Data security expert John Bell shares insights into what hoteliers should be thinking about to avoid potential breaches.
BELTSVILLE, Maryland—Data security should always be top of mind for hoteliers, but that’s even truer today after revelations of significant security breaches in computer processors.
Hotel News Now reached out to data security expert John Bell, the founder and president of Ajontech and long-time technology expert in the hotel industry, to get some insights on what hoteliers should be thinking about with cyber security.
Hotel News Now: What are the biggest security issues in the hotel industry heading into 2018?
Bell: “It seems to me we are always talking about payment security, and because of the new European (General Data Protection Regulation) law that goes into effect later this year, there is a lot of talk about how to properly handle private information. Another concern, because we have seen some spectacular events in 2017, is ransomware attacks. A ransomware attack on a hotel’s (property management system) or (central reservation system) could devastate a hotel company.”
HNN: What is something hoteliers/businesses should be paying more attention to?
Bell: “The basics: limiting access to core systems, regular backups, segregation of data, validated monitoring. These can’t be ignored.”
HNN: What general approach do you suggest for data security in 2018?
Bell: “In general, my approach is based on principles; number one is security first. It is not about compliance with rules like (Payment Card Industry Data Security Standards); it is about securing and protecting the data you control. Next is least access: limit access to information to only those people and systems that need the access. For example, a restaurant point of sale needs to be able to post to a folio on a PMS but it does not need to see the guest folio to do so. Another is separation: separate meaningful information from the rest of the data. For example, if you separate credit card numbers from the rest of the information about a customer using a tokenization service, the rest of that information is much less valuable. Finally, implement meaningful monitoring. It is not enough for an alarm to go off. Someone must acknowledge and address the alarm and deal with the implications; and someone else must confirm that this has all happened.”
HNN: Are there any recent, headline-grabbing data security issues (like ransomware) that are either truly impactful or perhaps overblown?
Bell: “Even if you are well prepared for a ransomware attack, recovery takes time and impacts your business. The primary problem is that many of the businesses that are successfully attacked are not properly prepared. They do not have recent or adequate backups, they have not tested their recovery processes and they are not prepared for the amount of time recovery takes. Making matters worse, they have not segregated their systems, so a successful attack on one system spreads through the entire organization.
“My other observation is there are many ongoing attacks on the technology underlying the HTTPS protocol. HTTPS is what allows secure web transactions for ecommerce. The underlying SSL protocol is no longer safe, and older versions of the alternative TLS are no longer safe either. Yet many companies continue to support these deprecated technologies, afraid of the small amount of business they might lose to older browsers or unwilling to update their infrastructure to keep their systems secure.”
HNN: What is something you hope happens in 2018?
Bell: “I hope that owners recognize the value in keeping their software and systems updated, current and secure, and they understand that it is as important to guests as clean rooms and new carpet even though it is less visible until it fails.”
HNN: What is something you’re worried might happen in 2018?
Bell: “I have observed speculation that several attacks on publicly traded companies have occurred specifically to manipulate the value of their stock. I would not be surprised to see this happen to one or more companies in the hotel industry.”
HNN: Do you expect to see the same pace of data breaches in the hotel industry in 2018? Why or why not?
Bell: “Yes, I expect the same pace of breaches because the fundamentals haven’t changed.”
HNN: Are there any simple steps hoteliers can take to mitigate the possibility of breaches?
Bell: “Security is often both simple and complex. I grew up in a rural community, where many people didn’t lock their doors. I live in an urban area now, and I never exit the front door without locking it. That is enough to stop most potential crime against my home and the possessions it contains. Still someone years ago bashed down my front door when no one was home and robbed me. I don’t keep a lot of valuables in the house, and I was adequately insured, so the overall harm was minimal.
“The point I am trying to make is: don’t store your valuables where they are easily accessed, and make sure you have backups as insurance. If you have data you are trying to protect, don’t make it easily accessible directly from the web. Put layers in front of the data. Consider limiting user access to one record at a time. Verify users, force longer passwords, use multi-factor authorization when appropriate. In other words, lock the front door.”
HNN: Do you think tech security is something the industry takes seriously enough?
Bell: “I have seen this scenario too many times: ‘The owner wants to spend the money on a new chandelier for the lobby instead of upgrading the computer equipment. Can you tell us how to make it compliant for another three years?’ I have learned the problem is the decision-makers are often not aware of the risks, that is, the potential losses and the chances of a loss occurring. This often leads to decisions being made that are not appropriate to the actual situation.”
HNN: Should hoteliers be concerned about the new Spectre and Meltdown vulnerabilities found in computer processors that have recently been disclosed? Do you expect these to be impactful for the hotel industry?
Bell: “Hoteliers should be aware of the issues and how they can impact their platforms. It appears that the manufacturers and software vendors are working quickly and diligently to address the issues and minimize the threats. In the end, you may get a little less performance for the price, but the threat will be mitigated.”