
Our Next Biggest Challenge: Data Security



October 01, 2012
Jeremy Rock - jrock@rockitgroup.com


 For the last few years the hospitality industry has been subjected to a barrage of information on PCI compliance. The challenges of becoming compliant and maintaining compliance are well documented, and for the most part the hospitality industry has responded well to shoring up networks and establishing policies and procedures. The latest data indicates that while restaurants are still the highest target of hackers, the number of hotel breaches has dropped significantly. This has been attributed to hotels taking basic steps to secure their networks and changing policies and procedures as they relate to passwords and remote access.

While the industry can certainly give itself a proverbial pat on the back for this achievement of making the necessary changes, albeit begrudgingly, many have known that PCI compliance was really the tip of the iceberg. The biggest concern has always been that of data security and the challenges for protecting both the guests’ and company business data.

PII vs. PCI Requirements
The industry has been conditioned to focus its attention on PCI compliance and securing credit card information, and while these efforts have helped to secure networks and led to the implementation of effective policies and procedures, the industry remains largely unfocused on the bigger issue of securing company and personally identifiable information (PII). This includes social security numbers, drivers license numbers, passport information, email addresses, cellphone numbers and other information that can subject guests and staff to potential breaches or identity theft.

While many of the PCI compliance initiatives have led to system enhancements such as data encryption and policies against the hardcopy distribution of this sensitive information, there are many areas which continue to expose guests' and company information to those who would choose to do harm. A number of state laws require that PII be appropriately protected and that any affected individuals be notified of any reasonable suspicion of a compromise.

As with PCI, the best way to protect PII is not to have it in the first place. The problem is that the hospitality industry actually targets this information with more effort than ever before. The importance of understanding guests, whether to provide a better experience or to upsell services, means hoteliers are trying to gain more personal information about guests. Everything from specific preferences to being able to identify guests by name has become a driving force behind many marketing initiatives. Some of these areas are being targeted by criminal elements. The more information that is obtained and stored about guests, the more of a target a hotel is to those entities that have the most to gain from accessing this information. Unfortunately, most hotels and companies aren’t geared to effectively protect this information, and once the focus shifts from credit card breaches, then this will become the so-called next frontier.

The Issue of Mobile Devices
As more hotels start incorporating mobile devices into the operational aspect of properties, these devices are starting to define the way we do business. These devices offer a more efficient and engaging method of operating hotels and engaging guests, but it is more important to remember that most mobile devices are consumer grade and do not possess enhanced security features of larger workstations and laptops. As a result, organizations are at greater risk of having data compromised. What makes mobile devices an interesting target is they not only have the ability to access the key operational networks and data, but they also provide additional information such as location tracking, photos, video and audio. In many cases they contain the user's personal information including potential access to private details such as banking information and access to social media accounts.

The fact that the largest increase in device usage is occurring in the mobile arena means that efforts to manage and control security on these devices are going to become exponentially more difficult, and to some extent may become an Achilles heel.

In a number of cases, employees were granted access to corporate or operational networks through the use of their own devices, which has created additional security risks. The trend of bring your own device (BYOD) has created a number of additional challenges which are discussed in a later section of this article (page 24).

Favorite Techniques Used by Hackers
When evaluating techniques used by hackers one can generally separate them into the following categories:

Social Engineering
Social engineering refers to the art of manipulating people into performing actions or divulging confidential information in the absence of this information being readily available. We tend to think of hackers as people who attack networks via mediums such as the Internet. However, we never think they would be brazen enough to actually do this by talking to actual hotel employees and personnel. Hackers routinely gain information from hotel employees that provides them with a faster and more efficient way to obtain information on the hotel’s networks and systems. When you mention the word hacker, the image of a young, grunge individual comes to mind, but the truth is that hackers come from all different age groups and demographics. That means that it could be anyone from the middle-aged businessman dressed in a jacket and tie, who looks like a company executive or CEO, checks into your hotel and appears to be frustrated, to the elderly lady who is in town to visit her grandchildren. There is a fine line between helping a guest and assisting a potential hacker with an ulterior motive. The hospitality industry by its nature is service oriented to guests, but in most cases little is done to educate staff on how to prevent compromising the integrity of data networks and the information contained therein.

Most hackers will tell you that it is much easier to trick someone into offering up a password that allows access into a network or system than to spend a tremendous amount of time and effort hacking into the system itself.

On a recent engagement, a colleague wanted to find out more information on the guest network and simply called down to the front desk to ask for assistance. He indicated that he had been struggling to gain access to the network and that he was a preferred VIP guest. He mentioned that the last time he stayed there they had provided him with a VIP code to get into the system and that he was wondering if they could provide him with this again. Because he acted very frustrated, the agent provided him with a VIP code that allowed him access to another network. While this action was great from a guest satisfaction standpoint, it allowed him to browse the administrative/operational network and glean a great deal of information on the system setup. Additionally, he did not have to pay for the improved service and there were no time stipulations on the length of stay. One can only presume that this password and access were hard-coded and that they could be used by the guest/hacker to gain access in the future.

Another technique used by hackers is to browse the various hotel networks using mobile devices. This can even be done by using a mobile phone while loitering in the lobby.

Many hackers will invent stories or scenarios to get people to divulge information or complete an action which will provide some or all of the necessary details to extract data or breach a network. The information can be used to establish credibility with other personnel and create the perception that the person is legitimate and that they have the necessary credentials to access a network or certain secure information. The details allow the hacker to impersonate coworkers, service providers or even police, which could lead to naive personnel offering up confidential information and network access.

Baiting is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim or employee to gain access to a network or retrieve information from the employee’s computer workstation.

At HITEC 2012, hacker Josh Klein used an example where he strategically placed USB flash drives in an employee parking lot knowing that a few of the employees would pick them up, and based on their curiosity, would plug them into their workstations. Upon doing this, it would immediately install malware giving the hacker access to the workstation and in many cases the network.

Another example includes targeting an employee and sending a digital device such as an audio player under the auspices that he or she has won a drawing at a recent conference. The employee plugs in the device and unknowingly loads the malware. The malware can also load onto every computer on this network.

Quid pro quo
Under this type of attack, the hacker will contact random numbers or people at the hotel or company and claim to be a call back for a technical support request. As everyone knows, personnel always have technical support problems, and even if they don’t report them, if someone calls they will usually try to engage them in a user question or some issue that they are having with their system. Eventually the hacker will hit someone with a legitimate problem, and while the hacker may help to solve the problem, they will also have the user provide them with access passwords or type certain commands that allow the hacker to launch or access malware.

There is a tendency to forget that data security attacks often compromise active email addresses, which can lead to further phishing or sophisticated targeted attacks. Phishing is where the perpetrator sends an email that appears to be legitimate, requesting that the person verify information, and usually has direct links to a fraudulent website that looks or appears to be legitimate. The form then asks the respondent to complete an informational profile complete with PIN numbers.

Tailgating is one that seems so easy that no one really pays much attention to it. Simply put, the hacker follows someone into a restricted area and, given the social customs, authorized personnel will either hold the door open for them or ask them if they can assist. Within a hotel or company, a hacker could pose as a phone company technician and follow a network administrator into the main data center. If questioned, the person can indicate that he received a call for service or state that he thought this was where the equipment was located. In either instance, the person’s authorization is rarely questioned.

At HITEC, Klein also highlighted tailgating. In his example he was seeking to gain entry into a restricted area through the use of an electronic RFID security key. He wired his jeans with an RFID transponder that read the RFID cards of the personnel that passed close by him. He also placed the equipment over a door frame where personnel were required to pass. In both cases Klein obtained exact duplicates of the RFID employee cards.

Wi-Fi Networks
There are many articles on the potential risks of guests using public Wi-Fi networks in hotels. With the tools for scanning networks being readily available on the Internet, perpetrators can simply sit in the comfort of the lobby or their hotel rooms and monitor the open networks in the hotel. Many travelers access sensitive or restricted networks via their mobile devices and are unaware that they are being monitored. Guests are used to using Wi-Fi and think that just because they can’t see the other people on the network, they are in a safe environment for logging onto bank sites and other restricted websites.

The Human Resource Issue
While most data security specialists are focused on the network and IT-related concerns, most hoteliers pay little or no attention to one of the most important departments in the fight to secure information – the HR department. From PCI compliance to policies on the use of personal devices to access company data, most hotels and companies have limited interaction between the IT and HR departments as far as the enforcement of data security is concerned. In fact, if the HR department worked closely with the IT department, a majority of data breaches could be avoided.

Policies and Procedures
Good security starts with the development and enforcement of policies and procedures. One of the key mistakes made in regards to PCI compliance and overall data security is the lack of effort and focus on effective training programs for employees. Very few organizations take the time to educate their staff on the importance of securing both their company and guests’ information.

Hotels are required to develop and implement PCI compliance policies as part of their overall efforts to become compliant and maintain compliance. However, few organizations take this to the level of modifying their overall employee handbooks and determining effective enforcement policies (including termination) for those staff members who are caught breaching set policies and procedures. Given the importance of data security, specific policies need to be generated in conjunction with the IT department. By including IT in the overall process, hotels will be in a better position to effectively educate their staff on the specific requirements for ensuring the safety of data.

Some of the areas that require focus include integration of policies and procedures with the IT department. The IT department is involved with all facets of the business and it only makes sense that it be included in the day-to-day onboarding and disembarkment of employees. From setting up and managing email addresses and user access to the removal of access upon the employee’s departure, IT needs to apprise HR of any potential threats to the security of the organization’s data. How many times have you heard of sales personnel taking their Rolodex of contacts and working documents (including sample contracts) with them when they leave a company? When an employee is hired, it is expected practice for him or her to bring contacts to the next position with the promise of securing clientele from previous business dealings. But this information belongs to the hotel or business entity where the business took place, and taking it is a violation of most policies and procedures, not to mention detrimental to the overall business, especially if the staff member is going to a competing property.

Security Awareness Training
While this topic is covered in greater detail under a separate article in this edition, it bears mentioning as few entities provide effective IT policies and procedures training to their staff. Employees are typically the first line of defense in the war of securing data. Specific and targeted training should be provided to all employees when they join the organization. Everything from how to open and transmit emails in a secure manner to responsible use of the Internet should be covered and addressed in the initial training. Specific user training should also be provided for all positions where staff can be exposed to sensitive and potentially harmful company and guest data. Refresher training should also be conducted on a periodic and regularly scheduled basis to ensure that employees are kept up to speed on new security information and techniques for preventing breaches as this becomes available. An example of this may be the policies and procedures for operating both personal and company-owned mobile devices. With new features and applications becoming readily available, hotels must maintain tight controls on new devices and operational capabilities.

Hotels often overlook this training as it is expensive and time consuming, takes personnel away from their regular jobs, and is particularly difficult when operating with limited staff. The other challenge is that many hotels have downsized or eliminated their IT staff, and as such, this becomes very difficult from a scheduling perspective with the IT resource becoming the so-called bottleneck for facilitating the training.

On a recent engagement, employee reactions were tested when we deliberately took pictures of the iPad® device that was located at the check-in counter right in front of the desk agent. Opening the settings icon, we quickly navigated to the IP configuration settings of the iPad and took pictures of the settings with a camera. At no time did the agent intervene, prevent or discourage us from doing this. While this is obviously something that we should not have been doing, the desk agent was not prepared to address the situation.

Policies and Procedures
While hotels and organizations may have comprehensive data security policies and procedures in place, often they are not enforced or they are enforced inconsistently. If these policies are not enforced, the organization is sending a message to employees that this is not that important and that employees don’t need to take it seriously. Effective documentation of policy breaches must be enforced, and in some cases, terminations should be made to ensure that the data is protected. It is especially important for organizations to have direct support from senior management in order for these policies to be effective.

While many of the policies and standards are on file, they may not appear to have been implemented operationally and this hinders HR departments from effectively holding employees accountable. Further, policies should be linked to HR repercussions for known breaches of the policies and procedures. Unless this is conveyed to employees in an effective and constructive manner, the policies will prove difficult to enforce and are simply words on paper.

Two of the key data security items upon which to educate employees are: the implementation of an effective password policy that is enforced across the entire operation, and addressing the potential for malicious internal users and making employees aware of enforcement measures.

Data Retention Policies and Procedures
Most organizations either do not have a specific data retention policy or simply fail to enforce it. In many cases there is a policy to retain all information if there is uncertainty of what to retain or what can be destroyed. One of the key methods for protecting PII and other sensitive information is to implement an effective data retention policy. The two areas upon which to focus attention are data destruction and data retention.

Data Destruction
An effective data destruction policy includes the secure and documented destruction of information where there is no longer an established business need for it. Essential aspects to these policies include but are not limited to:

  • The establishment of an official time length for the storage of data and information, and the maintenance of a vigorous policy of controlled and recorded destruction of this data and documentation. It is important to delete data that has exceeded its required retention period.
  • The destruction of all Social Security numbers (SSN), if there isn’t a legitimate business need for their retention.
  • Maintain a policy of documenting the shredding or otherwise destroying of any hardcopy documentation before disposing of it.

Data Retention
While the destruction of hardcopy information and data may follow relatively straightforward procedures, the retention of data may present a more complex operation. Policies and procedures for the effective and secure storage of information must be well thought out and controlled. The following are some suggestions for the effective retention of sensitive data:

  • Truncate or encrypt all PII information that you must retain whenever possible.
  • Protect all intact PII that you must retain, whether it is on a work computer or personal device.
  • Use data encryption for both storage and transmission where at all possible to reduce the risks associated with storing PII.
  • Restrict access to this data and allow only authorized users access to this information.
  • Send passwords and restricted data securely.
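
One way the destruction and retention points above can be automated, as an added example that is not part of the original article: records past a retention period are destroyed with a logged entry that carries no PII, and SSNs on retained records are truncated to their last four digits. The record layout, the field names, the two-year period and the sample values are all assumptions made for illustration.

```python
"""Retention sweep over guest records (added example; schema is hypothetical)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy: keep a record for two years after checkout.
RETENTION = timedelta(days=730)


@dataclass(frozen=True)
class GuestRecord:
    record_id: str
    name: str
    ssn: Optional[str]
    checkout: date
    business_need: bool = False  # documented reason to keep past retention


def truncate_ssn(ssn: Optional[str]) -> Optional[str]:
    """Keep only the last four digits of an SSN.

    A value that does not contain exactly nine digits is masked completely,
    so a mistyped or partial number is never copied into the retained set.
    """
    if ssn is None:
        return None
    digits = [c for c in ssn if c.isdigit()]
    if len(digits) != 9:
        return "***-**-****"
    return "***-**-" + "".join(digits[-4:])


def sweep(records: List[GuestRecord],
          today: date) -> Tuple[List[GuestRecord], List[Dict[str, str]]]:
    """Apply the retention policy and return (retained, destruction_log).

    Expired records without a business need are dropped and logged.
    The log holds only the record id and dates, never the destroyed PII.
    Everything that stays is stored with its SSN truncated.
    """
    retained: List[GuestRecord] = []
    log: List[Dict[str, str]] = []
    for rec in records:
        expired = (today - rec.checkout) > RETENTION
        if expired and not rec.business_need:
            log.append({
                "record_id": rec.record_id,
                "checkout": rec.checkout.isoformat(),
                "destroyed_on": today.isoformat(),
                "reason": "retention period exceeded",
            })
            continue
        retained.append(replace(rec, ssn=truncate_ssn(rec.ssn)))
    return retained, log


# Constructed sample data; names and numbers are made up.
SAMPLE = [
    GuestRecord("G-1001", "A. Example", "123-45-6789", date(2010, 9, 30)),
    GuestRecord("G-1002", "B. Example", "987-65-4321", date(2012, 8, 15)),
    GuestRecord("G-1003", "C. Example", "12345", date(2009, 1, 10),
                business_need=True),
    GuestRecord("G-1004", "D. Example", None, date(2012, 9, 1)),
]

if __name__ == "__main__":
    kept, destroyed = sweep(SAMPLE, date(2012, 10, 1))
    for rec in kept:
        print("kept     ", rec.record_id, rec.ssn)
    for entry in destroyed:
        print("destroyed", entry["record_id"], entry["reason"])
```

Truncation is shown because it needs no key management; where the full value must be kept, the article's advice is to encrypt it and restrict access instead.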

It is recommended that entities use the services of an official document destruction company to assist with official document shredding and destruction. A proper data classification policy and procedure combined with an enforced data retention policy are essential.

Legal Considerations
Currently, a big loophole exists regarding vague contractual verbiage between entities responsible for the interaction and transmission of sensitive data. This affects not only management companies, hotel brands and other ownership relationships, but also those between hotels and third-party vendors or solution providers.

Given the relationship between an owner and a brand or management company, which basically dictates the IT systems and equipment that is deployed at their branded or managed hotels, how many of the agreements address PCI compliance and data security, and who bears the responsibility in the event of a breach? Most agreements were established many years ago and have not been updated. The incentive for updating these agreements is not there and many owners are not aware of the potential threats associated with data security as the issue was not as prevalent when the original agreements were signed. That stated, how many of the new agreements address the issue and problems? While no entity starts out disregarding compliance and security requirements, the issues are real and addressing them is costly and complex.

While many organizations are aware of the deficiencies of the current brand/management contracts, they are not aware of another critical area of exposure, namely the third-party applications and solution providers. Most hotels use third-party entities for everything from applications to networks, and most of these agreements do not address these complex issues.

On a recent engagement, a company encountered a rogue network engineer who, unbeknownst to the hotel, had a dispute with the third-party networking provider. The systems engineer caused major disruptions and outages to the network that disrupted the operations and resulted in a strained relationship between the provider and the hotel. The engineer went so far as to lock everyone out of the core switches, which ultimately resulted in the network needing to be re-engineered. While the situation was rectified, the potential for further disruption and compromise was extremely dangerous and highlighted how many organizations entrust their networks to third parties without prequalifying these resources. As such, they spend large amounts of money securing applications but then in essence hand the keys to the Ferrari to a teenage kid to take for a spin. What kind of contractual documents are in place from all of the entities' service providers to protect the entity from potential breaches from third-party solution providers and their subcontractors? In most cases the detail on the contracts is extremely limited and barely addresses the service-level agreements (SLAs) that are required to support the system.

IT personnel must pay closer attention to the contractual documentation of each agreement to ensure that it addresses any PCI or data security-related concerns that may arise. It is also recommended that entities ensure the contracts are reviewed from a legal perspective and the legal counsel interacts with IT personnel to ensure all of the technical requirements pertaining to the contract are met. Particular attention needs to be paid to the following types of contracts: management agreements, brand agreements, application provider agreements, IT vendor and support agreements and third-party solution provider agreements. Place emphasis on subcontractor relationships and ensure they are governed and held accountable to the same terms as the original parties to the agreement. In effect the primary contractual party is responsible for all subcontractor actions.

Breaches of Third-party Solutions Partners
Trustwave recently issued its 2012 Global Security Report which indicated that in 76 percent of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies. This is a significant indication of just how important it is to partner with a third party that is truly a partner and is vigilant about maintaining data security as one of its primary focuses.

Some data breaches may occur outside of the control of the hotel entity or company. For example, many hotels outsource their electronic marketing to third-party providers. In the past year, some of the larger electronic marketing companies have had their systems breached and sensitive guest data has been compromised. In these cases the fallout from the breaches can be significant and damaging to the goodwill and name of the hotel, brand or company. In these instances, one has to determine how secure the systems and data are with these third-party providers and what the contractual terms are between the parties in the event of a breach.

Physical Security
Physical security is an often overlooked aspect of data security. Many breaches can be and are initiated from within the organization. Breaches may not be driven by the hope of financial gain but may take the form of a disgruntled employee or service provider intent on causing malicious and unrecoverable damage.

It’s hard to address physical security concerns without addressing one of the lead stories from this past summer – namely the highly publicized breach of electronic door locking systems. While the issues are being addressed, it’s important to note the exposure of hacking these locks and its impact on the overall security of the hotel. It raises a larger issue: how access to restricted areas is monitored and controlled.

With regard to actual data security, the primary area of concern is usually focused on the main data center located at the property or at a corporate, hosted facility. For most hotels, their systems are still premise-based and are located on property in the main distribution frame (MDF) of the hotel. In most cases the systems are co-located with the primary voice and video systems for the building or property. The main data center is required to be secured as part of compliance requirements, and in many cases this is facilitated via the same door locking system that is in place throughout the property. As such, when the guestroom electronic door locking system was breached by the hacker, what was not mentioned was the bigger impact of access to the data systems themselves. While the focus of the breach was on guestroom security (a valid concern – although an unlikely target from a practicality standpoint), the bigger concern may be directed to securing the data center where a perpetrator may be able to strategically gain access to the servers, or worse yet, a disgruntled employee may wreak havoc on the devices themselves.

Hotels typically label their servers with specific application names, and in many cases, IP addresses to assist personnel with managing the environment. IT may feel that this is appropriate and efficient given that there may be a change in personnel supporting the systems and a belief that these rooms are secure. However, in the wrong hands this information could prove to be detrimental to the organization. Not only can the local area network (LAN) be exposed but also the wide-area network (WAN) connected to the hotel. These include ownership, brand, management companies, solution providers and other hotels within the same network.

While smaller entities usually control access to the data center via a door lock of some kind, larger properties or corporate data centers usually secure their rooms with the use of man traps. For those not familiar with man traps, a man trap is a way to limit physical access into the room and prevent tailgating of unauthorized personnel into the facility.

Additionally, many rooms use cameras to monitor access to the rooms and in some cases within the rooms themselves. With many third-party vendors and solution providers requiring access to the rooms, it’s important to monitor and control what is taking place in these sensitive areas.

Security Systems and Surveillance Cameras
Many hotels now have CCTV or camera systems monitoring various control and access locations through the hotel and property. In many cases these cameras are either capturing dead air or are not actively being monitored. While many systems are accessible via IP networks, it’s imperative that access to this material be controlled at the highest level. With upscale hotels capturing images of high profile guests, these images can be sold for large sums of money to the discredit of the hotel and lead to potential negative exposure both from a legal perspective as well as from a publicity standpoint. As such, access to this footage needs to be restricted and only made available to the appropriate authorities when required.

It is also important that the system is redundant in case of a failure and that the backup footage is made part of the overall disaster recovery and redundancy plan.

Physical security also pertains to limiting access to sensitive hardcopy data. Hotels should have policies in place to limit access to those areas of the property where sensitive hardcopy information is stored. 

For example, the issue of employee badges is another area of concern. Some properties are moving away from employees wearing identification badges when operating in the back of the house and other areas as they don’t like to have the guests see these badges. While they may not work from an appearance standpoint, the issue then becomes how personnel can be identified and distinguished in larger properties where staff transitions happen regularly. Access to the administrative and back-of-the-house areas should be tightly controlled and policies implemented to ensure that this takes place.

Still another concern is that of systems and rooms accessed by vendors and solution partners. Where feasible the following security measures should be in place:
  • Vendor and other visitor badges must be reviewed regularly and controlled.
  • Vendors should always be escorted on premise to sensitive locations.
  • Access to critical locations should be online and electronic access keys should be strictly controlled and provided for limited timeframes. Areas should be re-keyed to maintain the integrity of the areas concerned.
  • Effective vendor access policies and procedures need to be created and implemented.
  • Where possible, establish time rules for vendor access and set time limits that can be enforced or monitored.
  • Implement a vendor access list and release forms for personnel to clock in and out to monitor activity while onsite.

Regulatory Considerations and IT Governance
A newly developed position of IT regulation and governance is emerging in many hotel organizations. Hotels and resorts interact with guests and clientele both domestically and internationally, and this role is extremely important to ensure that the organization is compliant with all requirements. Of particular importance from an international standpoint is the EU Data Protection Directive. This governs the transfer of personal data to third-party countries, referring to countries outside the European Union. Personal data may only be transferred to third-party countries if that country provides an adequate level of protection. Organizations may therefore need to protect the transfer of information from these countries and afford the same protection requirements to the persons that they are doing business with as they are afforded in their own countries.

While PCI compliance has been the main focus of the industry over the past few years, the issue of overall data security is going to be the focus of the future. Until recently the biggest impact has been that a guest may be inconvenienced by having to replace his or her credit cards. While this may have had a negative impact on the guest’s overall image of the hotel or resort, this hasn’t really had a major impact on their overall lives. That will potentially change if and when their personal and private information is compromised. Should this happen, it could potentially lead to identity theft and that could be life altering. With more and more companies and hotels focused on capturing guests' personal information and preferences for targeted marketing of services and products, the greater risk is that this information will be compromised and will ultimately have a major impact on both the hotels and guests. The bad guys are more sophisticated in their attacks and target victims with greater precision. The industry must be vigilant in the way it conducts business to stay ahead of the curve, as this is certain to become a scenario of when, rather than if an organization will be compromised.

Jeremy Rock is the president of RockIT Group, a technology consulting firm specializing in new development and refurbishment projects. He can be reached at jrock@rockitgroup.com.

©2012 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.


Industry Examples: Reported Breaches
The annual reports from the various PCI Security Council certified forensic firms are out, and as predicted, the restaurant and hotel industries feature prominently in the statistics related to breaches and targeted industries. However, what has not been focused on are the third-party application and system providers who service the industries. While most news reports have focused on hotels or hotel companies breached, there has been little or no press on the third-party solution providers who service hotels. While most third-party solution providers have not suffered breaches to date, here are some notable exceptions.

In December of 2011 there was a report of iBahn suffering a breach. Bloomberg reported that a skilled group of hackers based in China, which U.S. investigators have called ‘Byzantine Foothold,’ attacked iBahn. The alleged breach “may have let hackers see millions of confidential emails, even encrypted ones” from executives staying in hotels using iBahn’s network, Bloomberg reported. This was denied by iBahn.

In a written statement, iBahn said it was aware of the allegations in the news report but it had not found proof of any breach on the iBahn network. While iBahn’s network may not have been breached, the idea that hackers may be targeting hotel Internet access networks is cause for concern and suggests the steps that hotels must take to ensure that these networks are secure and separated from operational/administrative networks.

Epsilon is reportedly one of the world’s largest email marketing services companies, based in the United States, with over 2,500 clients including seven of the Fortune 10, sending over 40 billion emails annually, according to Security Week. In April 2011, there was a data breach at Epsilon which affected a number of hotel chains including Hilton, Ritz-Carlton and Marriott. The announcement, which was reported by Security Week and others, stated that the breach specifically affected information associated with the Marriott Rewards, Ritz-Carlton Rewards and Hilton electronic marketing programs. Subsequent reports revealed that the information that was compromised was limited to email addresses and possibly names. While this may not represent a serious compromise, the fact that it happened at all should be a concern. Email addresses in the wrong hands can be dangerous, as they can likely lead to phishing scams and additional personal information being compromised.

In April 2012, Choice Hotels reportedly notified the appropriate state agencies in both California and New Hampshire of a data breach affecting residents in those states. Choice Hotels submitted a breach letter (posted on the state agency’s website) explaining that sensitive customer information, which included credit card numbers, drivers’ license numbers, passport numbers, Social Security numbers or a combination of these, was not entered into encrypted fields in the database of the reservation systems. As a result, the sensitive data wasn’t protected (or encrypted), and was passed along to the company’s marketing partners where it was inadvertently printed on marketing envelopes mailed to customers. Choice Hotels claimed that less than 0.001 percent of guest stays were affected. The breach was discovered in December 2011, and the company immediately stopped using the database for marketing purposes.
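The failure described above, sensitive values sitting in unencrypted fields and flowing into a marketing extract, can be caught with a screen on the extract before it leaves the company. The following Python check is an added illustration, not code from the article or from any hotel system; the field names and sample rows are constructed, and it assumes only two patterns are of interest: card numbers (validated with the Luhn checksum) and Social Security numbers written in the 3-2-4 dash layout.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in the common 3-2-4 dash layout (assumed format).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out booking or loyalty numbers that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return the kinds of sensitive data found in one field value."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            kinds.add("card")
    return kinds

def screen_export(rows):
    """Split rows into (clean, held); held entries name the offending fields."""
    clean, held = [], []
    for row in rows:
        hits = {}
        for field, value in row.items():
            kinds = find_sensitive(str(value))
            if kinds:
                hits[field] = sorted(kinds)
        if hits:
            held.append((row["guest_id"], hits))  # never log the value itself
        else:
            clean.append(row)
    return clean, held

SAMPLE_ROWS = [  # constructed data, not from any real system
    {"guest_id": "G-1001", "name": "A. Guest", "address2": "Suite 4", "notes": "late checkout"},
    {"guest_id": "G-1002", "name": "B. Guest", "address2": "VISA 4111 1111 1111 1111", "notes": ""},
    {"guest_id": "G-1003", "name": "C. Guest", "address2": "", "notes": "ID: SSN 000-12-3456"},
    {"guest_id": "G-1004", "name": "D. Guest", "address2": "", "notes": "conf 1234 5678 9012 3456"},
]

if __name__ == "__main__":
    clean, held = screen_export(SAMPLE_ROWS)
    print(len(clean), "rows released;", held)
```

Held rows are reported by guest ID and field name only, so the screening log does not become a second copy of the data it is meant to protect.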

The bottom line is that while most companies' and hotels' data security strategies revolve around the systems and data storage that they control, additional focus needs to be placed on third-party solution providers, who in many cases have access to or control guest and company data that also has the potential to be compromised. It is important to note that while these companies may suffer the breach, it is the hotel or hotel company that is most damaged by the fallout that follows these incidents.

Bring Your Own Device (BYOD)
BYOD is part of the new data security challenge as more employees and associates are running applications or accessing corporate or hotel administrative networks on their own personal phones and devices. It is not only a question of providing a secure environment for these devices, but it also raises the challenge of how IT controls or removes these applications and access once an employee is no longer with the organization. Corporate and company policies must be developed to address the problem and ensure that the security and integrity of company data is maintained.

The other issue is that most IT apps are built for standardized platforms; BYOD is inherently non-standardized, and unless standards for the deployment and use of applications and access for these devices are established, they will represent a security threat to the network and the data they can access.

Below are some of the challenges associated with BYOD.

How do you manage devices in the enterprise? With limited access to these personal devices, it is difficult to manage their operating systems and security protocols. Everyone has access to email and it is difficult to enforce data security policies on a device that is not owned by the company. If a person decides to leave the company you cannot, for example, wipe the device.

How do you support the device? There are no standardized protocols and each device and firmware is different. The cost of supporting these devices goes up as the IT department has to work with and troubleshoot devices that they are unfamiliar with or have to work with a third-party provider to resolve communication and connectivity issues, not to mention compatibility concerns.

It is difficult to prevent the loading of applications and sensitive data on devices. Once employees have access to applications and company-owned data it is difficult to prevent the data from being compromised.

It is often difficult to implement security protocols on personal devices that are not equipped to handle the company-sponsored security initiatives.

Personnel will typically load applications and access personal information on these devices. As such, it’s difficult to ensure the integrity of the devices and the information that is being accessed not only by the employee but also potentially family members and friends.

The biggest concern remains how a company accesses and retrieves this information when the employee leaves a company.

Suggestions for managing BYOD:

  • Enforce a complex passcode with history, expiration and grace periods, and ensure that employees implement and follow strict password policies and procedures for their own devices.
  • Require users to enable hardware-based encryption by turning on data protection where feasible on the device.
  • Restrict applications such as Siri, camera, Safari and other apps, as well as functionality, on Apple devices.
  • Define browser settings, whitelist/blacklist sites and kiosk modes.
  • Detect compromised (jailbroken) devices and protect corporate assets where possible.
  • Set up compliance rules and actions if users download unauthorized apps.

Security Quiz

Test your knowledge. Answers are found below.
Data Security Quiz
1. By implementing tokenization and/or data encryption, my systems will be secured and our hotel won’t be at risk as the data will either reside offsite or won’t be decipherable.
a. True  b. False

2. By outsourcing my applications and systems to a third party or a cloud provider, my hotel will be protected from the ramifications of a potential data breach.
a. True  b. False

3. The scope of a data security assessment may be reduced by implementing proper segmentation in an effort to protect personally identifiable information (PII) data.
a. True  b. False

4. Which password is the strongest?
a. Snoopy
b. Lucy51
c. CharlesMSchultz
d. Mydog&isnamedSnoopy

The Smartphone Security Quiz
1. How many smartphone units were active in the United States in 2011?
a. 2 Million
b. 20.6 Million
c. 192.4 Million
d. 111.5 Million

2. What percentage of smartphones employ antivirus protection?
a. 1 percent
b. 99 percent
c. 20 percent
d. 0 percent

3. How many users did Android™ malware infect last year?
a. 20,000
b. 250,000
c. 2.5 Million
d. 20 Million

4. What was the percentage increase of smartphone malware cases in the first quarter of 2012 over 2011?
a. 389 percent
b. 967 percent
c. 1,200 percent
d. 156 percent

5. Drive-by hacking is a type of security breach that occurs most commonly on what device?
a. A mobile device
b. A server
c. A desktop computer
d. A firewall

Security Quiz answer key:

Data Security Quiz: 1) F, 2) F, 3) T and 4) D.
Answers explained:
Question 1: False – While tokenization and data encryption are highly recommended as part of an overall data security initiative, a complete data security strategy still needs to include other elements such as secure firewalls, network segmentation, file and intrusion detection, among other key factors.
Question 2: False – While the idea of cloud-based applications and solutions is appealing, there are still other security considerations that need to be addressed, including remote access and ensuring the correct policies and procedures. Cloud-based solutions still need to be evaluated by the various security governing entities and there is still a risk that their systems could be breached.
Question 3: True – Segmentation is one of the key recommendations when implementing an effective data security strategy.
Question 4: Option D is the strongest – Passwords should be greater than six characters and use upper/lower case and special characters (e.g., &^%$#@!{}). This is the strongest because it has a combination of a very long password, upper/lower case and special characters. Phrases are also easier to remember, but harder to crack. However, keep in mind that in many UNIX systems passwords are a maximum of eight characters. For example, if you use the password abnormal1, the system will drop or ignore the last character. In addition, using a digit before or after a word is insecure.

The Smartphone Security Quiz: 1) D, 2) C, 3) B, 4) C and 5) A.
Answers explained:
Question 1: 111.5 million – and growing!
Question 2: 20 percent – With more and more people using smartphones to access secure networks this is a problem.
Question 3: 250,000 – With Android gaining fast market traction this is something that will need to be addressed.
Question 4: 1,200 percent.
Question 5: Drive-by hacking most often occurs when a user connects to a public network that isn’t properly secured. As such this usually involves mobile devices such as laptops, tablet devices and smartphones.
