Securing the Network: Six Steps to Success for Hotels and Restaurants
Improving data security must remain a priority for hotel and restaurant operators alike. Consider the statistics: According to the Trustwave (www.trustwave.com) 2017 Global Security Report, corporate and internal networks were the most frequently breached technology environments last year, accounting for 43% of incidents investigated by the company and representing a 3% increase over 2015. Incidents involving breaches of POS systems in restaurants and hotels (as well as retail establishments) increased to 31% in 2016, up from 22% in 2015.
Moreover, the report indicates, 20% of data compromise incidents reviewed by Trustwave occurred in the food and beverage sector; only the retail segment saw more of these incidents, at 22%. Thirteen percent of these incidents occurred in the hospitality (lodging) segment, compared to a mere 5% in the financial sector.
Restaurants and hotels are going to have other priorities such as guest engagement, but the importance of network security can’t be ignored, especially with digital initiatives becoming so prevalent while perpetrators become increasingly sophisticated, asserts Ted Harrington, executive partner at security research and consulting firm Independent Security Evaluators (www.securityevaluators.com).
But Harrington and other sources note that network security cannot be approached in a haphazard fashion. Operators must conduct a careful needs assessment and thoughtfully plan out technology configurations. What’s more, hotel and restaurant owners must pay strict attention to a wide variety of factors, from proper vendor selection and employee training to the creation of policies and procedures intended to promote network security going forward. In this roadmap, HT offers a blueprint for securing the network, in a logical, step-by-step fashion that should minimize roadblocks and set operators on a path to success.
1. Look for high-risk areas and vulnerabilities
Securing the network starts with an exhaustive search for weak points that involves:
- Identifying which network endpoints carry the greatest risk. Legacy systems top the list because their lack of security infrastructure makes them easy to breach. Point of sale systems, too, belong on the roster given that “less visible POS system attacks are common and are an everyday issue in the hospitality industry as a whole” based on the financial gain to be made by perpetrators by accessing cardholder data, says Joe Stuntz, vice president, cybersecurity at One World Identity (www.oneworldidentity.com), an independent technology strategy and research firm.
In assessing vulnerabilities, don’t forget to look closely at Internet of Things (IoT) devices that connect to and are controlled through the Internet. For hotels, these devices are typically intended to enhance the guest experience, bolster operating efficiencies, and cut costs — think “smart” thermostats, lighting, and draperies, electronic door locks, security cameras, and entertainment systems. Some restaurant operators, meanwhile, are choosing IoT platforms to more easily monitor and control such equipment as refrigerators and freezers. A significant portion of the embedded firmware that runs on IoT devices is not secured, opening doors to greater-than-normal risks by leaving properties’ critical data highly vulnerable to cyber attacks.
- Moving beyond penetration testing. Some operations limit their assessment activities to a penetration test, which determines only whether a network can or cannot be breached. However, a vulnerability assessment is a better option, Harrington says. Unlike a penetration test, he explains, a vulnerability assessment reveals not only whether the network (or system) being evaluated can be breached, but also all the ways in which this can happen. It takes into account assets, threats, workflows, whole system configuration, internal defenses, and future development of the network infrastructure (or application).
Harrington adds that “the threats addressed in a penetration test go beyond the random ‘drive-by’ adversary to consider targeted attacks, insider threats, advanced persistent threats, and the accidental — and maybe inevitable — security breach.” Moreover, a penetration test frequently relies heavily on automated tools, leverages known vulnerabilities alone, and identifies only low-hanging vulnerability fruit. While a vulnerability assessment also involves the use of automated tools, it also brings to light all potential vulnerabilities rather than only those that can be found via automation.
- Consider a third-party assessor. Frequently, a third-party assessor can ferret out vulnerabilities and identify areas of risk operators may not catch because they are hidden or obscure. One example: old security protocols like SSL 2.0 and TLS 1.0, which if not addressed might create opportunities for perpetrators to eavesdrop on the network. Some managed service providers, including Beyond Security (www.beyondsecurity.com), include vulnerability assessments in their roster of services.
2. Set a budget and clarify expectations.
Under this umbrella:
- Look at the cost equation. Unsurprisingly, the cost of securing a hotel or restaurant network will vary based on such factors as the size of the operation (number of units) and scope of the upgrade needed, Harrington observes. However, any reluctance to shore up the network based on cost concerns is easily tempered by comparing the price of recovery from a data breach to the price of establishing and maintaining a secure network. The 2017 Cost of a Data Breach study sponsored by IBM Security (https://www.ibm.com/security) and conducted by the Ponemon Institute (www.ponemon.org), pegs the average worldwide cost of data breaches that occurred in 2017 at $3.62 million. The cost of each lost or stolen record was $141. Network security technology bears a lower price tag.
It’s worth considering the price—though unquantifiable—that hotel and restaurant operators may pay when worries about network and related security prevent them from undertaking major digital business initiatives (such as adding online ordering and booking acceptance capabilities). According to recent research by Cisco (www.cisco.com), 71% of executives believe security concerns can place an obstacle in the path of digitization. Of these survey participants, 69% expressed a reluctance to innovate without proper security and 41% of individuals queried said a lack of the proper security can halt mission-critical initiatives.
- Understand the difference between achieving compliance with security standards and achieving network security itself — and why compliance isn’t enough. Security standards, including network security requirements contained in the Payment Card Industry Data Security Standard (PCI DSS), are generally static. Thus, for organizations, being compliant means conforming to policies or standards provided at a given time. However, security requirements, network security requirements among them, evolve with the emergence of new threats. Hoteliers and restaurateurs must expand their security technology toolboxes beyond compliance to address these requirements and threats.
Additionally, sources note that while many security standards mandate the deployment of specific tools — again, including network security tools — they do not specify how these tools should be configured and how they should interact with other tools or systems in a specific operation’s IT environment. Consequently, compliance can, in many cases, serve as a starting point for network security technology upgrades — but only as a starting point. It should be considered a piece of the network security “pie,” rather than the “pie” itself.
3. Assess partners.
Look for vendors, integrators, and managed service providers that:
- Demonstrate an understanding specific to security pain points. Different operators may have different pain points and concerns when it comes to network security, depending on the technology they have in place, the technology they plan to implement (e.g., more IoT devices), and other factors. Steer clear of vendors and managed service providers that try to “shoehorn” technology and services into a configuration regardless of prospects’ individual needs. Instead, look for vendors that are willing to work with their clients to set up a security program designed specifically for that operator's problem. SageNet (www.sagenet.com), for example, will first try to understand the threats to an organization, compliance requirements an organization faces and the current controls in place to protect sensitive information and systems. SageNet starts these engagements with a program assessment based on industry standards and compliance requirements specifically tailored to that organization.
- Have set, organized procedures for handling updates and issuing patches. These cannot be left to chance.
- Willingly discuss, in detail and prior to formalizing a contract for network security product sales or services, their responsibilities in terms of handling critical areas. Such areas include training, troubleshooting, dealing with anomalies, and potentially helping to quash detected threats before they become full-blown attacks on the network.
4. Design and deploy.
On the design front:
- Identify business goals and determine how network security will support them. Digital is a key component of growth for restaurant and hotel operators alike, according to Cisco. Hence, understanding the business strategy is just as important for the IT team as understanding the IT and network security strategy.
- Consider technology options. Sources agree that an end-to-end approach to network security, from POS terminals, IoT devices, and all other applications all the way through the data center is a must in an age of malware and directed attacks. This means implementing not only firewalls, but also intrusion prevention, advanced traffic filtering, network posturing, and monitoring solutions along with user authentication technology. Some providers, such as AT&T (www.business.att.com) and Cisco, offer suites of integrated network solutions that are designed to work in tandem with each other. Proponents of these solutions claim the integration allows them to promote more airtight security across the enterprise.
Other vendors take a more solution-specific stance. ShoCard (www.shocard.com), which has an enterprise identity authentication solution in its toolbox, ranks among them. So, too, does Revel Systems (www.revelsystems.com), which offers pre-configured networking hardware.
- Insist on containerization/sandboxing. Separating guest networks from corporate networks of any type via containerization/sandboxing isn’t a must only because it reduces the potential for compromising the latter. It is also imperative because at one time or another, guests will arrive at hotels or restaurants with mobile phones, laptop computers, or other devices that are, unbeknownst to them, already infected with malware or the like. If they connect these devices to a corporate network, that network can become an easy target for hackers. Moreover, when network configuration calls for separating guest networks from corporate networks, operators remain sufficiently nimble to innovate without compromising network security—or the security of guests’ data and devices.
Under a containerization umbrella, several virtual isolated network environments exist on one converged network. Connected devices with a common function and individual cadre of users are provisioned into virtual IoT “containers” (i.e., “containerized”), and users can only see and interact with other users in the same “container” or “sandbox.” For instance, hotel or restaurant guests can only interact or play in the guest network “container,” connecting to guest Wi-Fi. They cannot see or interact with devices that are part of the corporate network, or the IP cameras and alarm systems in the security team’s “container.”
Some hotels take the network “separation” idea one step further by creating personal area networks (PANs) for guest rooms. PANs enable guests to interact with in-room technology like smart TVs, as well as with IoT devices like thermostats and intelligent room assistants. However, the interaction stops in individual rooms to shore up security; guests cannot, for example, harness the network to connect to the smart TV in the next room.
On the implementation side:
- Take precautions. This starts with changing default passwords to regulate network access. Trustwave (www.trustwave.com) advocates creating passwords that combine symbols with numbers and upper- and lower-case letters, but also exceed 26 characters in length. Some sources recommend strong authentication that transcends “better” passwords and involves the use of a token-based system to generate temporary keys that operators can distribute to employees and guests to access the appropriate network.
An equally important precaution: restricting access to networks. Harrington counsels hotel and restaurant operators to create policies that grant or deny access to individual devices and networks based on time of day, location, and roles/responsibilities. Network access management software can help here, he adds.
- Break the implementation into stages. A gradual rollout will leave much-needed leeway for testing and adjustments to network security configurations and solutions. It will also make the training process described in Step #5 much easier for employees because they will not be overwhelmed with too much information at one time.
5. Execute employee training.
When it comes to network security, training employees entails:
- Documenting all policies and procedures. This includes everything from basic, common-sense rules (like no sharing of passwords) to best practices (such as never using the guest network for business purposes and keeping an eye out for suspicious or potentially breach-inducing activities, e.g., a guest attempting to connect a personal device into the corporate network). Employees should be required to confirm in writing that they have read the “policies and procedures” document and understand their security-related responsibilities and obligations.
- Choosing the right trainer. “While security people and security trainers are passionate and have a lot of expertise, the message may be better coming from someone else on the business side,” Stuntz states. This, he asserts, removes some of the fear inherent in discussions about network security. Additionally, it encourages active participation in the training process, in turn making that process more effective.
- Focusing on business benefits. Operators must assume that employees are not interested in becoming network security experts and prefer to focus on fulfilling their job responsibilities. Given this, incorporate in training content how improvements in network security can reduce fraud, save time that would otherwise be devoted to breach response, and otherwise make it easier for staff to go about their work.
Similarly, the more operators focus on rewarding employees for compliance with network security procedures, the better because it paves the way for easier buy-in to policies, Harrington and other sources say. Conversely, shaming staff for “doing the wrong thing” (e.g., failing to follow set procedures) engenders fear and impedes cooperation with mandates intended to foster network security.
6. Prioritize ongoing maintenance and monitoring.
No matter how thorough the initial risk and vulnerability assessments described in Step #1, network security requirements will change as new threats surface and new applications and endpoints are added to restaurant and hotel systems. For this reason, continued attention to maintenance and monitoring is imperative and must entail:
- Comprehensive patch management. Operators should remain abreast of patch release dates and be proactive about requesting them from vendors should they not be received in a timely fashion.
- Periodic router updates. There is strong potential for eavesdropping on the network if routers are not updated to patch security flaws.
- Spot-checking all systems and networks. Look carefully for anomalies, such as IoT devices talking to each other when this should not be the case, access to networks by unauthorized parties (e.g., a guest has somehow accessed the corporate network, even if inadvertently), and the movement of data across or into a given network when it should not be there. Scrutinize event logs for anomalies and instances in which event logs were cleared; the latter may signal unauthorized infiltration of the network.
- Ongoing risk and vulnerability assessments. Such assessments should be carried out yearly at minimum; quarterly assessments are ideal, sources say.
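The containerization rule from Step 4 and the spot-checks above, turned into a small detection routine as an added example (not code from the article or from any vendor it names): constructed firewall and audit log lines are checked against an assumed container policy, flagging guest-to-corporate traffic, IoT devices talking to each other, and cleared event logs. The subnet plan, the permitted-flow table and the log format are all assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Hypothetical addressing plan (one subnet per "container"), policy table and
# log format are all assumptions made for this example, not from the article.
SEGMENTS = {
    "guest": ipaddress.ip_network("10.10.0.0/16"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "iot": ipaddress.ip_network("10.30.0.0/16"),       # thermostats, locks, coolers
    "security": ipaddress.ip_network("10.40.0.0/16"),  # IP cameras, alarm panels
}
# Permitted cross-container flows; same-container traffic is fine except IoT-to-IoT.
ALLOWED = {("guest", "internet"), ("corporate", "internet"),
           ("corporate", "iot"), ("corporate", "security")}
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+)")

def segment_of(ip: str) -> str:
    """Map an address to its container; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"

def classify_flow(src: str, dst: str) -> Optional[str]:
    """Return a reason if the flow violates the segmentation policy, else None."""
    s, d = segment_of(src), segment_of(dst)
    if s == "iot" and d == "iot":
        return "iot device talking to another iot device"
    if s == d or (s, d) in ALLOWED:
        return None
    return f"unexpected {s} -> {d} traffic"

def scan_logs(lines: List[str]) -> List[Tuple[str, str]]:
    """Spot-check firewall and audit lines; return (line, reason) findings."""
    findings = []
    for line in lines:
        if "audit log cleared" in line.lower():  # wiped logs can hide a break-in
            findings.append((line, "event log cleared"))
        elif (m := FLOW_RE.search(line)):
            reason = classify_flow(m.group(1), m.group(2))
            if reason:
                findings.append((line, reason))
    return findings

# Constructed sample: a guest device reaching a corporate file share, two IoT
# devices talking directly, and a POS host whose audit log was wiped.
SAMPLE_LOG = """\
fw allow src=10.10.4.7 dst=203.0.113.10 dport=443
fw allow src=10.10.4.7 dst=10.20.1.50 dport=445
fw allow src=10.30.2.11 dst=10.30.2.12 dport=80
fw allow src=10.20.1.50 dst=10.40.0.5 dport=554
audit host=pos-01 msg="Audit log cleared by user=admin"
""".splitlines()
```

Running `scan_logs(SAMPLE_LOG)` yields three findings; the guest-to-Internet and corporate-to-camera flows pass because the policy expects them.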
Hackers and other perpetrators doubtless will continue to seek out and find new means of compromising hotel and restaurant networks for financial gain (and perhaps, other nefarious purposes). At the same time, operators themselves will be compelled to leverage their networks to connect a wide variety of applications and technologies intended to engage guests, improve operating efficiencies, and of course, sharpen their competitive edge. Those that take a proactive, methodical approach to securing the network — and keeping it secure — as part of their overall technology strategy stand to gain the most despite any threats they encounter along the way.