The Importance of Information Security in Hospitality

March 2003

Many businesses believe that the risk of being targeted by hackers is slim and that sensitive business information is reasonably safe and secure. Under this mistaken assumption, Information Security is often seen as a low priority, especially in the hospitality industry today, where budgets are tight and IT departments are stretched or outsourced.

The reality is a scary story. A survey for the DTI in 2002 reported that nearly half of UK businesses suffered at least one malicious security breach in 2001, double the previous year and growing exponentially. With this level of incidents, it is a matter of when your organisation will be attacked, not if.

Threats come in many different forms: external hackers looking to set up illegal servers, steal information or simply be destructive; employees looking for sensitive information or trying to embezzle funds undetected; viruses or worms (such as the recent "slammer" worm) that slow or compromise systems; trojans placed on computers to record keystrokes, intercept emails or even allow full remote control...and the list goes on.

Even if you should escape the worst scenarios, chances are that your business will be adversely affected by low level attacks that compromise the smooth running of your systems.

To make matters worse, the number of possible entry points keeps growing as we integrate our systems to improve efficiency and become part of the interconnected community. Modems, leased lines, ISDN, broadband and wireless all provide a way-in, not to mention direct access via any machine attached to your distributed network.

"But," you might say, "we have a firewall and anti-virus software. We're protected, aren't we?" The answer is quite simply "No". It's a bit like fitting a cheap steering wheel lock to an expensive car - it will give you a feeling of security and deter the opportunist, but is no obstacle to the determined attacker. A recent survey reported that the biggest challenge to IT security was the speed of change and the increasing sophistication of threats. A firewall not only needs to be continually managed, but must also be considered as part of an overall information security strategy. Similarly, anti-virus software is always one step behind the latest threat, and neither it nor a firewall will protect you from all methods of attack.

OK, so the threat is real and you probably aren't protected as well as you thought. What are the potential consequences to your business should a security breach occur?

Let's start by looking at the information assets that a typical hotel possesses:

- All the financial information stored in your accounts system
- Customer information including bookings, names, addresses and credit card details stored in your Front Of House systems
- Stock and transaction information stored in your Food & Beverage systems
- Key card data
- A multitude of sensitive emails, spreadsheets and other documents

Imagine the disruption to your business should any of this information be destroyed or altered maliciously - especially if this is not picked up until some time later. Low occupancy rates, overbooking, under/over ordering of supplies, under/over staffing provision, under/over billing, incorrect management reporting, and so on. Now factor in the damage to your organisation's reputation should your customers become victims of fraud via information provided to you, or worse still, thieves gain access to rooms via your key card system.

So, what can you do? As with everything, there are a range of options available that increase in complexity and price:

- Firstly, you need to move Information Security up the agenda - introducing a security policy that all staff are aware of and fully understand.

- Next, a penetration test can determine any external vulnerabilities to your organisation, and identify what needs to be done about them. These are readily available from network security companies.

- A network audit on your systems can identify any internal vulnerabilities and weak security practices. These may include password policies, firewall configurations, anti-virus measures, and uncover networks with insecure connections.

- A risk assessment will identify business critical information assets, and how vulnerable they are to various threats. A plan to mitigate the unacceptable risks can then be formulated, and this often highlights areas for cost saving, such as replacing costly leased line or ISDN connections with virtual private networks running over broadband connections.

- Your security assets, which may include firewalls, virtual private networks and intrusion detection systems, can be managed and monitored 24/7 by a security consultancy, which is both cost effective and frees your IT resources to concentrate on customer issues. It is increasingly difficult for generalist IT resources to keep abreast of all the security issues and monitor for threats full time.

Security should be seen as an asset, not an expense. It does not just help prevent loss of earnings or reputation, but can also help reduce immediate costs.

The external and internal threats are real and increasing both in frequency and sophistication. On-going information security management is imperative in order to protect your organisation's continued success.

Bil Bragg
Senior Consultant
Dionach