least make sure you reset default passwords, he added. Manufacturers often ship and install their systems with the same default passwords over and over again, making it incredibly easy for a savvy hacker to walk through what essentially amounts to an unlocked doorway.
5. Shore up remote access. Remote access shouldn’t mean easy access, Haley said. “Your obligation is to set those up securely so that unauthorized people can’t use them.”
There are various types of authentication and encryption, and users should have their own unique usernames and strong passwords, he said. Most importantly, the remote access channel should be cut off after each use.
“The key thing is they only enable remote access for vendors (and employees) on an as-needed basis,” Haley said.
6. Create a network divide. There should be two sides to every hotel network: the guest side and the hotel operation side, said Josh Ogle, founder and CEO of TriVesta LLC and co-author of a Cornell University study titled “Hotel Network Security: A Study of the Computer Networks in U.S. Hotels.”
One side allows travelers to access the Internet while staying at the property and the other allows hotel associates to access the necessary programs and information to run that same property. Though the two areas complement each other, the guest side should in no way be touching the hotel side, and vice versa, Ogle said.
7. Enable wireless security. A Wi-Fi connection has become a must in hotel rooms throughout the world. But what about the security systems protecting it?
It’s an easy fix, Ogle said. Simply access your router, enable its encryption setting, enable password protection and have guests log on using the password. Every router has these capabilities.
Hotel employees shouldn’t give out that password to every Tom, Dick and Jane who asks for it, however. They should first verify the guest is registered at the property before disclosing that network key.
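As an added illustration of step 7 (this is example configuration, not something from the article or from the people quoted), here are two hostapd configurations for a guest access point: the open one that leaves every guest's traffic readable in the air, and the corrected one that turns on encryption and a network key. hostapd is the usual Linux access-point daemon; the interface name, SSID and passphrase are placeholders.

```ini
# hostapd-open.conf -- the weak setting: no encryption, no password.
# Anyone within radio range can join and read other guests' traffic.
interface=wlan0
ssid=Hotel-Guest
hw_mode=g
channel=6

# hostapd-wpa2.conf -- the corrected setting (a separate file).
interface=wlan0
ssid=Hotel-Guest
hw_mode=g
channel=6
# WPA2 only; do not allow a WPA1/TKIP fallback.
wpa=2
wpa_key_mgmt=WPA-PSK
# AES-CCMP for the pairwise cipher; TKIP is broken.
wpa_pairwise=CCMP
rsn_pairwise=CCMP
# The network key handed to registered guests (8-63 characters; placeholder).
wpa_passphrase=change-me-to-a-long-random-phrase
# Require protected management frames so deauthentication floods are rejected.
ieee80211w=2
# Do not forward traffic between wireless clients; guests should not see each other.
ap_isolate=1
```

One caveat worth knowing when you hand out a single shared key: ap_isolate stops the access point from bridging one guest to another, but anyone who holds the passphrase and captures another guest's connection handshake can still decrypt that guest's traffic. That is one more reason to verify the guest is registered before disclosing the key, and to change the key periodically rather than leaving it up for years.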
8. Invest in a robust set of firewalls. If someone gets into your network, he or she shouldn’t be able to roam freely from one data center to another, but that’s precisely what happened during a data breach at Wyndham Hotels and Resorts, Ogle said. A hacker penetrated the computer systems of one of the company’s data centers, and that system acted as a gateway allowing the cybercriminal to access information from separate computing environments at 37 properties.
Firewalls should be robust, requiring authentication every time a user moves from one side of the network to another, Ogle said. Investing in these security systems can be expensive, especially when considering the necessary maintenance and constant updates, but it’s one of the best ways to isolate and contain breaches.
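Whether the network divide of step 6 and the per-property isolation of step 8 actually hold is something you can check from the firewall's own connection logs. The following is an added example, not code from the article or from anyone quoted in it: it parses firewall-style log lines, maps each address to a segment, and reports every flow between segments the policy says must never talk directly. Flows the firewall accepted are gaps in the rule set; flows it dropped are probes worth watching. The address plan, the allowed-pairs policy, the log format and the log lines are all constructed for illustration.

```python
"""Flag traffic that crosses a hotel network divide it should not cross.

Added example: a checker for firewall connection logs. The address plan,
policy, log format and sample lines below are constructed, not taken from
any real property or vendor.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed address plan: a guest Wi-Fi and an operations network at each of
# two properties (A and B) plus a shared data center. Any address outside these
# ranges is treated as "external" (the internet).
SEGMENTS = {
    "guest-wifi-A": ipaddress.ip_network("10.10.0.0/16"),
    "ops-A": ipaddress.ip_network("10.20.0.0/16"),
    "guest-wifi-B": ipaddress.ip_network("10.110.0.0/16"),
    "ops-B": ipaddress.ip_network("10.120.0.0/16"),
    "datacenter": ipaddress.ip_network("10.200.0.0/16"),
}

# Policy: (source segment, destination segment) pairs that may open a
# connection. Anything not listed is a violation. Guests reach only the
# internet; each property's operations network reaches its own hosts, the
# shared data center and the internet, but never another property or a guest
# network, so one compromised site cannot become a gateway to the rest.
ALLOWED = {
    ("guest-wifi-A", "external"), ("guest-wifi-B", "external"),
    ("ops-A", "ops-A"), ("ops-A", "datacenter"), ("ops-A", "external"),
    ("ops-B", "ops-B"), ("ops-B", "datacenter"), ("ops-B", "external"),
    ("datacenter", "datacenter"),
}

# Constructed log format (not any real vendor's): one new connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw action=(?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw action=ACCEPT src=10.10.4.23 dst=93.184.216.34 dport=443
2024-05-01T10:00:02Z fw action=ACCEPT src=10.20.1.5 dst=10.200.0.10 dport=3306
2024-05-01T10:00:03Z fw action=ACCEPT src=10.10.4.23 dst=10.20.1.5 dport=445
2024-05-01T10:00:04Z fw action=DROP src=10.10.4.23 dst=10.20.1.5 dport=3389
2024-05-01T10:00:05Z fw action=ACCEPT src=10.20.1.5 dst=10.120.2.9 dport=22
2024-05-01T10:00:06Z fw action=DROP src=198.51.100.7 dst=10.20.1.5 dport=22
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    src_seg: str
    dst_seg: str
    accepted: bool  # True = the firewall let a forbidden flow through


def segment_of(addr: str) -> str:
    """Map an IPv4 address to its segment name, or "external" if in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def check_flows(lines):
    """Return one Finding per logged connection that violates ALLOWED."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a connection record in our format
        src_seg, dst_seg = segment_of(m["src"]), segment_of(m["dst"])
        if (src_seg, dst_seg) in ALLOWED:
            continue
        findings.append(Finding(m["ts"], m["src"], m["dst"], int(m["dport"]),
                                src_seg, dst_seg, m["action"] == "ACCEPT"))
    return findings


def policy_gaps(findings):
    """Violations the firewall ACCEPTED: the rule set itself needs fixing."""
    return [f for f in findings if f.accepted]


if __name__ == "__main__":
    for f in check_flows(SAMPLE_LOG.splitlines()):
        verdict = "GAP (accepted)" if f.accepted else "blocked probe"
        print(f"{f.ts} {f.src_seg} -> {f.dst_seg} port {f.dport}: {verdict}")
```

On the sample lines the checker reports four violations: a guest device reaching a back-office host on port 445 (accepted, so a real gap), the same guest probing RDP (dropped), property A's operations network opening SSH into property B (accepted, exactly the kind of hop between sites that the Wyndham breach relied on), and an internet host probing SSH (dropped). The two accepted ones are the rules to fix first.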
9. Promote a culture of awareness. Firewalls, PCI DSS and encryption are all well and good, but unless you make data security an important part of your hotel’s culture, your efforts could be for naught.
“It’s an absolute essential for managers in the industry to ensure that there’s a culture respecting privacy in the hotel,” Haley said.
One of the best ways to do this is to make information security a written workplace policy similar to employee conduct and behavioral policies, Carlisle said.
“… Raise that level of awareness that this information represents a trust that your guests have placed in you, that you’re going to use it appropriately, it’s a value to the company, and it’s an area that can get you in trouble if you misuse it or use it inappropriately,” she said.