Expert John Bell shared insights into data security during the recent HTNG Insight Summit.
SUNNYVALE, California—Data security might be among the most important issues in the hotel industry that receives relatively little attention.
During the recent HTNG Insight Summit, John Bell, founder of Ajontech and data security consultant and expert, shared some insights on what’s going on in that space and some of the things that are often overlooked.
1. The hotel industry doesn’t understand risk modeling
Bell said few hotel companies have a solid understanding of the risk they face in terms of potential data breaches, and that’s in part because there is no uniform way of modeling risk across the hotel industry.
“I think we need to create an industry-wide risk model,” he said. “My primary reason for this is that many of the companies I work with when working on architectures for don’t understand how much money to be spending (on security).”
He said the model will give companies a starting point on how much should be invested in security efforts compared to overall investment.
“They need to understand what the value is, how much it will cost if (breached), and what’s the probability of (data) being lost,” Bell said.
The model will also have to account for things outside the direct control of hotel companies, including a component to model risk for vendors. He said if that were standardized, it would be helpful to both hoteliers and vendors.
“That way a vendor can easily communicate the risk of their products and service offerings,” he said.
2. Physical security is also important for IT
Bell said it’s all too common that hotels ignore the more physical aspects of security in tech. He noted this often comes down to lazy or negligent placement of important equipment and servers, referencing one company that put servers in a back-office men’s room.
“I’ve been in many hotels where all you have to do to walk out with a server is open a door, unplug it and walk out,” he said.
He added that even some instances of servers being kept behind locked doors are lazy and inadequate, since in many hotels the walls of server rooms are basically drywall that could be “cut through with a utility knife.”
“These are things we don’t commonly think about,” he said.
3. Multifactor is important, but it’s not a magic bullet
Many technology companies are pushing hard for the adoption of multi-factor authentication, which in layman’s terms is the practice of asking a user to present a second method of proving who they are beyond just a password.
“People think it’s the solution to all their problems,” Bell said. “I said they’re wrong, but that doesn’t mean it’s not important.”
He noted further adoption of multi-factor methods is key for things like handling credit cards, and he believes “anyone doing system administration should be using multi-factor.”
Bell said one of the best applications of this methodology is the use of a physical key as the second step in authentication, similar to what Google has done, which company officials say has wiped out employee phishing altogether.