Tech Talk


Who is Responsible for Securing Your IoT Devices? (Hint: It’s Not Just Device Manufacturers)

06/07/2018
by Dean Coclin


Consumers are growing more comfortable using smart devices at home and while traveling. Asking their Amazon Alexa, Apple Siri and other AI-enabled products to do everything from opening the front door to turning lights on and off and playing music has become almost second nature. There are even smart kitchen appliances that you can order to start making dinner while you’re on your way home. That means that offering similar experiences is becoming table stakes for the hospitality industry. However, realize that the more Internet of Things (IoT) devices you connect to your network, the more possible access points to your IT systems and data stores you open for cyber attackers. The onus is on you to harden your security posture, because for now at least, security is typically an afterthought among the device manufacturers.
 
That may sound ominous, and the risk is real. But I do not want to discourage you from deploying smart devices to create memorable guest experiences and improve customer service levels. In fact, if you haven’t started doing so, you are falling behind.
 
AccorHotels recently announced a smart room concept that leverages voice activation and IoT to transform the in-room guest experience. Features include a connected tablet guests use to adjust the room's lights, close/open the curtains, control all audiovisual equipment and even tilt the headboard. Similarly, some guests at Wynn Las Vegas can ask Amazon Alexa to control lights, room temperature, drapery and the television, and the hotel plans to add additional capabilities. Marriott is testing out voice-controlled systems in a number of its properties to serve guests who are more likely to search their smartphones for nearby restaurants instead of calling the concierge.
 
All smart devices, no matter what their functions, must connect to the Internet. That increases the risk of a data breach exponentially. To make matters worse, most were built without basic security principles in mind, such as device authentication, the ability to change default passwords, secure update methods and basic firewalls. Security is an afterthought, not a necessity, and that opens the virtual door to cybercriminals who are always looking for entryways into the network.
 
Consider the findings of a recent survey by the Ponemon Institute and Shared Assessments Program. The resulting report entitled “The Internet of Things (IoT): A New Era of Third Party Risk” is not specific to the hospitality industry, but it does raise several red flags:
 
97 percent of respondents believe they will suffer a catastrophic IoT-related event within the next two years. 81 percent of respondents believe a data breach due to unsecured IoT devices is “likely.”
 
The report lists a number of reasons for this pessimism: the increase of IoT devices in the average workplace (nearly 25,000, up about 10,000 devices from last year); unsecure applications on IoT devices; and concerns over third-party contracts and control over the devices. And while the study found “some advances in third-party risk focused on IoT devices and applications from 2017, risk management in this area is still at a relatively low level of maturity.”
 
These findings should prompt you to ask two questions: Who would take advantage of such weaknesses in my network, and what damage could they cause? The answer to the former is anyone with motive and opportunity. Perhaps a disgruntled guest who happens to be a hacker. Or maybe a terminated employee with some computer skills. And the list of attacks is almost as broad.
 
The hacker can install “ransomware,” as in the WannaCry attack that crippled enterprise IT systems worldwide last year, to lock out legitimate users until you pay a ransom. They can compromise the devices by installing firmware that turns them into remote-controlled bots. Then they can link these compromised devices into a “botnet” and launch a Distributed Denial of Service (DDoS) attack on an external target, or targets, like the 2016 Mirai attack that took down several companies and educational institutions.
 
Your challenge is offering guests amazing experiences from IoT devices while maintaining your strong security posture. IoT devices create an expanded attack surface for the hospitality industry, which most properties are either unaware of or unprepared for. So, let’s examine what steps you can take immediately to ensure the safety and security of your IT systems, employees and customers.
 
Follow basic security protocols, like changing default passwords, and making sure to regularly update the firmware/software on all devices. You have (or should have!) these policies in place for any PCs, laptops and employees’ smartphones that connect to your network, and the same applies to IoT devices. Create and maintain an up-to-date inventory of all IoT devices so you know what you have in case of product recalls or manufacturer updates.
 
Ensure your IT department manages the devices, not a third party. In the event of a compromise, disconnect devices from the network and notify authorities as soon as possible. Do not power down until authorities tell you to do so.
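The hygiene rules above (changed default passwords, current firmware, an up-to-date inventory, IT-managed devices) can be checked mechanically against the inventory itself. The following is an added example, not part of the original article; the CSV columns, device IDs, model names and minimum firmware versions are all constructed assumptions.

```python
import csv
import io

# Constructed sample inventory; column names and values are assumptions.
INVENTORY_CSV = """device_id,model,location,firmware,default_password_changed,managed_by
spk-0101,AcmeSpeaker-2,Room 101,1.4.2,yes,IT
thm-0101,AcmeThermo-1,Room 101,2.0.0,no,IT
tab-0214,AcmeTablet-3,Room 214,3.1,yes,vendor
cam-lobby,AcmeCam-5,Lobby,,yes,IT
"""

# Constructed minimum firmware per model, e.g. copied from manufacturer update notices.
MIN_FIRMWARE = {"AcmeSpeaker-2": "1.5.0", "AcmeThermo-1": "2.0.0",
                "AcmeTablet-3": "3.1.0", "AcmeCam-5": "4.2.1"}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2), padding short versions; None if empty or malformed."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None
    return parts + (0,) * (3 - len(parts))


def audit(inventory_csv, min_firmware):
    """Return {device_id: [findings]} for every device that breaks a hygiene rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        if row["default_password_changed"].strip().lower() != "yes":
            issues.append("default password not changed")
        if row["managed_by"].strip().lower() != "it":
            issues.append("not managed by IT department")
        have = parse_version(row["firmware"])
        need = min_firmware.get(row["model"])
        if have is None:
            issues.append("firmware version unknown")
        elif need is None:
            issues.append("model missing from firmware baseline")
        elif have < parse_version(need):
            issues.append(f"firmware {row['firmware']} older than {need}")
        if issues:
            findings[row["device_id"]] = issues
    return findings


if __name__ == "__main__":
    print(audit(INVENTORY_CSV, MIN_FIRMWARE))
```

A device with no recorded firmware version is reported rather than skipped, since an inventory gap is itself a finding.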
 
You should only partner with manufacturers that take a “secure by design” approach to the development of their devices. That typically eliminates first-generation products and limits you to buying from vendors that have been in the market a while. The IoT industry is extremely competitive, with vendors rushing their products to market to beat their competitors. Make sure you do not sacrifice security for the sake of having the latest and greatest smart speaker or thermostat in your guest rooms.
 
Investigate how a vendor ensures the basic security requirements for data confidentiality, data integrity, and data accessibility. One effective approach is the incorporation of Public Key Infrastructure (PKI) using digital certificates. Digital certificates serve as the backbone of Internet security, even if you are not aware that you rely on digital certificates every time you browse the web.
 
Similarly, a PKI framework can provide assurances for IoT devices and the people who use them. This makes PKI a perfect match for the exploding IoT sector, providing trust and control at scale and in a user-friendly way that traditional authentication methods like tokens and passwords can’t do. Digital certificates used for mutual authentication can authenticate devices to other devices within or outside your networks, as well as authenticating users to devices behind the scenes with minimal-to-no user interaction. They enable safe authentication without the friction to the user experience that comes from user-initiated factors such as tokens and password policies. This protects all devices and networks from malicious actors, even if a data stream or data source were captured or compromised.
 
Digital certificates leveraging PKI also encrypt sensitive data to ensure only authorized parties can read messages in transit. Using code signing certificates, technical teams can securely patch IoT device firmware, including over-the-air updates, in a similar fashion to how your smartphone gets updates. Code signing also enables secure boot of the device and verifies the integrity of software delivered to the device, protecting against malicious files.
 
Be proactive in taking the necessary precautions before implementing any new IoT devices. Be sure to incorporate PKI into your IT security best practices and policies, and carefully vet any manufacturers before you source from them. You cannot force an IoT device manufacturer to adopt a “secure by design” mindset, but you can demand it of any that want to partner with you.
About The Author
Dean Coclin
Senior Director of Business Development
DigiCert


 