Wednesday, March 10, 2010
CISO/CSO Security: Securing the Hospitality Industry… What's the Hold-up?

CISOHandbook.com

By Ron Collette, CISSP & Mike Gentile, CISSP

ron@cisohandbook.com, mike@cisohandbook.com


With so much recent attention on the exploitation of major hotel and resort chains, we felt that we should take a closer look at the causes and potential solutions to the problem.  We have had the opportunity to work with several resorts over the last 12 months and wanted to share some distinct commonalities related to security that we experienced.  The objective of this article is to reveal the issues and present practical solutions to address them.

Issues and Concerns


The goal of almost any hotelier is to provide the best experience possible for their guests, from the moment they arrive to their time of departure. This is the overriding concern that drives the hospitality industry. Whether it is a speedy check-in, prompt and courteous delivery of room service, or simply the emptying of ash trays, everything is guest-centric with an emphasis on the speed and quality of delivery. This affects security because security, as many within the industry understand it, is seen as incompatible with fulfilling that primary objective. Many believe that security safeguards slow down the ability of the hotel staff to provide the aforementioned service.


The next issue is the industry-specific applications that are available to support the resort in delivering service. Hotel-specific applications such as property management, point of sale, spa, in-room services, etc., are primarily produced by a small group of specialized product vendors that have access to a captive market. This has been caused primarily by the way these various applications need to interact with each other at the resort to provide a seamless array of services to guests. Such specialization presents a barrier to entry for competition, producing a limited number of vendors, many of which are not always motivated or able to modernize their products with the inclusion of standard security controls. Additionally, many resorts heavily customize these applications to provide their unique level of service, making it difficult to upgrade their applications even when the vendor has a new version.


Another factor with larger hospitality chains is the nature and structure of their information technology operations. The majority of IT operations are centralized, with most of the critical technical functionality being housed at that one location. This functionality often includes e-mail, domain services, and the critical elements of hotel-specific applications such as property management. With this centralized model, it is common for the majority of senior IT personnel to be congregated at the central location, with more junior staff at each resort location. The problem with this arrangement is that there are still critical systems and functions that are operated at the local resort level. The security of these systems, and of the access they provide to sensitive data, is usually left to junior IT personnel with little, if any, specific training in information security. This is compounded by the increase in the number of technical services that most resorts offer to guests, such as wireless internet, in-room account information systems, and full-featured business centers. Even when these systems are outsourced to third parties, which is common, their proximity to the resort and its infrastructure results in additional burden and risk for the local hotel network and support team. Lastly, many resorts do not have a structured security program with associated policies and procedures that can be adhered to, leaving these junior technicians and personnel to fend for themselves.


Even where a resort has a formal security program, it generally lacks the elements required for an effective security strategy, focusing only on issues associated with physical security. This returns us to the definition of security as understood by the hospitality industry. This limited view misses the three other components required for a comprehensive security strategy: people, process, and technology.


The final issue that complicates the ability of resorts to provide a secure environment is the increased technical capability of our society. This includes both the guests and the prospective hacker community. The nature of business today mandates the use of technologies that extend the capabilities of the organization to anywhere an employee travels. Internet connectivity is no longer considered a luxury; rather, it is an expectation of any business traveler within the United States. Nothing is worse for a resort than a bored business traveler, who has some technical capability, sitting in their room with a laptop. This circumstance will turn just about any of us to "The Dark Side." The other situation that confronts resorts is the "Black Hat" hacker.


Recent hacker conventions have focused on the lack of security within the hospitality space. It is no longer a secret, nor is it merely done for a lark. This target has been identified as profitable and soft: low risk and high potential for reward. This is not the reputation that any industry needs!

What Can Be Done


· The hospitality industry needs to understand that it has been targeted!

· Smaller hotels should employ a documented security strategy. Larger hotel chains need to develop a strategy along with a full security program to implement it, addressing risk reduction for people, process, technology, and facilities.

· Provide training and awareness programs for all hotel employees.

· Take the time to perform a risk assessment prior to the deployment of any new technology.

· Hotels need to develop their own application security requirements and insist that the specialized software vendors meet them.

· Hotels need to stop treating back-office operations as an afterthought.

· Shorten the service life of antiquated hardware and software.

Conclusion


The exploitation of information systems in the hospitality industry has been highly prevalent in recent news. Resort chains that are household names have had to report that the personal information of thousands of their guests has been exposed unintentionally. Unfortunately, this trend will continue until the industry demonstrates that it is ready to take security seriously.


Posted on Tuesday, March 28, 2006 (Archive on August 14, 2006)
Posted by CISOHandbook.com