9 ways to strengthen information security
May 18 2010

The hotel industry is a soft spot for cybercriminals, but that doesn’t mean hoteliers can’t fight back. Here are nine steps you can implement to strengthen your defenses.

Editor's note: This is the second installment in a seven-part series about hotel information data security. Tomorrow's feature will examine PCI compliance.

REPORT FROM THE U.S.—Just because hackers have been able to get through the front door before doesn’t mean you can’t install stronger locks to keep them out in the future. Here are nine steps—some easy and cheap, some more time-consuming and costly—you can implement to strengthen your defenses.

1. Get compliant. The Payment Card Industry Data Security Standards provide a comprehensive and proven set of guidelines to bolster data security, and compliance with them is required by the five major card brands. Failure to comply can result in up to a US$500,000 fine.

PCI DSS comprises six goals and 12 specific guidelines, about which the PCI Security Standard Council offers copious support documents and information. Major brands usually provide the necessary IT support to ensure compliance, but smaller chains, portfolios or one-off properties likely will have to hire an outside consultant or security auditor to make sure the 12 guidelines are being met and then implement appropriate security measures.

2. Restrict access. A far less costly and time-consuming practice is the informal audit: Gauge your employees’ use of and ability to access information, said Diane Carlisle, director of professional resources for ARMA International, a nonprofit association that advises companies on managing records and information.

Just as you wouldn’t give every employee a key to the manager’s office, you shouldn’t allow employees to have open access to information, she said.

Ask yourself: Who has access to what information? How are they getting it? Do they need that information to do their jobs?

And if they do, require each employee to have their own username and password for tracking purposes, said Jeremy Rock, president of RockIT Group.

This audit will reveal ways to tighten potential leaks on the data trail. 


3. Follow the information trail. Speaking of the data trail … if you don’t know where all of your information is, you’re far more likely to lose it, Carlisle said. Make a concerted effort to track personal data throughout your entire information infrastructure.

For example, you might know you’ve got a guest’s credit card number stored on a paper file in your office (not that you should ever keep paper records of personal data), but did you know there might also be electronic copies in the hands of vendors or third parties if you outsource any booking services?

Furthermore, are you keeping personal data now that you don’t even need? While Carlisle admitted it makes sense to hold on to key information for frequent guests, you probably don’t need a copy of the one-night guest’s credit card number and home address, she said.

“You’ve got to think about your whole information infrastructure,” Carlisle said. “Whether it’s your paper records or your e-mails or your servers that are holding your frequent guest profiles, where is that information and what protocols govern how it’s accessed?”

4. Reset passwords. An easy yet impactful change at the property level is to make sure you reset passwords throughout the organization, said Mark Haley, partner with hotel-technology consulting firm The Prism Partnership.

A good timeline is to reset passwords every 90 days, never using the same password more than once in a two-year span, Haley said.

And at least make sure you reset default passwords, he added. Manufacturers often use the same keywords over and over again when they ship out and install their systems, making it incredibly easy for the savvy hacker to open what essentially amounts to an unlocked doorway.
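The rotation rules Haley describes (a 90-day reset, no reuse within two years, no vendor defaults) can be checked in software. The following is an added example, not part of the original article; the record layout, function names, default-password list and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)        # reset interval quoted in the article
REUSE_WINDOW = timedelta(days=730)  # the "two-year span"
# Constructed sample list; a real check would load each vendor's documented defaults.
VENDOR_DEFAULTS = {"admin", "password", "changeme"}

def hash_password(password, salt):
    """Salted PBKDF2 hash so the history never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_entry(password, set_on):
    """Build one password-history record (hypothetical record layout)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "set_on": set_on}

def is_overdue(history, now):
    """True when the most recent password is more than 90 days old."""
    return now - max(e["set_on"] for e in history) > MAX_AGE

def check_new_password(candidate, history, now):
    """Return the policy violations for a proposed new password."""
    problems = []
    if candidate.lower() in VENDOR_DEFAULTS:
        problems.append("vendor default")
    for entry in history:
        # Assumption: the window is measured from the date the old password was set.
        recent = now - entry["set_on"] <= REUSE_WINDOW
        same = hmac.compare_digest(hash_password(candidate, entry["salt"]), entry["hash"])
        if recent and same:
            problems.append("reused within two years")
            break
    return problems

if __name__ == "__main__":
    now = datetime(2010, 5, 18)
    history = [  # constructed sample account history
        make_entry("Old-One-7", datetime(2007, 3, 1)),
        make_entry("Spring-Lobby-42", datetime(2009, 1, 10)),
        make_entry("Winter-Desk-19", datetime(2010, 1, 5)),
    ]
    print("overdue:", is_overdue(history, now))
    for pw in ("admin", "Spring-Lobby-42", "Old-One-7", "Fresh-Key-88"):
        print(pw, check_new_password(pw, history, now))
```
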

5. Shore up remote access. Remote access shouldn’t mean easy access, Haley said. “Your obligation is to set those up securely so that unauthorized people can’t use them.”

There are various types of authentication and encryption, and users should have their own unique usernames and strong passwords, he said. Most importantly, the remote access channel should be cut off after each use.

“The key thing is they only enable remote access for vendors (and employees) on an as-needed basis,” Haley said.

6. Create a network divide. There should be two sides to every hotel network: the guest side and the hotel operation side, said Josh Ogle, founder and CEO of TriVesta LLC and co-author of a Cornell University study titled “Hotel Network Security: A Study of the Computer Networks in U.S. Hotels.”

One side allows travelers to access the Internet while staying at the property and the other allows hotel associates to access the necessary programs and information to run that same property. Though the two areas complement each other, the guest side should in no way be touching the hotel side, and vice versa, Ogle said.

7. Enable wireless security. A Wi-Fi connection has become a must in hotel rooms throughout the world. But what about the security systems protecting it? 

It’s an easy fix, Ogle said. Simply access your router, enable its encryption setting, enable password protection and have guests log on using the password. Every router has these capabilities.

Hotel employees shouldn’t give out that password to every Tom, Dick and Jane who asks for it, however. They should first verify the guest is registered at the property before disclosing that network key.


8. Invest in a robust set of firewalls. If someone gets into your network, he or she shouldn’t be able to roam freely from one data center to another, but that’s precisely what happened during a data breach at Wyndham Hotels and Resorts, Ogle said. A hacker penetrated the computer systems of one of the company’s data centers, and that system acted as a gateway allowing the cybercriminal to access information from separate computing environments at 37 properties.

Firewalls should be robust, requiring authentication every time a user moves from one side of the network to another, Ogle said. Investing in these security systems can be expensive, especially when considering the necessary maintenance and constant updates, but it’s one of the best ways to isolate and contain breaches. 

9. Promote a culture of awareness. Firewalls, PCI DSS and encryption are all well and dandy, but unless you make data security an important part of your hotel’s culture, your efforts could be for naught.

“It’s an absolute essential for managers in the industry to ensure that there’s a culture respecting privacy in the hotel,” Haley said.

One of the best ways to do this is to make information security a written workplace policy similar to employee conduct and behavioral policies, Carlisle said.

“… Raise that level of awareness that this information represents a trust that your guests have placed in you, that you’re going to use it appropriately, it’s a value to the company, and it’s an area that can get you in trouble if you misuse it or use it inappropriately,” she said.

5/18/2010 10:43:00 AM
I do not think any or all of these steps will stop the problem. First, PCI compliance is the minimum business practice. Visa has a set of rules for best practice that far exceeds PCI compliance. More important, unless you have tokenization and encryption from the time of swipe, it is all a waste of effort.
Copyright © 2004 - 2016 Hotel News Now, a division of STR, Inc. All Rights Reserved.