The hospitality sector has long been a top target for computer hackers. Hotels and restaurant chains are targets because they store large amounts of sensitive customer details, including personal credit card data and loyalty programme information.
Experts say that most of the security breaches in the hotel industry are the result of a failure to equip, or to properly store or transmit, this kind of data. The problem starts with the point-of-sale credit card swiping systems and continues on to the back-office systems.
Any security breach in the hospitality industry not only has a financial impact but can equally damage brand reputation.
According to one security expert who has monitored the situation, “the food and beverage, retail and hospitality industries accounted for about 85% of data breach investigations. In these industries, the primary target was payment card data.
While such businesses typically represented a smaller reward for attackers in comparison to large banks or payment processors, they continue to be a target due to well-known payment system vulnerabilities and poor security practices on behalf of those responsible for the upkeep of these systems. Organised crime groups in particular continued to focus on these industries.”
Trustwave found that “more than one-third of breached entities in food and beverage, retail, and hospitality represented franchised businesses.
Standardisation of computer systems among the franchise models is common and, in the event a security deficiency exists within a specific system, deficiencies will be duplicated among the entire franchise base.”
Over the years cyber criminals have taken full advantage of this vulnerability, targeting specific hospitality businesses and exploiting common points of failure across the sector.
Getting started
An Information Security Assessment service offers all that is needed for the peace of mind of a hotel’s management and its guests. It provides a high level of information security assessment of the organisation’s assets, technology estate and operational processes. Provided by certified auditors, this appraisal starts with an on-site information-gathering exercise, followed by detailed analysis, risk assessment and a formal summary of the findings and recommendations.
Hoteliers and restaurant chains need to feel that the security measures they have in place are adequate, while keeping the cost of enforcing IT security under control and commensurate with the benefits. IT security spending has been growing at around 20% per year over the last decade, outstripping total IT spending and general corporate budgets.
This does not mean that IT security spending is too high, or that it is running at a level that is unsustainable, but its growth has to be managed. The total budget should be determined by the benefit that the spending brings to the enterprise. There are many factors that have driven spending up to current levels, with the list being headed by external compliance requirements, like PCI credit card security; the increasing threat level on the internet; and the evolution of corporations as they embrace more automated processes, more flexible working practices and more online services.
Of course, most hospitality businesses only have a limited amount of money and resources available to allocate to IT security. Therefore, the adoption of managed security services is one way for hotels to stay protected from the latest security threats without having to spend ever-increasing amounts on protection.
For a regular fixed monthly payment, the business can rest assured that any potential threats are kept in check using managed cloud-based security services. These offer a number of benefits, such as economies of scale, concentrated pools of expertise, and a wider view of the external threat landscape. Industry analysts advise that hospitality organisations should assess the option of acquiring security services in this way.
About the Author:
Jatin Sahni is vice president of large enterprise and solutions marketing for Du. See the November issue for the second instalment of his comment, which will detail how to implement managed security services.