Is Your Business Center Computer an Incident Waiting to Happen?
Did you see the DA’s closing argument on your hotel’s… business center computer?
I did. Perhaps not on your company’s business center computer, but quite recently I encountered such a document on a hotel’s business center computer. Beyond this document it appears that an individual from the hotel’s parent company used the computer as well. Someone had connected to their OneDrive account and left everything that OneDrive was synching on the business center computer.
Guests frequently leave Word documents, spreadsheets, PDFs, and pictures in common places such as the desktop and library folders like “My Documents,” “My Pictures,” and “My Downloads.” A case can be made that if a guest leaves their data behind, that is their fault for being careless. But as a member of the hospitality industry, you do not care about fault; you care about maintaining an exceptional guest experience.
Quite often it isn’t the guest’s carelessness that resulted in private information being left behind. Windows and associated applications create temporary files. Browsers have been known to leave pictures of inboxes, or even whole messages, when online email services are used. Whose job is it to clean out these temporary files? These files live in several locations, not only in temporary Internet files. Would a guest be expected to know that a file called ~WRL0411.tmp residing in the directory C:\Users\guest\AppData\Roaming\Microsoft\Word\ was a Word document they had been working on? Did you know that was one of many locations where temporary files are found? I’m sure the guest at one hotel I stayed at was not aware that the confidential national-security-related document he had been working on was left behind as a temporary document in a temporary documents folder at the hotel. All I saw was the name of the former White House Cybersecurity czar, and a watermark telling me that I didn’t want to know what else was in the document; but another person finding the file might want to read on. Was it the guest’s job to track down and delete all temporary files, or the hotel’s job to take the trash out?
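One way for the hotel to check whether the trash is actually being taken out, as an added example that is not from the original article: a PowerShell audit of the guest profile, run between sessions. It assumes the guest profile is C:\Users\guest as in the path above; the OneDrive, user temp and browser cache subfolders are standard Windows defaults chosen for this example.

```powershell
# Added example: audit a guest profile for files left behind between sessions.
# Assumption: the guest profile root is C:\Users\guest (taken from the path above).
# Requires PowerShell 3.0 or later.
param([string]$ProfileRoot = 'C:\Users\guest')

# Folders relative to the profile root. The first five are named in the article;
# the last three are standard Windows defaults added for this example.
$locations = [ordered]@{
    'Desktop'                  = 'Desktop'
    'Documents'                = 'Documents'
    'Pictures'                 = 'Pictures'
    'Downloads'                = 'Downloads'
    'Word working files'       = 'AppData\Roaming\Microsoft\Word'
    'OneDrive sync'            = 'OneDrive'
    'User temp'                = 'AppData\Local\Temp'
    'Temporary Internet files' = 'AppData\Local\Microsoft\Windows\INetCache'
}

$report = foreach ($entry in $locations.GetEnumerator()) {
    $path = Join-Path -Path $ProfileRoot -ChildPath $entry.Value
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # -Force also returns hidden and system files, which working copies often are.
    $files = @(Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notin 'desktop.ini', 'Thumbs.db' })
    if ($files.Count -eq 0) { continue }

    [pscustomobject]@{
        Location = $entry.Key
        Files    = $files.Count
        SizeKB   = [math]::Round(($files | Measure-Object -Property Length -Sum).Sum / 1KB, 1)
        Newest   = ($files | Sort-Object -Property LastWriteTime -Descending |
                       Select-Object -First 1).LastWriteTime
        Sample   = ($files | Select-Object -First 3 -ExpandProperty Name) -join ', '
    }
}

if ($report) {
    $report | Format-Table -AutoSize
    Write-Warning "Guest data remains in $(@($report).Count) location(s); session cleanup is incomplete."
    exit 1
}
Write-Output 'No leftover files found in the audited locations.'
```

Reading another user's profile requires an elevated prompt. The non-zero exit code lets a scheduled task or monitoring agent flag the machine.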
Let’s move on to your security risks before we go full circle to solutions.
From a security management posture, the business center computer must be viewed as an endpoint. If this endpoint is compromised, an attacker may be able to use it to begin lateral movement in your organization. What access control restrictions for the guest computer do you have in place? Are you sure? What account and credentials does the IT administrator use to log into the business center computer for administrative tasks?
In many business center computers I have inspected, operating systems and security products were out of date. In 2018, I have seen business center computers running Windows XP and Windows 7. If insecure operating systems were not enough, users were allowed to download and install software. What could go wrong? Perhaps a keystroke logger? This raises the following questions. Is your business center computer connected to the business network? Does the IT administrator who maintains the business center computer log in with their domain credentials? Can a guest boot from a thumb drive? Great, your business center computer is not on the network.
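The questions above can be answered per machine with a short posture check. This is an added example, not from the original article; it assumes the guest session uses a local account named guest and treats 60 days without an installed update as stale.

```powershell
# Added example, not from the article: posture check for one business center PC.
# Assumptions: the guest session uses a local account named 'guest'; 60 days
# without an update counts as stale. Run from elevated Windows PowerShell 5.1.
param(
    [string]$GuestAccount = 'guest',
    [int]$MaxPatchAgeDays = 60
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$os = Get-CimInstance -ClassName Win32_OperatingSystem
# Well-known SID of the local Administrators group; works on localized Windows.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn | Select-Object -Last 1

$findings = @()

# "Is your business center computer connected to the business network?"
if ($cs.PartOfDomain) {
    $findings += "Joined to domain '$($cs.Domain)'."
}

# Domain accounts with local admin rights suggest the machine is
# administered with domain credentials.
$domainAdmins = @($admins | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' })
if ($domainAdmins.Count -gt 0) {
    $findings += "Domain principals hold local admin: $($domainAdmins.Name -join ', ')."
}

# A guest with admin rights can download and install software.
if ($admins | Where-Object { $_.Name -like "*\$GuestAccount" }) {
    $findings += "Guest account '$GuestAccount' is a local administrator."
}

# Windows XP (5.1) and Windows 7 (6.1) both fall below 10.0.
if ([version]$os.Version -lt [version]'10.0') {
    $findings += "Operating system predates Windows 10: $($os.Caption) $($os.Version)."
}

if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += "No update installed in the last $MaxPatchAgeDays days."
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Boot order and removable-media boot are firmware settings and have to be checked in the machine's setup screen; this script does not cover them.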
Wi-Fi can be another source of compromise. Many legacy routers have security flaws that cannot be patched. Even if a router can be patched, have you updated its firmware recently? Many people leave the default usernames and passwords in place.
There is an additional business liability when guests are allowed to install software. There are many products that are free for personal use, but not for commercial use. It is the business owner’s responsibility to ensure that there is no pirated software on the computer. From a legal perspective, and I am not a lawyer, it may be the computer owner’s responsibility to ensure there is no illegal content on the computer. This should be of particular concern to small operators, such as those participating in Airbnb. What is considered to be illegal content is not the same in all countries. A large hotel chain may get away with fines for non-compliance, but when the proprietor of a business uses the same computer they let their guests use, it can become extremely difficult to convince the authorities that illegal content on the computer was left behind by a guest.
For a small business without in-house security expertise, it is advisable to hire a consultant to help set up a secure system. A managed security provider (MSP) can provide a one-time consultation or continuous security services, which include patching and updating systems as required.
For most businesses that provide computers for guest use, the most effective solution is likely to be kiosk software. A variety of vendors provide these security solutions. Quality kiosk solutions will limit the use of the computer to a set of predefined applications. After each session, content will be deleted from the computer. Content filtering can prevent guests from downloading inappropriate content or executing any software. Some solutions will also integrate secure Wi-Fi systems.
It can be a bit frustrating for a guest when limitations prevent them from doing what they would like to on the business center computer, but sometimes the best way to ensure a guest’s privacy is to protect them from themselves. This also can increase corporate security and eliminate some liabilities.