Hospitable With Data

by msecadm4921

The hospitality industry in 2010 experienced the most data security breaches of all market sectors, says IT consultancy Orthus.

Hospitality businesses accounted for 38 per cent of all data security breaches reported in 2010, compared to 19 per cent for financial services and 14 per cent for retail businesses. What factors account for the dramatic increases in this sector? Why is this industry suddenly so vulnerable to attack? What can we do about it?

One of the primary reasons that the industry is fast becoming a favourite target for hackers is the vast amount of credit card data it processes, transmits and stores across its networks.

Hotels specifically, with their need to conduct charge backs or maintain customer data in their systems, amass a huge amount of sensitive credit card data across their networks. While other industries subscribe to the “less is more” approach and continually cleanse their networks of card data, this approach is not operationally achievable in the hospitality sector. This, and the fact that the hospitality industry is not known for stringent network security due to its penchant for outsourcing its ICT infrastructure, has resulted in the hacking community’s recent recognition of the easy target it is.

When businesses outsource their ICT requirements, basic security defences such as well-configured firewalls, logging and intrusion detection or prevention systems are often overlooked, leaving these managed networks wide open to unauthorised and unrecorded access. If security is considered and deployed, it’s usually after the fact or as the result of regulatory (Payment Card Industry Data Security Standard) or legislative (Data Protection Act) requirements. This “bolt on” network security approach is not as effective as “security by design” and does not result in the strongest defences against hackers. If, for example, you wanted to build a fence to surround your property and keep trespassers out, you would build the strongest fence possible within your budget, ensuring a design conducive to turning away intruders. But if your city or council came to you and told you to build a fence, you would only build it where told and design it to meet their requirements.

This second fence surely wouldn’t be as effective as the first in preventing intruders. This quite simply illustrates the problem in the hospitality industry: if they have a fence at all, it is only there because they were told to build it by someone else. Hackers, like intruders, can spot a good fence or a bad one quite easily. This industry is fast getting a reputation for bad fencing.

Besides credit card data, hackers target customer personal data for purposes of identity theft. Once again, large volumes of personal information are processed, stored and transmitted in the hospitality industry with little or no understanding of its worth to hackers. Personal data is extremely valuable to the hacker community. Why? To commit identity theft you need identity data. A person’s name, date of birth, address and national identity number, for example, can be sold on the internet for £1 per record. A customer database of some 5000 records can then be sold for £5,000. Database theft is big business to hackers today, with rewards reaped through both credit card and identity fraud pay outs.

While the hospitality industry recognises the value of detailed customer information in their efforts to provide world-class service (smoking/non-smoking, dietary habits or existing medical conditions), they do not understand that this same information may be valuable to hackers. Quite simply, they do not understand that data = cash to a hacker. Consequently, they do little to protect it.


If you’ve read any information security white papers before, you will have heard that there are no security silver bullets. Computer security is an oxymoron. There is no such thing as a secure network. No matter what you do, you cannot guarantee that your business will not experience a breach. The most effective approach therefore is risk management. The best you can do to prevent data breaches is to implement cost-effective processes to identify, minimise and manage the security threats to your business.

The Payment Card Industry (PCI) Data Security Standard (DSS), for instance, should be implemented as a risk management framework. All the stated controls should be aligned to your business processes and objectives to be effective. It must not be implemented as a checklist. If it is, it will have little effect on preventing a breach. The only real solution then is to implement a security programme based on risk management principles, instilling in your stakeholders a clear understanding of the value of the data.


© 2024 Professional Security Magazine. All rights reserved.
