Tech Talk

Recent posts

Definitely Doug 12/8/23: Top 5 Hotel Technology Trends from 2023
Posted: 12/08/2023

Technology in the hotel industry does not change quickly. Every year, we see a few new ideas emerge. Some turn out to be fads and never get much traction. Many others get a fair amount of adoption, but only within certain niche markets. Only a few really start to take hold. Today I will assess which of the new technologies that have emerged in recent years are likely to be in this last (and most important) category, recognizing that they can still take years (often decades) to work their way through the industry.

Read More +

Definitely Doug 11/17/23: The Hotel TV Dilemma
Posted: 11/17/2023

In case you missed the memo, people no longer watch television the way that they did ten years ago. Not at home, and not at hotels. Nielsen reported that streaming services cornered 34.8% of TV screen time in July 2022, when they overtook cable for the first time.

Property management systems (PMSs) fundamentally have changed very little since the 1980s. And many hotels still use systems that were built in the eighties, nineties, or aughts. Since then, massive technology changes have occurred: the mobile revolution, cloud computing, distributed ledgers, AI-based large language models, Web 3.0, and other innovations have fundamentally changed both the technological capabilities of software, the way it is designed and built, and expectations for user experience.

Read More +

Definitely Doug 10/20/23: Gluing It All Together
Posted: 10/20/2023

Hardly a day goes by that hotels do not express frustration about the inability to tie together key data sources and technology systems. This is not a new problem; it has been around for decades. Progress has been made on many fronts to be sure, but digitalization has created new issues much faster than solutions.

Read More +

What’s the Buzz Among Today’s Hoteliers?
Posted: 10/17/2023

What’s on the minds of hoteliers? What’s keeping them up at night? And what makes travelers happy and eager to return? Some of the best places to have these candid discussions are at the industry’s conferences and events, and this year’s lineup has not disappointed. From AAHOACON and BITAC, to HITEC and The Hospitality Show, I’ve been traveling steadily, attending 13 events since January.

Read More +

comment on this article

Who is Responsible for Securing Your IoT Devices? (Hint: It’s Not Just Device Manufacturers)

06/07/2018

by Dean Coclin

Consumers are growing more comfortable using smart devices at home and while traveling. Asking their Amazon Alexa, Apple Siri and other AI-enabled products to do everything from opening the front door, to turning on/off lights and playing music has become almost second-nature. There are even smart kitchen appliances that you can order to start making dinner while you’re on your way home. That means that offering similar experiences is becoming table stakes for the hospitality industry. However, realize that the more Internet of Things (IoT) devices you connect to your network, the more possible access points to your IT systems and data stores you open for cyber attackers. The onus is on you to harden your security posture, because for now at least, security is typically an afterthought among the device manufacturers.

That may sound ominous, and the risk is real. But I do not want to discourage you from deploying smart devices to create memorable guest experiences and improve customer service levels. In fact, if you haven’t started doing so, you are falling behind.

AccorHotels recently announced a smart room concept that leverages voice activation and IoT to transform the in-room guest experience. Features include a connected tablet guests use to adjust the room's lights, close/open the curtains, control all audiovisual equipment and even tilt the headboard. Similarly, some guests at Wynn Las Vegas can ask Amazon Alexa to control lights, room temperature, drapery and the television, and the hotel plans to add additional capabilities. Marriott is testing out voice-controlled systems in a number of its properties to serve guests who are more likely to search their smartphones for nearby restaurants instead of calling the concierge.

All smart devices, no matter what their functions, must connect to the Internet. That increases the risk of a data breach exponentially. To make matters worse, most were built without basic security principles in mind like device authentication, the ability to change default passwords, secure update methods and basic firewalls. Security is an afterthought, not a necessity, and that opens the virtual door to cybercriminals who are always looking for entry ways into the network.

Consider the findings of a recent survey by the Ponemon Institute and Shared Assessments Program. The resulting report entitled “The Internet of Things (IoT): A New Era of Third Party Risk” is not specific to the hospitality industry, but it does raise several red flags:

97 percent of respondents believe they will suffer a catastrophic IoT-related event within the next two years. 81 percent of respondents believe a data breach due to unsecured IoT devices is “likely.”

The report lists a number of reasons for this pessimism: the increase of IoT devices in the average workplace (nearly 25,000, up about 10,000 devices from last year); unsecure applications on IoT devices; and concerns over third-party contracts and control over the devices. And while the study found “some advances in third-party risk focused on IoT devices and applications from 2017, risk management in this area is still at a relatively low level of maturity.”

These findings should prompt you to ask two questions: Who would take advantage of such weaknesses in my network, and what damage could they cause? The answer to the former is anyone with motive and opportunity. Perhaps a disgruntled guest who happens to be a hacker. Or maybe a terminated employee with some computer skills. And the list of attacks is almost as broad.

The hacker can install “ransomware” like the WannaCry attack that crippled enterprise IT systems worldwide last year to lock out legitimate users until you pay a ransom. They can compromise the devices by installing firmware that turns them into remote-controlled bots. Then they can create a network of these compromised devices to create a “botnet” and launch a Distributed Denial of Service (DDOS) attack on an external target, or targets, like the 2016 Murai attack that took down several companies and educational institutions.

Your challenge is offering guests amazing experiences from IoT devices while maintaining your strong security posture. IoT devices create an expanded attack surface for the hospitality industry, which most properties are either unaware of or unprepared for. So, let’s examine what steps you can take immediately to ensure the safety and security of your IT systems, employees and customers.

Follow basic security protocols, like changing default passwords, and making sure to regularly update the firmware/software on all devices. You have (or should have!) these policies in place for any PCs, laptops and employees’ smartphones that connect to your network, and the same applies to IoT devices. Create and maintain an up-to-date inventory of all IoT devices so you know what you have in case of product recalls or manufacturer updates.

Ensure your IT department manages the devices, not a third party. In the event of a compromise, disconnect devices from the network and notify authorities as soon as possible. Do not power down until authorities tell you to do so.

You should only partner with manufacturers that take a “secure by design” approach to the development of their devices. That typically eliminates first-generation products and relegates you to only buy from vendors that have been in the market a while. The IoT industry is extremely competitive, with vendors rushing their products to market to beat their competitors. Make sure you do not sacrifice security for the sake of having the latest and greatest smart speaker or thermostat in your guest rooms.

Investigate how a vendor ensures the basic security requirements for data confidentiality, data integrity, and data accessibility. One effective approach is the incorporation of Public Key Infrastructure (PKI) using digital certificates. Digital certificates serve as the backbone of Internet security, even if you are not aware that you rely on digital certificates every time you browse the web.

Similarly, a PKI framework can provide assurances for IoT devices and the people who use them. This makes PKI a perfect match for the exploding IoT sector, providing trust and control at scale and in a user-friendly way that traditional authentication methods like tokens and passwords can’t do. Digital certificates used for mutual authentication can authenticate devices to other devices within or outside your networks, as well as authenticating users to devices behind the scenes with minimal-to-no user interaction. They enable safe authentication without the friction to the user experience that comes from user-initiated factors such as tokens and password policies. This protects all devices and networks from malicious actors, even if a data stream or data source were captured or compromised.

Digital certificates leveraging PKI also encrypt sensitive data to ensure only authorized parties can read messages in transit. Using code signing certificates, technical teams can securely patch IoT device firmware, including over the air updates in a similar fashion to how your smart phone gets updates. Code signing also enables secure boot of the device and the integrity of software to the device to protect against malicious files.

Be proactive in taking the necessary precautions before implementing any new IoT devices. Be sure to incorporate PKI into your IT security best practices and policies, and carefully vet any manufacturers before you source from them. You cannot force an IoT device manufacturer to adopt a “secure by design” mindset, but you can demand it of any that want to partner with you.