Going on a vacation? How safe do you think your information is at the resort you just booked? I was reading a recent data breach report that said hotel and restaurant Point of Sale (POS) systems are the number one target of criminal data breaches. The risk facing the hospitality industry with respect to personal information is not only due to the volume of information. It’s also due to the attractiveness of that information to cybercriminals.
From POS systems and ATM and Interac machines to guest paperwork, you’re providing plenty of sensitive information to hotels, restaurants and bars.
Let’s start by looking at the information assets that a typical hotel possesses:
- Customer information, including bookings, names, addresses and credit card details stored in Front of House (FOH) systems
- Stock and transaction information stored in food & beverage systems
- Key card data
- A multitude of sensitive emails, spreadsheets and other documents
Anyone who travels is familiar with rewards cards and points, as well as the front-desk phrase: “Should we charge your bill to the credit card we have on file?” But is that information being protected as well as it should be? Even though information security is not the primary service provided by hotels, it is expected that the information collected from travelers will be properly handled and secured.
Information security exposure points are well known in the hospitality industry. In these trying economic times, the risk associated with these exposure points is increasing. That’s why it’s time to end the “it won’t happen to us” syndrome and move information security up the priority list. Below are some steps that can help mitigate risks posed by common points of exposure in the hospitality industry:
- Focus on Information Security: As the economy has fundamentally undergone a meltdown, it is important to focus on securing information and assets as an organization while maintaining a secure infrastructure that enables business operations. Introduce a security policy that all staff are aware of and fully understand.
- Adopt a Risk-Based Security Program: Incorporate a risk-based approach to security, especially during times when you have to make spending decisions on security. It is always better to take a proactive approach to security than a reactive one and only through a strong risk management program can these decisions be made effectively.
- Focus on Security Awareness: Take steps to propagate your organization’s security strategy beyond your IT department. No better investment can be made to protect against insider threats and targeted attacks against employees, both of which rise during economic downturns. Ensure that the policies and procedures related to your information security program are being followed and are working.
- Think About Intellectual Property (IP) Protection: The purpose of IP is to protect investment in the branding, design, technology and creative works that give one supplier an edge over its competitors. Your IP is your business; protect it as such.
- Think of Security as a Business Enabler: Process re-engineering and optimization projects can find efficiencies in information systems processes that can be turned into cost savings. Consider outsourcing non-core competencies to a managed security services provider, and focus internal resources on tactical and strategic activities rather than managing technology.
- Conduct Compliance Assessments Regularly: Perform health checks on your security posture and ensure that you remain compliant with regulations regardless of the economic climate. The ultimate goal of compliance is to be secure – and not just on paper. For every compliance dollar spent, a corresponding measure of risk should be reduced. Otherwise, your compliance dollars are not being effectively spent, and may even be wasted. Risk reduction should drive compliance, not the other way around.