Most hotels are riddled with security gaps. But I’m a glass-half-full kinda guy, and the good news is that the issues plaguing the industry are also simple to fix.

The following palm-to-the-forehead scenarios are actual examples of what I’ve personally witnessed while conducting security audits onsite around the world. Hopefully you can take these face-palm events and turn them into fist pumps of security-inspired success.

Password123? Sure, that seems secure.
When those geeky (albeit somewhat intelligent) IT guys come to install your point-of-sale (POS) terminal, property management software or router, they usually leave the vendor’s default password in place… and then they leave.

Indeed, Merriam-Webster’s definition of default is, “a selection made usually automatically or without active consideration.” Hear that? Without active consideration! Guess who else knows the default password for every piece of software or hardware out there? Google. Vendor manuals publish them, hobbyists compile them into lists, and automated scanning tools try them against anything reachable. The default password to your POS system is online, right now, merely a Google search away.

In a forensic investigation that my colleague conducted, 28 separately owned restaurants were hacked because one careless POS installer accidentally saved his client list in the POS installation files. How did this hackfest begin? It all started with one POS system’s unchanged default password, easily guessable by hackers everywhere.

This brings up a huge grey area in hospitality: the unclear delegation of security obligations between franchisors and franchisees. Often, the franchisor (or a franchisor-appointed third party) makes the decisions (including password decisions) and the franchisee follows… blindly.

Here’s the problem with franchisor-controlled security. You are responsible for security. You are responsible for Payment Card Industry Data Security Standard (PCI DSS) compliance. You are responsible when your franchisor-appointed third party sets a default password and you forget to change it. It’s you who is liable in the event of a breach. No franchisor or IT guru in the history of ever will pick up that tab.

If this sounds familiar, it’s time to have a long conversation with your franchisor, and to get the outcome in writing. The PCI DSS (Requirement 12.8) expects you to keep a written agreement with every service provider that handles card data on your behalf, plus a record of which requirements each provider manages for you. If the franchisor’s installer owns the passwords, that document should say so, along with who changes them and when.

A binder chock-full of credit cards just for me? You shouldn’t have.
Raise your hand if you keep a binder full of scanned credit card images somewhere behind the front desk for easy reservation access. If you do, take that raised hand and smack your forehead. Do you realize it only takes one patron, disgruntled employee or stranger to casually slip that convenient binder under his trench coat and walk out the door with thousands of credit cards, free of charge?

As per the PCI DSS, you aren’t supposed to store sensitive information (like payment card data) out in the open. A scanned card image is worse than a stray card number: it captures the full account number, the expiry date and usually the security code on the back, and the PCI DSS does not allow the security code to be stored at all once the transaction has been authorized. Case closed. It’s time to find a different way to store patron payment information, such as a tokenized card-on-file held by your payment processor rather than a copy of the card.

Now that we’ve covered physical storage of credit cards, did you know 63 percent of businesses store unencrypted credit cards on their business networks? In all likelihood, the card numbers your employees swipe are not adequately protected. The PCI DSS requires the primary account number to be rendered unreadable anywhere it is stored (strong encryption, truncation, tokens or one-way hashes), and unencrypted card data makes it easier for criminals to steal it and sell it on the black market for a huge profit.

How do you know if your organization is one of the 63 percent? Simple. Run a card data discovery tool (such as SecurityMetrics PANscan) against your network to find anything that resembles card data, securely delete it or move it into protected storage, and then fix whatever process put it there (a POS that logs full card numbers, receipts e-mailed to the office, a reservation spreadsheet). That process greatly decreases the damage a criminal can do if you are compromised.
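To show what a card data discovery tool is actually doing under the hood, here is a small scanner I have added to this post; it is an example, not code from SecurityMetrics or PANscan. It walks a directory, pulls out 13-to-19-digit runs (with optional spaces or dashes), keeps only those that pass the Luhn check digit and start with a major-brand prefix, and reports them masked (first six and last four digits) so the report itself never becomes another copy of card data. The sample files it writes into a temporary directory are constructed for the demonstration and use the brands’ published test card numbers; the directory layout and file names are assumptions.

```python
"""Minimal card-data discovery scanner (added example, not a vendor tool)."""
import os
import re
import tempfile
from typing import Iterator, List, Optional, Tuple

# A candidate PAN: 13 to 19 digits, optionally grouped by single spaces or dashes,
# and not glued to other digits on either side (so a 20-digit serial is skipped).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: doubles every second digit from the right, sums, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> Optional[str]:
    """Coarse issuer-prefix check for the major brands; None if it matches none."""
    two, four = int(pan[:2]), int(pan[:4])
    if pan.startswith("4") and len(pan) in (13, 16, 19):
        return "Visa"
    if len(pan) == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "Mastercard"
    if len(pan) == 15 and two in (34, 37):
        return "Amex"
    if len(pan) == 16 and (pan.startswith("6011") or two == 65):
        return "Discover"
    return None


def mask(pan: str) -> str:
    """PCI DSS display masking: at most first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (brand, masked_pan) for every Luhn-valid, brand-prefixed candidate."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = brand_of(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, mask(digits)))
    return hits


def scan_tree(root: str, max_bytes: int = 5_000_000) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, brand, masked_pan) for every hit under root.

    Files are read as bytes and decoded latin-1: every byte maps to one character,
    so binary files never raise and ASCII digits stay digits. (Caveat: UTF-16 text
    interleaves NUL bytes between digits and is not caught by this simple pass.)
    """
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            for brand, masked in find_pans(data.decode("latin-1")):
                yield path, brand, masked


# Constructed sample files: published test card numbers plus decoys that must
# NOT be reported (a 16-digit order id that fails Luhn, a phone number, timestamps).
SAMPLE_FILES = {
    "reservations.csv": "Smith,John,4111 1111 1111 1111,12/27\nDoe,Jane,5555-5555-5555-4444,03/26\n",
    "notes.txt": "guest paid with 378282246310005, wants late checkout\nticket 4111111111111112 is an order id\n",
    "pos.log": "2024-01-01 12:00:00 txn=6011111111111117 approved\nphone 555-123-4567\n",
}


def demo() -> List[Tuple[str, str, str]]:
    """Write the constructed samples to a temp dir, scan it, return sorted hits."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        return sorted((os.path.basename(p), b, m) for p, b, m in scan_tree(tmp))


if __name__ == "__main__":
    for filename, brand, masked in demo():
        print(f"{filename}: {brand} {masked}")
```

The two filters matter: digit runs alone produce a flood of order numbers and timestamps, while Luhn plus a brand prefix drops almost all of them (the order id in the sample is rejected by the check digit). Treat hits as leads, not proof; open each file, find the process that wrote it, and stop the leak at the source.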

Updates? Ain’t nobody got time for that!
When was the last time you updated your operating systems? Please don’t tell me you’re still using Windows XP… What about the last time you updated your POS software? Your Internet browser? Your apps? Your mobile devices?

When it comes to updates, it seems like every man, woman and child thinks, “Updates? Ugg! I don’t have time for that right now!”

Did you know security is the number one reason to keep updating to the latest version of any system software? Criminals search for new weaknesses every day, and once a vulnerability is public, anyone who hasn’t installed the fix is an easy target. The PCI DSS expects critical vendor security patches to be installed within a month of release, so “later” has a deadline.

Technically, problems that require hurried updates aren’t your fault. It’s the fault of the POS provider, the application creator or the software coder. But, if you don’t take the time to install the update they provided, you can (and will) be liable for your lazy updating practices that result in a data breach.

“That’ll be $460, sir. Now let’s print off your itinerary…”
You may have read this section in a recent Hospitality Upgrade blog post, but if I’ve said it once, I’ve said it a hundred times: don’t use front desk computers that browse the Internet to also accept credit card transactions. This is one of the worst security decisions a business could make.

What happens if an innocent employee, with no formal security training, clicks on a malicious link while browsing the Internet? That link can silently install malware onto the machine. Depending on the malware (memory-scraping POS malware is built for exactly this), every customer credit card transaction made on that computer, and perhaps on the entire local network, could be at risk.

The solution to the hotel front desk dilemma is simple. Segment. Dedicate one machine to take credit cards, and dedicate any others for customer service use. Put them on separate network segments with a firewall between them: the machine that takes cards should reach nothing but your payment processor (no general Internet browsing, no e-mail), and machines that have Internet access should have no route into the POS system at all. Separate switches or VLANs with no filtering rule between them are not segmentation.

Say a customer pays with a credit card on the dedicated machine while checking in, then asks about restaurants in the area. The front desk clerk would physically need to move to the other computer placed on a separate network segment used for Internet browsing. See? That wasn't too hard!
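What “a firewall between the segments” looks like in practice, as an added example that is not part of the original post: an nftables ruleset for the router that sits between the two front-desk segments. The addresses, the interface name and the processor’s gateway address (an RFC 5737 documentation address standing in for whatever your processor actually uses) are all assumptions.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed addressing:
#   10.10.20.0/24  payment segment (the dedicated card-taking machine and POS)
#   10.10.30.0/24  front-desk browsing segment
#   203.0.113.10   the payment processor's gateway (placeholder address)
#   wan0           the router's Internet-facing interface
flush ruleset

table inet frontdesk {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already allowed below; junk state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Payment segment: only TLS to the processor. Everything else it tries
        # to send (web browsing, e-mail, updates) is logged and dropped.
        ip saddr 10.10.20.0/24 ip daddr 203.0.113.10 tcp dport 443 accept
        ip saddr 10.10.20.0/24 log prefix "payment-egress-denied " drop

        # Browsing segment: may reach the Internet, may never reach the
        # payment segment. The explicit drop keeps a log trail of attempts.
        ip saddr 10.10.30.0/24 ip daddr 10.10.20.0/24 log prefix "browse-to-payment-denied " drop
        ip saddr 10.10.30.0/24 oifname "wan0" accept

        # Inbound from the Internet to either segment falls through to policy drop.
    }
}
```

Load it with `nft -f` on the router and watch the two log prefixes for a week: the first one tells you what the payment machine was quietly talking to before the rule, and the second one tells you who is trying to reach the POS from a browsing desk. If the POS resolves the processor by hostname, add one rule permitting DNS from the payment segment to your internal resolver only; if the processor is reached over a private link rather than the Internet, remove the port 443 rule entirely.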

Yes, children could hack you.
Ok, so there’s not a huge influx of evil hacker children swarming the globe right now. But “script kiddies” are a very disturbing trend. Readily available, point-and-click attack tools have swelled the ranks of these childlike but effective hackers. An amateur with a grade school computer education can often break into a poorly defended business network within minutes of downloading a free tool from the Web, because the tool does the work the attacker doesn’t understand.

Even though these hackers may be amateurs, their success rates are increasingly high, largely because businesses haven’t spent enough time making easy changes to safeguard their companies.

My point? Without effective security, more businesses will be attacked and compromised. Stop face-palming. It’s time to play hard to get.