As we enter the endemic stage of COVID-19, it seems the pandemic of cyber evildoers is still spreading. On a daily basis (or maybe even hourly) we see more and more attacks via email, messaging and social media. They pit the best and the brightest in the phishing space against the best and the brightest in the security space and – more often than not – the best and the brightest in the artificial intelligence (AI) space.
For large teams, security is a tough but necessary task – ensuring protection can be a Herculean challenge. For small teams, attacks may become everyday occurrences they have to deal with while keeping their operations moving forward.
Home Offices Bring Added Challenges
Remote working has exacerbated the problem. Most of the best protection was designed around people being in the office, with endpoint protection, expansive firewalls with intrusion protection and detection, and even zero-day heuristics, which can find malware in ways that anti-virus software can’t. By comparison, most home offices have a consumer-grade router that came with the homeowner’s Xfinity or Google Fiber monthly subscription.
Some organizations have started to deploy better, centrally managed security appliances to home offices, but they often require a technical resource to install and segment. This further blurs the already fuzzy line between work and nonwork. Unless the work segment is completely separated from the home segment, security teams may wind up chasing false positive threats from family users death-scrolling clickbait on TikTok or binge-watching Ozark on Netflix.
Some services will manage at-home security for you, but they’re often pricey.
Even teams that had a remote work infrastructure in place are left with scalability issues. Licensing for VPN connections and firewalls designed to protect inside traffic are taxed with having to support many more connections than before. In 2019 an office might have had 10% of its workforce connecting remotely; now 50%-80% – or more – are connecting on a frequent basis.
Rather than scale a local network, most IT teams I work with are pushing further and further into cloud solutions like Microsoft Office 365 and Amazon S3. This allows them to leverage cutting-edge solutions and security that simply aren’t available on their local networks.
Hotels Have Specific Needs
Hotel teams are the most impacted. Corporate workers had tools from day one, but hotels often use on-premise property management systems (PMS). Even the largest brands predominantly use solutions that physically live at the hotel – frequently behind solid firewalls, but with unmanaged and decrepit switches. This works well for team members on site, but accounting or sales staff are often working remotely on at least a hybrid model. Management companies, too, are doing more and more with centralized teams.
It often makes sense to have accounting and sales work in the field. But I’m seeing more and more hotels setting up solutions where private branch exchange (PBX) operations and in-room dining are offsite, using virtual machines to connect to jump computers on site and log into the PMS and point of sale systems (POS).
This requires a lot of heavy lifting. Most hotel POS systems aren’t ready for remote access, and guaranteeing security is tricky. Point of sale is, obviously, a credit card environment. While folks who take remote room-service orders aren’t touching credit cards, we have to protect those systems just the same. Bringing third-party remote networks into PCI scope and controls is painful. One project took over $20,000 and eight months from inception to success. Some of this was related to hardware shortages, some to old systems connecting to new, but again, it took eight months to get it working.
It gets even harder when brands are involved. Marriott and Hilton typically manage all or most of their hotel networks – almost exclusively those segments where PMS and POS reside. Brands are good at helping management companies connect remotely where needed, but are rightfully concerned when third parties connect. They often have rules or systems that actively prevent such access.
Hotels will have local systems running on local networks for at least the next four or five years. Take the steps to enable your teams to use them from wherever they are, and make security a priority.
YOUR SECURITY CHECKLIST
Remote work is here to stay. We need to build better security to remove friction, but protect our teams and guests. If your operation is looking to better enable remote work, here are some lessons we have learned:
- Team members need mobile device management on both their computer and their mobile devices. It’s no longer acceptable to only protect some systems.
- Create a standard for remote office security – hardware and software. This might require providing a security appliance that can be installed easily and segment work from home. A work-only service set identifier (SSID) – a fancy term for the name you give a WiFi network – is ideal. It’s even better if you can tie that network into a central security and identity platform. Providing a kit is important. Being able to test that solution is also important.
- Consider zero trust networks, which perform continuous authentication and monitor each network access attempt, for systems that need to connect back to centralized systems managed by the company.
- Institute a rock-solid patch management program for end-user devices.
- Require security scans on a frequent basis.
- Plan to report on all your efforts; include successes and failures.
- Invest in technology that lets you remotely reimage systems without depot or shipping. This has saved my teams more time than I can count. As remote working expands, this will be key.
- Use caution when it comes to third parties connecting into hotel networks.
- Every user must have their own credentials.
- All entry needs to be logged, and the logs backed up.
- If a user hasn’t connected for a certain period of time, the system should automatically disable that access. I recommend 30 days.
- If working for a branded hotel, be clear on what the rules are, what you can access and what controls the brand mandates. Don’t think you can just put a jump-computer on your network and the brand will never notice.
- Actively test connection security and be ready for the system to shut down access if anything looks off.
- Don’t be afraid to ask these partners to confirm security via a qualified security assessor (QSA). These independent security organizations can validate a company’s adherence to PCI Security Standards Council standards.
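
One way to check the checklist items on individual credentials, logged entry and the 30-day disable rule against a jump-host login log. This is an added example, not part of the original article; the log format, account names, function names and the 15-minute window used as a shared-credential heuristic are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; the log format is an assumption.
SAMPLE_LOG = """\
2024-05-30T08:02:11Z user=roomservice1 src=198.51.100.7 result=success
2024-05-30T08:09:40Z user=roomservice1 src=203.0.113.25 result=success
2024-05-29T14:30:00Z user=acct.jlee src=198.51.100.7 result=success
2024-04-12T09:15:00Z user=sales.mpatel src=192.0.2.44 result=success
2024-05-28T22:01:00Z user=vendor.pbx src=192.0.2.90 result=failure
""".splitlines()
# Constructed list of accounts provisioned for remote access.
PROVISIONED = ["roomservice1", "acct.jlee", "sales.mpatel", "vendor.pbx"]


def parse_line(line):
    """Return (timestamp, user, source, result), or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["user"], fields["src"], fields["result"]
    except (ValueError, KeyError):
        return None


def review_access(lines, provisioned, now, max_idle_days=30, share_window_min=15):
    """Flag idle accounts to disable and accounts that look shared."""
    logins = {}  # user -> [(timestamp, source)] for successful logins only
    for rec in filter(None, map(parse_line, lines)):
        ts, user, src, result = rec
        if result == "success":
            logins.setdefault(user, []).append((ts, src))
    last_seen = {u: max(t for t, _ in ev) for u, ev in logins.items()}
    cutoff = now - timedelta(days=max_idle_days)
    # Never connected, or last successful connection older than the cutoff.
    idle = sorted(u for u in provisioned
                  if u not in last_seen or last_seen[u] < cutoff)

    window = timedelta(minutes=share_window_min)
    shared = []
    for user, events in logins.items():
        events.sort()
        # Heuristic: one login used from two sources within the window.
        if any(b[1] != a[1] and b[0] - a[0] <= window
               for a, b in zip(events, events[1:])):
            shared.append(user)
    return {"disable": idle, "possibly_shared": sorted(shared)}
```

Accounts in `disable` are candidates for automatic disabling under the 30-day rule; accounts in `possibly_shared` warrant a check that each person really has their own credentials.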