Hotel Online
News for the Hospitality Executive


What Color Is the Threat Level at Your Hotel?

The Likelihood of a Cyber Security Breach Is as Real As it Gets

By Terence Ronson, April 20, 2010 

What color is the threat level at your hotel? When an attack is highly likely, the U.S. Department of Homeland Security has various rankings, including 'Elevated' (Yellow), while the UK's MI5 could declare a 'Severe' warning on such an occasion.

With these real and perceived security threats, it should come as no surprise that the idea of building a virtual moat around the gazillion bits of data which flow into and out of your business at light speed is not as stupid and far-fetched as it may initially sound. The likelihood of a cyber security breach is as real as it gets.

In the 1983 hit movie War Games, the country, USA, was placed on DEFCON 4 (DEFense CONdition 4) when a pair of school kids unknowingly hacked into a National Defense Computer at NORAD, mistaking it for a toy company. The innocent error initiated launch sequences for missiles, which could have taken them and the rest of the world to the brink of World War III.

Of course, this is just a movie, and usually in this realm of fantasy there will be a hero who will, in the nick of time, step in and save civilization as we know it. But does this often happen in real life?

The Real World Threat Level Table

Department of Homeland Security - USA | MI5 - UK
Low = Green                           | Low - an attack is unlikely
Guarded = Blue                        | Moderate - an attack is possible, but not likely
Elevated = Yellow                     | Substantial - an attack is a strong possibility
High = Orange                         | Severe - an attack is highly likely
Severe = Red                          | Critical - an attack is expected imminently
(Current level highlighted as of MAR 22nd 2010)

The Real Threats

Unfortunately, in today's cyberworld, there are blackhats and villains lurking in the background, ready to hack and steal the 1's and 0's which contain not only the financial data from your transactions, but also the digital DNA of your customers.

You must have seen TV shows that depict heroines like Jennifer Garner of Alias or Jessica Alba from Dark Angel in tightly clad rubber suits abseiling down ropes from ceiling skylights, then clandestinely inserting a memory device into a suspected felon's computer to rip off a copy of desktop files. All this is done under extreme time pressure so as not to get caught by a roaming security guard. This type of technology would have made life so much easier for good guy Napoleon Solo [played by Robert Vaughn] in The Man from U.N.C.L.E. or Maxwell Smart, played by Don Adams, of Get Smart fame.

Examine the business from inside out

Internal security issues pose a real clear and present danger to you, your business and your customers. Security breaches may happen outside your real or virtual walls or down the Internet pipe. 

Yes, we are all aware of measures being undertaken to secure technological infrastructures, such as physically separating networks and the use of VPNs and firewalls. But we often forget the small things that matter so much. We go about our busy day overlooking lax security policies such as unguarded passwords, or many people sharing the same password because we are too lazy to implement individual logins, or we adopt systems that cannot handle multiple passwords.

Something we also take for granted is allowing the insertion into a property's network of everyday items: thumb drives, portable hard disks, smart phones and MP3 players. With the click of a mouse, these almost undetectable plug-and-play devices can suck up a database as fast as the chef can whip up a sabayon. Thanks to technology, it's so much easier today to export a sales database than to photocopy a dog-eared Rolodex or drawers and drawers of paper files. Don't worry about the physical size of these devices. A pocket-size 1TB (one terabyte) USB hard drive costing around US$200 [about the size of two packs of cigarettes] can handle more data than an average hotel will collect in its entire lifetime. How environmentally friendly and thoughtful is that?

But if you want to fixate on external threats, then remote access to your networks needs to be guarded by a row of Cyber Centurions. To cut costs and efficiently troubleshoot, establishments allow vendors to remotely support their systems, you know, the ones that power your business, like PMS, CRM, Sales and Catering, Point of Sale etc. But ask yourselves a question: Do you make these companies sign an NDA covering your data or anything else they or their staff may learn about your business in the course of performing their duties? Did I hear one person say "YES"?

They used to say that it took only three seconds for a new computer connected to the Internet to be confronted by a possible security threat. Hold that thought while you try and comprehend the fact that the latest range of Cisco Core routers [CRS-3] can transmit twenty-two terabits of data per second. That equates to the entire Library of Congress being transmitted in under four seconds. Blink and that 1TB drive is now chock-full-of-your-data.

Big Brother IS watching!

Google most likely knows more about you than you know about yourself - how sad is that? Amazon has an amazing profile of your buying trends and spending power. iTunes knows the music you like and can quite possibly accurately determine whether you obtained it legally or otherwise. And as for Skype, they "could be" archiving all your IMs and voice calls for some form of future data analysis.

This is apart from the eavesdropping some governments could be doing. 

Add to this SNS (Social Networking Sites) such as Facebook and MySpace, which tell all those interested the minutiae of your personal life, such as what type of eggs you had for breakfast, your dog's name, the names and birthdays of your kids, and oh yes, what they look like. Crosslink that information with what's available on LinkedIn and Plaxo, and your life has just become one big open eBook.

Then there is the case of off-site data backups. Do you allow copies of data to be kept at someone's house? If so, what security measures have been taken to ensure they are safely stored and not potentially falling into the wrong hands and copied?

Unrestricted access to cloud-based email systems like Gmail, Yahoo and Hotmail allows easy and virtually undetectable transfer of data. So do file transfer programs like YouSendIt and Dropbox.

And there are those who stealthily attach devices to your network for the sole purpose of stealing data. These include, but are not limited to, keystroke loggers, often found in public Internet computers. Then there are rogue wireless access points located on your network, which are the equivalent of granting an all-areas, unescorted backstage pass to anyone who hooks onto them.

Let us also not forget printed reports. How many of these are circulated as part of the Night Audit run, and then discarded as waste paper for recycling once the stats have been reviewed? These reports, with snapshots of the business, are then put back into the photocopier and printed on their backsides. Then both sides are circulated, and what was once confidential information is now released to all who care to read it. How does your shredding policy stack up to Enron's?

Innkeepers must act

Once upon a time, The Hotel Proprietors Act 1956 (UK) was displayed at the check-in counter or perhaps seen on the back of the guest room door, where the legal eagles used jargon to basically say that you as a hotelier are not responsible for the guest's valuables unless stored in the hotel safe, and then only up to an inconsequential financial ceiling. 

But what precautions do you have in place to protect the information and identity of your guests who store their private details in your data vaults [computer systems]? Sure, some of you may be bound by PCI Compliance, Sarbanes-Oxley and the Data Protection Act - but what about the small independents out there - are you just driven by your conscience and professionalism? Where are the lawyers when we need them? What have they done as far as public disclaimers are concerned to protect the business and the guest? Material items can be replaced, identities cannot.

A professional code of ethics goes only so far...actions speak far louder than words because the consequences of doing nothing would be enormous, or in this case, the stolen bite of our personal bits and bytes would really hurt. 

(c) MMX Y2K10
First appeared in Hotel Management Asia - Tech Newsletter

Terence Ronson

Also See: Is Your Hotel Prepared? Malicious Email Viruses Could Devastate Your Business / Terence Ronson / HOTEL Asia Pacific / March 2004
