Employees come and go, and each one is a data security risk without the proper training and procedures in place to protect guest and proprietary information.
REPORT FROM THE U.S.—In the hotel industry, there’s a great deal of employee turnover. New hires start behind the front desk, having direct contact with guests’ personal and credit card information. Employees leave, sometimes for jobs outside of the industry, other times for a competitor. Sometimes companies have to fire someone, who could harbor a grudge against their former employer.
A company’s data security system is only as good as the people who use it. With so many people who come and go at a company each year, the risk of a data breach increases for companies without preventative policies and procedures in place.
Maintaining data security starts at the beginning, said Stephen Bono, founder of security consultancy Independent Security Evaluators. When hiring a new employee, conduct an extensive background check, he said, one that’s as extensive as practical. It’s not worth saving a little bit of money by only checking out a person’s past five years, he said.
“I’ve seen companies in situations where five years reveals nothing of importance when seven years shows the person has done time,” he said.
Once employees come aboard, train them in basic security practices, Bono said, and don’t assume they received security training at their last job. Show them what to click, what not to click and how to identify scams, he said. They need to know how to use the software, who does what at the company and where the data they can access is. They should also know where the data they aren’t allowed to access is to avoid accidents, he said.
Marsha Cannon, director of human resources at LBA Hospitality, said the associate handbooks new employees receive have clear policies. During training, the supervisors make sure new hires understand the importance of keeping guest and proprietary information confidential, she said.
Part of the training also informs new employees they are to only conduct company business on company equipment, she said, and they are not allowed to visit outside websites unrelated to the job.
When new employees have passed the background check and received the proper training, Bono said the IT department should know who the new employees are and what level of access they should have.
“Don’t give access to information until the employee has completed all that and gone through the requisite training,” he said.
New GMs hired by LBA receive access on their first day of work, Cannon said, but they shadow another GM for their first few weeks. The hiring manager lets them know what systems they have access to, gives them their passwords and has IT provide access so they can start working immediately.
Leaving on good terms
When an employee leaves a company for another job, the company should conduct an exit interview to gather information about the employee that is otherwise not documented, Bono said. The exit interview can go over what equipment the employee has, what copies of keys he or she has as well as any accounts used. Along with this, IT should have a checklist to run through to see what the employee had access to and catch any loose ends.
IT should disable passwords and access pathways and change PINs, Bono said. One often overlooked area is employees’ access to phone and video conference lines, he said. Similarly, some former employees might still have active account sessions that need to be terminated if they remained logged in and the sessions don’t automatically time out.
“Every piece of software, web application, cloud service—it’s up to IT or the security department to keep track of how to revoke sessions for ex-employees,” he said.
When an employee gives two weeks’ notice because they are leaving for a competitor, the supervisor would likely thank them for the notice but let the employee leave immediately and then terminate that person’s access, Cannon said. That practice is shared with employees when they are hired so it’s not a surprise for them, she said.
Hotel Equities switched to cloud-based support for its corporate office and properties five years ago, said Jeff Shockley, VP of asset management and operations. The creation of its own private internal network has improved security for the company’s sensitive information, he said.
Part of that added security is a smartphone app that allows an outgoing employee’s password to be instantly changed, he said. An email then goes to that person’s direct report to cut off access to the company’s intranet and employee’s work email. The corporate administrator then terminates that employee’s access to brand portals and other internal sites.
Along with this, employees with any physical assets, such as a laptop issued to the GM or director of sales, must return them. After a GM quits, the company immediately brings in a locksmith to change the combinations on the property’s safes, Shockley said.
The procedure for revoking access to a company’s systems when an employee is fired should be 99.9% identical to when an employee resigns, Bono said. When an employee is terminated, there’s likely bad blood and a higher risk of retribution, he said.
“You should definitely, once an employee is terminated, immediately begin security audit procedures,” he said. “Don’t wait for the next cycle. Start now, especially in regard to any systems the person had access to. There should be no lingering accounts the person would have access to. Make sure there’s nothing malicious installed on their machines. Monitor for logins from the ex-employee.”
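The exit checklist Bono describes, which is to see what the departing employee had access to, catch loose ends such as sessions that never time out, and watch for logins after departure, is a reconciliation that IT can run rather than do from memory. The script below is an added example, not code from the article or from any of the companies named in it. It joins three constructed inputs (an account inventory, the open sessions, and an authentication log in a made-up format) against the termination time and reports anything still open; the system names, usernames, log format and sample records are all constructed.

```python
"""Offboarding reconciliation for a departing employee (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    system: str          # hypothetical system names, e.g. "pms", "vpn", "conference-bridge"
    username: str
    enabled: bool


@dataclass(frozen=True)
class Session:
    system: str
    username: str
    expires_at: Optional[datetime]   # None = the session never times out on its own


# Constructed log format, one login event per line (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) system=(?P<system>\S+) result=(?P<result>\w+)$"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "system": m["system"], "result": m["result"]}


@dataclass
class OffboardingReport:
    lingering_accounts: List[Account]        # still enabled after termination
    lingering_sessions: List[Session]        # still valid at report time
    post_termination_logins: List[dict]      # any attempt (success or failure) after termination

    def is_clean(self) -> bool:
        return not (self.lingering_accounts or self.lingering_sessions or self.post_termination_logins)


def reconcile(usernames, terminated_at, accounts, sessions, log_lines, now) -> OffboardingReport:
    """Compare what the inventory says the ex-employee holds against what is actually still open.

    `usernames` lists every identity the person used, because different systems
    often know the same person under different names; missing one is the classic loose end.
    """
    names = set(usernames)
    lingering_accounts = [a for a in accounts if a.username in names and a.enabled]
    lingering_sessions = [
        s for s in sessions
        if s.username in names and (s.expires_at is None or s.expires_at > now)
    ]
    logins = []
    for line in log_lines:
        ev = parse_log_line(line)
        # Failed attempts after termination are kept too: they are worth an alert.
        if ev and ev["user"] in names and ev["ts"] > terminated_at:
            logins.append(ev)
    return OffboardingReport(lingering_accounts, lingering_sessions, logins)


def run_example() -> OffboardingReport:
    """Run the reconciliation on constructed sample data for a fictitious employee."""
    utc = timezone.utc
    terminated_at = datetime(2024, 3, 4, 14, 0, tzinfo=utc)
    now = datetime(2024, 3, 5, 8, 0, tzinfo=utc)
    identities = ["jdoe", "john.doe"]       # same person, two naming conventions
    accounts = [
        Account("pms", "jdoe", enabled=False),               # already disabled
        Account("vpn", "jdoe", enabled=True),                # missed
        Account("conference-bridge", "john.doe", enabled=True),  # the often-overlooked one
        Account("email", "john.doe", enabled=False),
    ]
    sessions = [
        Session("pms", "jdoe", datetime(2024, 3, 4, 13, 30, tzinfo=utc)),   # expired on its own
        Session("brand-portal", "john.doe", None),                          # never times out
    ]
    log_lines = [
        "2024-03-04T09:15:00Z login user=jdoe system=pms result=success",          # before departure
        "2024-03-04T18:42:10Z login user=jdoe system=vpn result=success",          # after: alert
        "2024-03-05T02:03:00Z login user=john.doe system=brand-portal result=failure",  # after: alert
        "this line is not a login event",
    ]
    return reconcile(identities, terminated_at, accounts, sessions, log_lines, now)


if __name__ == "__main__":
    report = run_example()
    for a in report.lingering_accounts:
        print(f"still enabled: {a.system}/{a.username}")
    for s in report.lingering_sessions:
        print(f"session still valid: {s.system}/{s.username}")
    for ev in report.post_termination_logins:
        print(f"post-termination login: {ev['ts'].isoformat()} {ev['system']} {ev['result']}")
    print("clean" if report.is_clean() else "loose ends remain")
```

Run against the sample data it flags the VPN and conference-bridge accounts as still enabled, the brand-portal session as never expiring, and two login attempts after the termination time, one of them a failure. The list of identities is deliberately an input rather than something derived from one username, since the exit interview Bono describes is where those extra account names get collected.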
Termination notices immediately go out through LBA’s distribution list, Cannon said. The hiring manager meets with terminated employees and escorts them to remove their belongings, she said, and the manager collects any company property at that time.
There is lead time ahead of an employee’s termination, Shockley said. Hotel Equities is able to cut off access to everything almost simultaneously with that employee walking into an office to speak with HR, he said.
Years ago, directors of sales would store their sales databases on the C drive of their laptops, he said, so a fired director of sales could potentially do a lot of damage if they still had possession of the computer.
“We switched to the cloud to secure all of our data,” Shockley said.