With all the news and information we are pummeled with daily, it’s hard to ignore the significance of cyber security and its role in protecting enterprises and individuals. It’s even pretty easy to ignore until it happens to you. I have written and spoken about the challenges in the hospitality industry before, and they remain a big target for a few big reasons.
Many hotels, even ones with a big-brand name on the facade, are owned and operated by individual companies and investors. Joe’s Hotel Group buys the building, hires the employees, and plugs into GiantHotelChain’s reservation and reward system. Many hotels are also sprawling properties where nearly everywhere you go you have an opportunity to perform a transaction (pay TV, internet, bar, minibar, restaurant, rentals, and excursions, to name a few). Since you are on-property, you have the option to pay using the stored payment information on file, which sets up a huge opportunity for bad things to happen. Some properties are completely standalone, and others are mini-chains of properties, all subject to the whims of an underfunded IT department and aging hotel management systems. As an example, I checked into a prominent hotel Tuesday in Chicago and leaned over the counter to see a curses-based (i.e., text like a dumb terminal) hotel management interface.
Speaking of loyalty programs, many of these store a surprisingly large amount of information on their members, including payment information on file. The major chains differ in how they protect this information, but in many cases a simple username/password combination is all someone would need to start combing through a loyalty program database. Here’s where behavior-based detection really comes into play, as someone using a valid credential to perform “valid” operations may not show up on the radar.
Another problem, which is not limited to hotels, is the limited number of point-of-sale systems and of integrators that install them. If you know one particular grouping of hotels that uses a particular POS installed by a particular integrator, you can almost guarantee that if one property is compromised, they can all be compromised. Depending on how lazy the integrator is, more of his customers are exposed simply because his website touts who they are. This problem is common among franchise communities and even whole verticals (if Restaurant 1 is compromised, are Restaurants 2 through n that run the same systems compromised too?). Hospitality environments aren’t necessarily rich in intellectual property, but they are certainly PII-rich, with a number of ways to reach that information both on-prem and off.
If you are in this industry, how do you deal with this big target on your back? Especially those of you who don’t have high-dollar IT budgets and nifty tools to secure your environment? As with most challenges, you have to understand both the problem and its scope before you know how best to proceed. Understand how your business collects information and how it is used. Invest time learning how your POS system operates and do the basic things: change default passwords, disable always-on remote access, run a current anti-virus program, install patches, and ensure your firewall adequately protects both inbound AND outbound traffic. Surprisingly enough, most breaches in this space, including the ones you see in the news, are happening because those five elements are left open. That’s the blocking and tackling we’re talking about. Once you have these controlled, you can start to ask harder questions like “How do I find bad guys in my environment BEFORE they steal data?” and “Why am I storing, handling, and processing this data anyway?”