Tech Talk

Recent posts

A great deal has been written over the years about the viability of moving a hotel’s property-management system (PMS) to the cloud to take advantage of the latest technologies, but hoteliers need to realize that it’s not the only viable option. All platforms have advantages, including self-hosted, private cloud and on-premise solutions that leverage the latest mobile, contact free and web-based technologies. Independent operators can still enhance the digital guest experience, support personalized and mobile check-in, deploy contact free technologies, and secure hotel/guest data even if their PMS does not reside in the cloud. It should not be a question of “Cloud or On Premise?” but rather “Does the PMS solve your business objectives in both technology and service?”

Much has been written in the mainstream hospitality press about the challenges COVID-19 has presented to the industry. Hotels are in more pain than at any time in our memories. Because of the extensive media coverage, I won’t dwell on this topic further in what is primarily a technology column. But it’s the background for this week’s column, and so merits acknowledgement.

Are You All In?
Posted: 07/27/2020

Imagine everyone in your organization engaged, aligned, and performing to their potential. Imagine everyone playing “All In.”

Great organizations have synergy. Their culture allows them to play to a rhythm at a different tempo than the average organization. How do you get that at your organization?

Many front-line hospitality workers rely on tips for a significant part of their paychecks. If not for tips, many hotel associates who serve as waitstaff, bartenders, housekeepers, bell staff, concierges and pool attendants would soon be looking for other jobs. This is a regional issue: in most of Asia and Europe, staff get higher base pay, and tips are either not expected at all, or are truly discretionary. But in the U.S., Canada, Britain and other countries, tips are an important reality, and one that’s not likely to change anytime soon.

As somebody who’s helped to grow a company from 13 people to nearly a thousand, I know very well the excitement that comes with having a mindset focused entirely on growth. Every newly acquired customer, every new office and every milestone means the gap between you and your nearest competitor is that much bigger and that much harder to overtake.

want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.


Verizon's 10th Annual Data Breach Investigations Report Details the Changing Cyber Threat Landscape

by Ron Hardin

In the 2017 Data Breach Investigations Report (DBIR) just released, Verizon presents a detailed picture of the nature of cybercrime in the past year. Now in its 10th year, the DBIR provides analytical insight on information from 65 organizations encompassing 42,068 incidents and 1,935 breaches from 84 countries. The key takeaways are troubling, if not necessarily surprising:

  • Cyberespionage – driven by state-sponsored, corporate or organized-crime actors – is on the rise; now 21% of all cases analyzed, primarily targeting manufacturing, public sector and education organizations.
  • Ransomware attacks have doubled from previous year – now the 5th most common malware category, up from 22nd in 2014. Ransomware is now categorized as a “prevalent” type of malware.
  • People remain the soft target in the threat landscape. E-mail phishing is still the “go-to technique” for hackers, linked to 95% of malware installations on user computers. 43% of all data breaches used phishing.
  • Pretexting is on the rise. In this technique, the bad guys use fake e-mails or phone calls, usually targeting finance and accounting employees, attempting to trick them into wiring money, paying fake invoices or providing sensitive information such as employee W-2 data.
  • Smaller organizations are more likely to be targets: businesses with fewer than 1,000 employees were victims in 61% of the breaches analyzed.
  • Organizations are still struggling with the most basic security process – changing and protecting passwords. 81% of all breaches leveraged weak, default, or stolen passwords.

This year’s Verizon report makes the statistical analysis of breach data more actionable for businesses by providing key insights by industry segment, including the Accommodations segment (lodging and restaurants). The good news is that the hospitality industry is no longer the primary target for data thieves: Accommodations and Retail combined represent only 15% of all breaches. Top honors this year go to the Financial segment, with 24% of breaches affecting financial organizations.

The bad news for hospitality operators?

The vast majority of breaches still involve theft of cardholder data from POS systems, and time-to-detection is still measured in months. The report states, “The hospitality industry continues to be inhospitable, at least when it comes to POS breaches, which continue to be as ubiquitous and unsatisfying as the continental breakfast. While hotels likely come to mind first, restaurants also fall into this industry and comprise the majority of the victim population. Often food service victims are smaller businesses without IT departments, CISOs etc., but they do accept payment cards and are therefore a target for opportunistic attack.”

Of the 206 hospitality breaches analyzed, 87% involved POS systems, and all of those breaches utilized either malware, hacking, or both. Threat actors were almost all (96%) external players, usually criminal organizations. The truly depressing statistic is breach timelines. Verizon quotes The Eagles on this point, from the song Hotel California: “You can check out any time you like, but you can never leave.” On average, time-to-compromise is measured in seconds, time-to-exfiltrate – get stolen data out – is days, but times to discovery and containment are still measured in months. Detection of breaches in hospitality rarely occurs from internal security: 85% were detected by external fraud investigations, followed by 4% from law enforcement.

So, what should organizations be doing?

Clearly, many hospitality operators need a more effective information security plan (see article in the Spring 2017 edition of Hospitality Upgrade: Information Security: We’re Doing It Wrong). The Verizon DBIR highlights several recommendations that should be part of your plan for improving security:

  • Implement better anti-malware defenses. Malware was involved in 94% of breaches in hospitality.
  • Manage passwords. Don’t use default or easy-to-guess passwords. Don’t use the same password for multiple resources. Don’t share passwords. Don’t allow passwords to go unchanged for long periods.
  • Fortify remote access, particularly to POS systems. Only allow connections from known sources, and use multi-factor authentication for access, which combines something you know (i.e., user id & password) with something you have, like a cell phone, or something you are, like a fingerprint.
  • Patch promptly and consistently. Everything requires maintenance, and computer software is no different. Not keeping server and terminal software updated leaves exposed vulnerabilities that the bad guys can leverage in an attack.
  • Train your users in security awareness. Teach them about phishing, pretexting, and other social-engineering attacks. Encourage them to report anything out of the ordinary. Verizon points out that even a change in system performance or unusual error messages could be an indicator of compromise.
  • Know what you’re dealing with. Research the threat environment by reading the Verizon DBIR, the associated Verizon Data Breach Digests, and other security publications. The bad guys are studying you – you should be studying them, too.
About The Author
Ron Hardin

Ron Hardin is an independent technology consultant. He can be reached at

Blog post currently doesn't have any comments.
Leave comment

 Security code