Cybersecurity – Securing Property Management Systems


October 29, 2018
Cyber Security
Bill Newhouse - William.Newhouse@nist.gov

Business planning to address cybersecurity challenges should be as important as planning for guest arrivals. 

Whether you’re a small boutique hotel or part of a large, well-known brand, your system(s) can be compromised, and the consequences can be damaging. There is no silver bullet that makes a hospitality entity immune, yet an ERP Maestro survey shows that a full one-third of executives don’t have a defined cybersecurity strategy.


Considering the costs associated with a system breach – and its potential impact on guest privacy and brand reputation – it makes sense to take a proactive approach to securing your property management system (PMS). 

Hospitality organizations rely on a PMS for daily tasks, planning, and record keeping. As the operations hub, the PMS interfaces with or includes services and components within a hotel’s information technology (IT) systems, such as point-of-sale (POS) systems, electronic door locks, Wi-Fi networks, and other guest service applications. Adding to the complexity of connections, external business partners’ components and services are also typically connected to the PMS, such as on-site spas or restaurants, online travel agents, and customer relationship management partners or applications. This expanding PMS provides a wide attack surface for intentional and unintentional threats to guest data.

A Framework for Cybersecurity
 
Improving cybersecurity may seem daunting, yet opportunities exist to strengthen cybersecurity in and around a hotel PMS. But what does good cybersecurity look like? First, know that cybersecurity is fundamentally an exercise in risk management. Moreover, there are no one-size-fits-all solutions to cybersecurity. Every business is unique. Hotels have different PMS solutions, integrations, operations, processes, and pieces of information that they retain. To be effective, the tactics and tools you employ for cybersecurity must be tailored to your operation and take into account your risk tolerance and your available resources. 


The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a guide, or way of thinking about cybersecurity. It’s not a requirement for compliance. In fact, it’s completely voluntary. So why use it? Stakeholders from all sectors of the economy came together to create the framework. It can be adapted and scaled to virtually any type of business to better understand, manage, and reduce cybersecurity risks. It helps businesses determine what activities are most important to assure critical operation and service delivery, which in turn helps them prioritize investments and maximize the impact of money spent on cybersecurity. In fact, results from a 2015 Gartner poll show that about 30 percent of U.S. organizations have adopted the Cybersecurity Framework, and by 2020, 50 percent of organizations will have adopted it.
 
For an independent hotel, the Cybersecurity Framework can be used to guide cybersecurity considerations on site. For a franchisor, it can be a way to educate franchisees about your cybersecurity program and track their progress. For a multi-unit hotel operator, it can become a shared operational guide for your IT staff, hotel managers, executives, and board so that members of your team are all speaking the same language. 
 
The Cybersecurity Framework is not intended to be used as a stand-alone framework but to be paired with other industry standards and best practices for cybersecurity. For PMS security, hoteliers may want to consider pairing the Cybersecurity Framework with standards and best practices published by NIST, ISO/IEC, Payment Card Industry/Data Security Standards (PCI/DSS), Hotel Technology Next Generation, FIDO Alliance, and the Cloud Security Alliance.
 
At its core, the Cybersecurity Framework comprises five functions: identify, protect, detect, respond and recover. A focus on these five functions can go a long way toward plotting a course of action to protect your PMS and data. We will touch on the identify and protect functions as they relate to securing your PMS.
 
IDENTIFY:
Know Who and What Is Connecting to Your PMS
First, take an inventory of your PMS and the systems and devices that connect to it, and identify just how much risk you face. This speaks to the Asset Management category (ID.AM) of the Cybersecurity Framework. Key considerations include:
 
  • Inventory devices and systems, software platforms, and applications. Identify IT systems, devices, and hardware–like POS terminals or electronic door lock systems–that connect to your PMS, including location and ownership of those systems. Develop documentation or use third-party secure database software to inventory all software. Develop a process to keep this inventory up-to-date.
 
  • Map organizational communication and data flows. Map your PMS’ communication and data flow requirements, and draft network diagrams. What is your most sensitive data, and where is it stored (on premise, in the cloud, or both)? Who has access to your data, including third-party providers? Any documentation developed should describe how this information supports your business objectives and describe the risk to the business if compromised.
 
  • Catalog external information systems. Create and maintain a document that catalogs all external systems, especially those that contain sensitive data or support critical hotel operations.
 
PROTECT:
Take Steps to Reduce Risk of a Cyberattack
Once you’ve identified your cybersecurity risks, you can turn your attention to protecting your systems and data, which speaks to the Protect categories of the Cybersecurity Framework. Key considerations for protecting a PMS include:
 
  • Control access and improve authentication. Require unique credentials for each user who accesses your PMS, and limit their access to only the hardware, applications, or data needed to do their job. For example, an authorized third-party contractor working on your HVAC system should not be able to access your reservation system. Limit administrative or super-user access to the fewest users possible. Remove user access when an employee leaves, and do not allow shared accounts to log on to applications, servers, or network devices. Consider multifactor authentication for access to critical data and systems, and single sign-on for ease of access.
 
  • Secure data with encryption and tokenization. Devalue your data through point-to-point encryption and tokenization. Hospitality organizations maintaining compliance with PCI/DSS are familiar already with point-to-point encryption. Encryption is especially important when data–the information you collected and inventoried as part of your Identify efforts–is stored on or transmitted to third-party, cloud-based systems. In tokenization, tokens replace sensitive data with random, unique numbers that have no value if stolen. Tokens can also be used as a substitute for the account numbers you may be using to identify customers for your loyalty programs and other customer promotions. Tokenization systems should be secured and validated by using security best practices.
 
  • Consider a zero-trust approach. A zero-trust security model maintains that you don’t inherently trust anything on or off your PMS and that you apply security controls only where they are needed to compartmentalize and protect critical systems and data. Consider the multiple systems and applications connecting to your PMS and the various users–employees, partners, and even guests–accessing them from a range of devices and locations. A zero-trust approach treats all users as potential threats and prevents access until they can be properly authenticated and their access to the application is authorized. In essence, grant a user access only to the bare minimum they need to perform their job. If a device is compromised, zero trust can ensure that the damage is contained.
 
  • Promote cybersecurity awareness and training. Employees remain the top source of cybersecurity incidents, according to PwC’s Global State of Information Security Survey 2018. Employees at every level should be taught to take precautions to help protect their organization’s systems and data. Avoid one-time, “check the box” annual training in favor of continuous cybersecurity awareness programs that strive to change employee behaviors, which in turn strengthens the security culture of your business.
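The access-control, tokenization and zero-trust bullets above describe two mechanisms in prose: deny access by default and grant each named account only the permissions its job needs (with deactivation the moment someone leaves), and keep card numbers out of the PMS by storing a random token in their place. The following Python is an added example written for this article; it is not code from the article, from NIST, or from any PMS vendor. The roles, permissions, usernames and card number are constructed for the illustration, and the token format (same length as the card, last four digits kept, the rest random) is one design choice among several.

```python
"""Least-privilege access checks plus card-number tokenization for a PMS.

Added illustration; roles, permissions, users and card numbers are constructed.
"""
import secrets
from dataclasses import dataclass

# Constructed role -> permission table. Each role holds only what the job needs:
# the HVAC contractor can reach the building system, not the reservation system.
ROLE_PERMISSIONS = {
    "front_desk": {"reservations:read", "reservations:write", "folio:read"},
    "payments": {"folio:read", "card:detokenize"},
    "hvac_contractor": {"building:hvac"},
    "admin": {"reservations:read", "reservations:write", "folio:read", "users:manage"},
}


class AccessDenied(PermissionError):
    """Raised whenever a request is not both authenticated and authorized."""


@dataclass
class User:
    username: str        # one credential per person; duplicate names are refused
    role: str
    active: bool = True  # set to False the day an employee or contractor leaves


class AccessControl:
    """Zero-trust style check: nothing is allowed until the caller is a known,
    active user whose role explicitly grants the requested permission."""

    def __init__(self) -> None:
        self._users: dict[str, User] = {}

    def add_user(self, user: User) -> None:
        if user.username in self._users:
            raise ValueError(f"username {user.username!r} already exists")
        if user.role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {user.role!r}")
        self._users[user.username] = user

    def deactivate(self, username: str) -> None:
        """Offboarding: the record is kept for audit, but the credential is dead."""
        self._users[username].active = False

    def check(self, username: str, permission: str) -> None:
        user = self._users.get(username)
        if user is None or not user.active:
            raise AccessDenied(f"{username}: no active account")
        if permission not in ROLE_PERMISSIONS[user.role]:
            raise AccessDenied(f"{username} ({user.role}) is not granted {permission}")

    def can(self, username: str, permission: str) -> bool:
        try:
            self.check(username, permission)
            return True
        except AccessDenied:
            return False


class TokenVault:
    """Swaps a card number (PAN) for a random, unique digit string of the same
    length. The PMS and loyalty records store only the token; the PAN exists
    solely inside this vault, which is the one component that still needs the
    full PCI DSS treatment. Detokenizing needs the card:detokenize permission."""

    def __init__(self, access: AccessControl) -> None:
        self._access = access
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:        # same card -> same token, so the
            return self._token_by_pan[pan]   # token can key loyalty records
        while True:
            # Keep the last four digits for receipts; every other digit is random
            # from the OS CSPRNG, so the token carries no information about the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, username: str, token: str) -> str:
        self._access.check(username, "card:detokenize")   # deny by default
        return self._pan_by_token[token]


def build_demo() -> tuple:
    """Constructed users for the example; returns (AccessControl, TokenVault)."""
    ac = AccessControl()
    ac.add_user(User("a.rivera", "front_desk"))
    ac.add_user(User("p.chen", "payments"))
    ac.add_user(User("hvac-vendor-01", "hvac_contractor"))
    return ac, TokenVault(ac)
```

Call `build_demo()` to get a configured pair and try the checks: the contractor account is refused `reservations:read`, the front-desk account can store and display a token but `detokenize` raises `AccessDenied` for it, and `deactivate("p.chen")` closes every permission for that user at once. In production the vault would run as its own hardened, audited service rather than an in-memory dictionary; the shape of the checks is what the example is meant to show.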
 
Innovations in technology help hospitality organizations streamline operations, reduce costs, and enhance the guest experience, but they can also introduce security risks. Cyberattacks are not going away; in fact, they are growing in number and sophistication. While there is no magic elixir when it comes to cybersecurity, incorporating the five functions of the NIST Cybersecurity Framework – identify, protect, detect, respond and recover – into your business is the first step to managing risks to your hotel from the growing threat of cyberattacks.

©2018 Hospitality Upgrade 
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.


