Over the past year, I have read about multiple security breaches encountered by celebrities and business travelers at hotels and resorts around the globe. I have seen the research and assessments that try to gauge the hospitality industry's security posture. Most of the reports tend to label the industry as one of the worst with regard to information security. However, it's time to place accountability where it needs to be: with each of us.
To better understand the security issues in the hospitality industry, we need to examine two distinct parts: the hotel network that processes payments, stores personal information about guests and conducts routine services as a part of everyday business, and the Internet connectivity offered as an amenity to guests.
Hotel networks typically are made up of many different proprietary systems in order to offer services and track expenses for each guest. These systems also provide service continuity throughout different departments or areas of the hotel or resort. The goal is to provide an easy, natural flow of identification and responsiveness to the guest needs as they use different areas within the establishment. The greater the speed in identification and awareness of personal preferences associated with the guest, the more personal the experience will be; we can all remember the places we have stayed where we felt recognized. These are the systems that hotels or resorts are responsible for securing.
The Internet services hotels offer their guests as an amenity is similar to their offer of an indoor heated swimming pool: It is available to guests and there are certain rules that should be followed to enjoy it safely. But just as the hotel or resort should not be held accountable if someone decides to do a triple gainer in the shallow end, they shouldn't be held responsible if a guest logs onto his company's webmail without SSL on the hotel's Internet service. It is our responsibility as guests to protect our assets and our data while using it. Hotels and resorts are not in the business of being technology people, lifeguards or the police. They provide amenities and it's up to us to use them with common sense.
If we bring a laptop with us to a hotel or resort, we are responsible for making sure it is secure before it is on the network. If we use the business office computer at their location, we need to make sure that we clean up after we are done. This can involve not forgetting disks and flash drives, and cleaning out the private data in the browser. If we connect wirelessly, we need to make sure that our sensitive communications are using strong encryption. The hotel provides the service just like your home Internet service provider; normally, the security provided with the service is set to a bare minimum and always requires you to add security controls to protect your data. It's up to each of us to have updated patches, antivirus, a firewall, intrusion prevention, secure communication and to turn off services that would provide access to files and service on our equipment.
There is no excuse or reason to rely on a service provider to protect us. To do so can cause a great deal of problems later and could impact your work or home upon returning.
Now if a hotel business network utilizes the same network that guests use, there is cause for concern. Not only would that violate general best practices in information security, but it would also violate PCI regulations and potentially impact Sarbanes-Oxley compliance in public companies. In many businesses across the hospitality industry, guest Internet services are available on the guest network only, which is completely isolated from the hotel business system. Unfortunately, today there is no way to ensure this separation exists. This is a great opportunity for the industry to offer assurance by adopting an industry label, disclaimer or certification that the systems are isolated.
In short, if the hotel guest network--or the swimming pool for that matter--is wide open with no protective services and is something you need to use, make sure that you have done everything in your power to protect yourself. Please do not leave common sense at home.
Rick Lawhorn, CISSP, CISA, CHP, CHSS, has more than 19 years of experience in information technology, including extensive security, compliance, and privacy work. He served as the CISO for two Fortune 100 companies and in IT leadership and security roles within multiple law firms and the National White Collar Crime Center. Send comments on this column to [email protected].