
How to Manage the Growing Threat to Confidential Information Security

By Peter Goldmann, President, FraudAware Hospitality

The news headlines are chock full of accounts of massive volumes of confidential corporate information being stolen, including customer credit card data, medical records, Social Security numbers, corporate trade secrets, trademarked and copyrighted intellectual property and more.

The results of these attacks, though hard to accurately measure in dollars and cents, are nonetheless devastating for both the victimized company and the customers, employees and contractors whose personal identifying data is stolen.

In the largest theft of confidential information ever, the apparel retailer, TJX Inc., had its databases attacked by outside hackers to the tune of over 45 million retail transaction records, involving countless numbers of credit and debit card files. The company may be counting its losses for years to come, as...

And then, of course, there are the innocent consumers whose stolen credit card information is used to commit identity fraud and who are forced to endure the painstaking and often frustrating process of restoring the integrity of their credit histories.

What Can Be Done?

The TJX incident is just one of untold thousands of similar cyber-attacks hitting companies in all industries, including hospitality. While there is no silver bullet to unfailingly safeguard data sought by hackers, both outside and within the organization, there are some essential steps all companies should take to at least minimize their vulnerability to information theft.

For example, as Kevin Beaver, an information security consultant with Principle Logic LLC, points out, it is essential that IT management continually assess information security risks so they know exactly what to protect.

Because high-tech crime is a fast-moving target, changing continuously as malicious hackers and fraudsters innovate new ways to penetrate security defenses, Beaver urges companies to reinforce their highest-value targets first. He recommends using the 80/20 rule to allocate security resources, optimizing the security of the organization's most critical information assets rather than attempting to reduce risk for the entire organization's confidential data, including portions for which the risk of loss is very low.

Next Steps

Gideon Rasmussen, a Charlotte, NC-based certified information security professional (CISP), recommends the following security "audit" steps after the organization's confidential data has been prioritized...

Step 1: Take a detailed "inventory" of who inside (and outside) the organization has access to sensitive data and determine whether all of those accesses are absolutely necessary.

If, for example, an employee with limited need for proprietary data has unlimited access to it, your IT department should implement immediate restriction, or outright denial, of that individual's access.

As part of this process, companies should rigorously monitor systems and insiders to detect unauthorized activity involving confidential data. Specifics:

Step 2: Ensure that access privileges are systematically rescinded when employees leave the company, or when their responsibilities change (see http://www.issa.org/cgi/issaopnpg.php?page=journals/2006_June/J0606011.pdf).

Helpful: Obtain a list of current personnel from the human resources department and compare it to active system accounts, such as network accounts, remote access and local accounts on servers.

Stand-alone applications, including voice-mail, company directories, etc., should be regularly checked as well.

Step 3: Review physical security access logs. Pay particular attention to employee visits to the office after regular business hours and on the weekends. If suspicious activity is detected, cross-reference video surveillance feeds and system audit trails.
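The three audit steps above (inventory of who can reach sensitive data, reconciliation of HR's personnel list against active accounts, and review of after-hours badge entries cross-referenced with system audit trails) lend themselves to a repeatable script. The example below is an added illustration, not code from the article or from Rasmussen; every roster entry, account, badge swipe and audit event in it is constructed sample data, the role-to-resource entitlement table is an assumed baseline, and the 08:00 to 18:00 weekday business window is an assumption a real review would replace with its own.

```python
"""Quarterly access-review checks (added illustration; all data constructed)."""
from datetime import datetime, timedelta

# Constructed HR export: employee id -> role and employment status.
HR_ROSTER = {
    "e100": {"name": "A. Front Desk", "role": "front_desk", "status": "active"},
    "e101": {"name": "B. Finance", "role": "finance", "status": "active"},
    "e102": {"name": "C. Departed", "role": "finance", "status": "terminated"},
    "e103": {"name": "D. Sysadmin", "role": "it_admin", "status": "active"},
}

# Constructed account pull from each system (network, remote access, servers
# and stand-alone voicemail), with the sensitive resources each account reaches.
ACTIVE_ACCOUNTS = [
    {"system": "network", "user": "e100", "resources": {"reservations"}},
    {"system": "network", "user": "e101", "resources": {"cardholder_db", "payroll"}},
    {"system": "vpn", "user": "e102", "resources": set()},          # owner has left
    {"system": "fileserver", "user": "e100", "resources": {"payroll"}},  # front desk w/ payroll
    {"system": "voicemail", "user": "x900", "resources": set()},    # not on HR roster
    {"system": "network", "user": "e103", "resources": {"cardholder_db", "payroll", "reservations"}},
]

# Assumed baseline of what each role legitimately needs ("is this access necessary?").
ROLE_ENTITLEMENTS = {
    "front_desk": {"reservations"},
    "finance": {"cardholder_db", "payroll"},
    "it_admin": {"cardholder_db", "payroll", "reservations"},
}

# Constructed badge (door) log and system audit trail for the same week.
BADGE_LOG = [
    {"user": "e100", "door": "lobby", "time": datetime(2024, 5, 14, 9, 5)},    # Tue, in hours
    {"user": "e101", "door": "finance", "time": datetime(2024, 5, 18, 22, 40)},  # Sat night
    {"user": "e103", "door": "server_room", "time": datetime(2024, 5, 15, 23, 10)},  # Wed night
    {"user": "e100", "door": "lobby", "time": datetime(2024, 5, 16, 17, 30)},   # Thu, in hours
]
SYSTEM_AUDIT = [
    {"user": "e101", "time": datetime(2024, 5, 18, 22, 55), "event": "export cardholder_db to removable media"},
    {"user": "e103", "time": datetime(2024, 5, 15, 23, 20), "event": "scheduled patch run"},
    {"user": "e101", "time": datetime(2024, 5, 19, 10, 0), "event": "login"},  # outside window
]

BUSINESS_HOURS = (8, 18)  # assumed: 08:00-18:00, Monday to Friday


def excessive_access(roster, accounts, entitlements):
    """Step 1: accounts reaching sensitive resources their role does not require."""
    findings = []
    for acct in accounts:
        person = roster.get(acct["user"])
        allowed = entitlements.get(person["role"], set()) if person else set()
        extra = acct["resources"] - allowed
        if extra:
            findings.append((acct["system"], acct["user"], sorted(extra)))
    return findings


def orphaned_accounts(roster, accounts):
    """Step 2: active accounts with no active owner (departed, or never on the roster)."""
    return [
        (a["system"], a["user"],
         roster[a["user"]]["status"] if a["user"] in roster else "not_in_hr")
        for a in accounts
        if roster.get(a["user"], {}).get("status") != "active"
    ]


def after_hours_entries(badge_log, hours=BUSINESS_HOURS):
    """Step 3a: badge entries on weekends or outside the business window."""
    start, end = hours
    return [e for e in badge_log
            if e["time"].weekday() >= 5 or not (start <= e["time"].hour < end)]


def correlate_with_audit(entries, audit, window=timedelta(hours=2)):
    """Step 3b: for each flagged door event, gather the same person's system
    audit events within `window` after the swipe, so the reviewer sees what
    the after-hours visit was used for."""
    return [
        {"badge": e,
         "audit_events": [ev for ev in audit
                          if ev["user"] == e["user"]
                          and e["time"] <= ev["time"] <= e["time"] + window]}
        for e in entries
    ]


if __name__ == "__main__":
    print("Excess access:", excessive_access(HR_ROSTER, ACTIVE_ACCOUNTS, ROLE_ENTITLEMENTS))
    print("Orphaned accounts:", orphaned_accounts(HR_ROSTER, ACTIVE_ACCOUNTS))
    for item in correlate_with_audit(after_hours_entries(BADGE_LOG), SYSTEM_AUDIT):
        b = item["badge"]
        print(f"After hours: {b['user']} at {b['door']} {b['time']} ->",
              [ev["event"] for ev in item["audit_events"]])
```

On the constructed data the script flags the front-desk account holding payroll access on the file server, the VPN account of a terminated employee, a voicemail account HR has never heard of, and two after-hours entries, one of which coincides with an export of the cardholder database to removable media. The same four functions run unchanged against real exports, which is the point of Rasmussen's advice that these steps be repeated at least quarterly rather than performed once.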

Not a One-Shot Exercise

Rasmussen points out that too many organizations conduct these information security "audit steps" only once a year, or even less frequently.

The danger in this, he says, is that with employees constantly leaving and new ones being hired... access requirements shifting due to changing business priorities...and technological and regulatory standards constantly altering the procedural standards for optimizing information security, "one-shot" audits can turn out to be all but a waste of time.

To maximize data security, Rasmussen recommends conducting these steps at least quarterly. Ideally, information security activities should be conducted continuously, with much of the work being done by automated auditing software, in the same way that compliance experts recommend for financial auditing.

For practical guidance on continuous auditing, download a copy of the Institute of Internal Auditors' GTAG Continuous Auditing Guide at www.theiia.org

Focus on the Insider Threat

While the TJX breach has become the poster child for external attacks on confidential corporate data, information security experts agree that the threat of data theft by an organization's own personnel is at least equally serious.

Steven Branigan, a former police officer who now heads CyanLine LLC, a leading provider of computer forensics and network security services, aptly points out that "employees, ex-employees or contractors who were terminated, or didn't get the raise or promotion or contract they deserved often feel justified in exacting revenge on the 'unjust' organization. These hackers sometimes steal company trade secrets...confidential customer information, such as credit card numbers...or copyrighted material such as software, published content or other intellectual property."

Further insight into spotting potential insider info-thieves comes from Dr. Eric Cole, Chief Scientist for Lockheed Martin Information Technology. His research has found that most of these criminals share certain distinct behavioral and personality traits:

Reality: Most info-attackers are not high-tech whizzes. But they don't have to be. Many companies simply aren't geared up to detect or prevent insider information crimes, so low-tech employees who understand the organization's vulnerabilities can all too easily commit costly information crimes without much technical know-how.

For example, says Cole, "The easiest ways to steal, destroy or sabotage confidential information are by copying, E-mailing or deleting files from the server. Insider attackers need only a portable USB drive, a hotmail E-mail account or the E-mail address of a competitor to do serious criminal damage."

More likely: An internal information criminal is far more likely to be an employee with many years of service at the organization...who has worked in various jobs on his or her way up the hierarchy...and is viewed as a trusted, loyal team player.

The problem, says Cole, is that "Too often, these individuals become disgruntled or jaded at some point along the way. While they're not hardened criminals, or even bad people, they come to believe that they are 'owed' something by the organization and when the opportunity to steal or destroy valuable information in order to 'get back' at the organization comes along, they grab it."

Cole cautions, however, that if insider information crime is suspected, it is important not to let employees' job descriptions or appearance prejudice an investigation. "Analyze the facts of the case," urges Cole, "and never discount the possibility that the guilty party may be someone you least expect to break the law."

If necessary, he suggests, bring in outside investigators to assist with the probe. You want to avoid accusing the wrong individual of an information crime, not only because it can have legal repercussions and undermine employee morale, but also because doing so means that the real perpetrator is still at large. Once it is known that you're investigating the attack, he or she will either stop or become even stealthier, thereby reducing the company's chances of ever catching the real perpetrator.

To bolster the company's information security policy, incorporate detailed information about the financial and non-financial seriousness of crimes related to proprietary information. Company E-mails, formal training or other communications are among the many ways to raise awareness of the potential consequences of information crimes.

To catch these violators, the company must have in place confidential, anonymous hotlines and clear policies prohibiting retaliation against whistleblowers. These factors, says Cole, are all part of a corporate culture in which people share responsibility for safeguarding the company's information assets.

Such a culture not only consistently and emphatically communicates the company's policies governing confidential information security, but also calls for thorough training of all employees in the practices and procedures for maximum information security and encourages employees at all levels to ask questions, seek guidance and report security deficiencies wherever they find them.

Peter Goldmann is the Developer of FraudAware/Hospitality, the first on-line fraud awareness training course for hospitality managers, supervisors and line employees. He is the publisher of the monthly newsletters White-Collar Crime Fighter and Cyber-Crime Fighter. His company, White-Collar Crime 101 LLC, also is the developer of FraudAware/Hospitality, a customizable Web-based fraud awareness training course for managers, supervisors and line employees. He is a member of the Association of Certified Fraud Examiners and The International Association of Financial Crimes Investigators. Mr. Goldmann can be contacted at 203-431-7657 or pgoldmann@wccfighter.com.

HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.
