Security & Safety

The Internet - Mistakes Companies Make In Computer/Internet Crime Prevention

By Peter Goldmann, President, FraudAware Hospitality

The report also shows that last year, brand Web sites were the source of 66% of the brands' centrally booked Internet reservations.

The resounding message, of course, is that Internet-based business is rapidly becoming the preferred method for booking reservations.

Importantly, this trend is only the latest in a series of transitions of hotel business operations to electronic protocols. Food and beverage transactions...automated check out and electronic room keys have been standard operating procedure for years.

The Security Challenge

Why is this important? Along with the wonderful employee productivity and financial payoffs of electronic operations has come an enormous new challenge for management: Cyber-crime.

Despite the whiz-bang capabilities of high-tech customer data storage, transaction archives, and networked computing, the opportunities for cyber-criminals to steal confidential data...manipulate financial numbers...and embezzle money are more plentiful than any hotel executive would really want to know.

Just reading the business news paints a sinister picture of corporate information security...

Know Your Risks

Think of these headlines, along with tens of thousands like them, as the cyber-security equivalent of the August 2001 memo to President Bush about the terrorist threat.

They are warning signs, urgent calls to action which, if ignored, can (and usually will) end in disaster. For most hotel/hospitality companies, the biggest risks include...

  • Loss of confidential guest records, including guest credit card numbers...driver's license numbers...addresses and other key information that can result in identity theft and fraud. One of the most damaging and costly crimes related to theft of customer data is what has come to be known as "cyber-extortion". A skilled outside hacker breaks into a hotel's computer system and purloins a few thousand (or more) guest records. Threatening to display stolen credit card numbers on the Internet, the criminal demands a hefty ransom in exchange for his promise to destroy the stolen files.

  • Loss of confidential employee information, such as health records, bank account information, background checks and other sensitive information that could result in identity fraud or, worse, blackmail or extortion.

  • Cyber-fraud. Skilled cyber-criminals, especially dishonest insiders with authorized computer access, can break into a hotel network and transfer funds to their own accounts... alter critical documents...even increase their salaries by manipulating computer payroll files.

  • Blocked access to computer networks and/or databases. This can result from a variety of malicious acts, such as sabotage by a disgruntled ex-employee, malicious hacker activity or just teenagers having "fun" at a home computer. These so-called Denial-of-Service (DoS) attacks can result in loss of business...lost employee productivity and costly clean-up operations.

  • Legal liability. When confidential guest data is lost and a guest becomes a victim of identity fraud, your company may find itself on the receiving end of a liability lawsuit. Courts have ruled that companies that neglect to take "reasonable" measures to protect customer information face potentially stiff financial penalties. Unfortunately for hotel company attorneys and security directors, the term "reasonable" is usually interpreted by the legal system in an unfavorable way.

  • Tarnished reputation. No hotel company wants a newspaper, magazine or Internet news service to run a headline like "Hackers Steal 50,000 Guest Credit Card Numbers from Your Hotel Company, Inc."

Avoiding Deadly Cyber-Security Mistakes

Instead of taking the usual route of explaining what to do to prevent the multitude of cyber-threats facing your company, let's see what we can learn from reviewing a list of what not to do when it comes to your company's computer security.

A fairly brilliant information security consultant named Kevin Beaver of Principle Logic, LLC came up with such a list. His "anti-advice" is a computer and Internet security survival guide for all but the smallest hospitality companies...

  • Pay no attention to, let alone bother to understand, which information you're trying to protect.

  • Leave your databases, especially those containing guest credit card or other confidential information, unencrypted. And be sure to store them on publicly accessible servers.

  • Neglect to "patch" your software or update your virus signatures... and never run system vulnerability assessments to detect newly discovered software and network flaws. After all, doing all that stuff is very costly and time-consuming.

  • When an employee quits or is let go, leave his or her network log-ins and E-mail accounts enabled. (You never know when he might want to check in to see what's happening on your system.)

  • Don't bother developing, much less implementing, security policies that spell out how every computer user in your organization must act to protect guests from information disasters...and your company from financial, operational and legal crises.

  • If you do have a security policy, development of which involved a fair amount of time and money, don't worry if people in the organization neglect to refer to it, enforce it, update it, or do what it says.

  • Completely outsource your information security initiatives. There's no need for busy IT people inside your company to worry about such matters.

  • Apply the principle of greatest privilege. Give all employees and vendors the greatest amount of access to your information systems.

  • Rely solely on technology to secure your systems and data. Firewalls, encryption and antivirus software are really all you need. How people use your systems shouldn't matter if you've got what you believe to be state-of-the-art security technology.

  • Run your business without disaster recovery and business continuity plans. The chances of something really bad happening are pretty slim.

  • Don't bother monitoring your systems. They'll be fine running by themselves, and if there is an incident that compromises the integrity or availability of your information, you'll be notified automatically anyway.

  • Don't back up your data, but if you must, don't bother testing your backups. Also, leave your backup media on-site, preferably sitting on top of an uninterruptible power supply.

  • Leave your operating systems and software applications with the default settings. System "hardening" (eliminating built-in features and capabilities that, while useful to IT people, also create opportunities for hackers) doesn't sound very important.

  • Respond to hacker attacks, viruses and other intrusions as they happen. There's no need to preemptively gird your system to prevent attacks.

  • Avoid subscribing to security bulletins and mailing lists...or reading information security trade publications.

  • Leave your servers and network equipment in a room to which everyone, including outsiders off the street, has access.

  • Put off training employees to understand and comply with your security policies and to know which red flags of cyber-crime to look out for...such as unsolicited E-mail attachments, common hacker activities and unusual computer system functioning.

  • Always use passwords that consist of your pet's name, your name, your mom's maiden name, or your birthday. That way, you won't forget them.

  • Don't, under any circumstances, get top management involved in information security matters. They're business-focused and shouldn't be bothered or even care about technology or the liabilities associated with threats to information security.

All Kidding Aside

While Kevin's hard-hitting warning list may sound humorous, each item on it is dead serious.

The lesson: To minimize the chances that your guests, employees, vendors and shareholders will "take a hit" due to some overlooked computer vulnerability, you must assess your company's current status with regard to each and every one of these security issues...and develop effective review procedures to ensure that you don't end up making any of the mistakes on Kevin's list.

This requires financing and deploying all the resources necessary, including, if necessary, a full-time information security officer...outside consultants...and vital technology software defenses.

The All-Important Computer Security Policy

Any qualified computer security expert (including Kevin) would tell you that if your company lacks a clear and enforceable computer/Internet security policy, it is at serious risk of being stung by hackers or internal cyber-criminals.

But how do you even begin to outline such a policy? The good news is that it's not that hard. A few pointers...

  • Assemble a policy team. Because cyber-risks are so varied, your legal experts can't draft a workable computer security policy alone. A team consisting of IT, HR, legal, frontline, and senior management members is essential to uncover all areas of potential digital misconduct.

    It is usually best to start with a general, "umbrella" policy that sets out clearly defined rules for acceptable use of all electronic communications functions. Then, train employees, monitor adherence to the policy, and give employees a few months to get used to the new, clearly defined rules. As the policy is used and enforced, the changes you'll need to make, as well as the additional policies you'll need to write, will become apparent.

  • Conduct a basic "Who, What, Where, When, How, and Why" audit of your company's information systems and monitoring program (if you have one). The purpose of this exercise is to determine how and to whom suspected violations should be reported and what the consequences of violating the policy are. Nothing long or involved, just a one-to-two page document covering your general information systems security policy, telling employees how they're expected to use (and avoid abusing) the company's technology tools, how to protect their computers from outside attacks, and what will happen if they don't comply.

Policy Nuts & Bolts

The first rule of creating an effective computer security policy is to be clear while avoiding a tone of "command and control." Avoid damaging morale by treating workers as adults who want to understand, and do, "the right thing".

Instead of adopting a policy of "Absolutely no personal use of Internet or E-mail," allow acceptable non-business use of systems, giving a partial list of what's acceptable, what's not and, if appropriate, why.

Examples of acceptable activities: on-line banking at lunch time, E-mailing your spouse, checking your child's school Web site for an early dismissal notice, checking national news.

Examples of unacceptable activities: using the organization's E-mail address for general correspondence (E-mail is like virtual letterhead)...visiting pornographic Web sites and downloading pornography. (Mixing pornography with business creates a hostile work environment, exposing the company to civil rights lawsuits. Also, it is illegal to possess child pornography on an individual employee's computer hard drive or on the organization's servers.)

Once you've fine-tuned your policy, tell employees how it will be enforced. Will you do it through corporate monitoring of E-mail traffic? Tracking Internet activity? Phone records?

While the law is on your side if you want to tell employees that they should expect no right of privacy while using the company's computers, telephones, PDAs, faxes and cell phones, security and management experts are divided on the effectiveness of this approach. Some say it's a strong deterrent while others argue that it's "Big Brother-ish." Let your corporate culture dictate which option works best.

A variation on this theme is to inform employees that you, as the employer, have and will execute your right to monitor employee use of corporate E-mail, Internet, telephones, etc. Explain that your goal isn't to "snoop" and frivolously invade their privacy. Instead, it's to protect them, the workplace and the company.

No Train, No Gain

Train employees in the basic information security do's and don'ts (such as never open E-mail attachments you're not expecting, beware of games that pop up on your computer screen, etc.). Then train them in the specifics of your new computer/Internet usage policy. Next, quiz them on what they've learned. You can even reward them for serving as cyber-sleuths.

The important thing to remember is that technology doesn't have to be scary. While only dedicated high-tech whizzes can know and apply the intricacies of high-tech security in the corporate world, managers need only know the essentials of what makes for a sound information security infrastructure. Ask the right questions, consult the right experts, make informed technology purchasing decisions and, most importantly, stay involved.

Peter Goldmann is the Developer of FraudAware/Hospitality, the first on-line fraud awareness training course for hospitality managers, supervisors and line employees. He is the publisher of the monthly newsletters, White-Collar Crime Fighter and Cyber-Crime Fighter. His company, White-Collar Crime 101 LLC, also is the developer of FraudAware/Hospitality, a customizable Web-based fraud awareness training course for managers, supervisors and line employees. He is a member of the Association of Certified Fraud Examiners and The International Association of Financial Crimes Investigators. Mr. Goldmann can be contacted at 203-431-7657 or pgoldmann@wccfighter.com

HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.
