Spring 2021

view the Digital edition
by
Fran Worrall
Technology Leaders

Technology Rock Stars ANDREW ARTHURS

The People Leading the Industry In HU’s second annual ‘Technology Rock Stars’ special report, we feature 10 technology leaders who have set themselves apart as hospitality’s best and brightest. Selected by a panel of hotel and gaming consultants and insiders, these men and women not only are driving change within their organizations but also are at the forefront of innovation in the industry. Our profiles provide an in-depth look at their recent accomplishments and highlight their predictions for technology’s future. We also share some of their personal bests ó ranging from favorite travel destinations (everywhere from Napa Valley to New Zealand) to favorite periodicals (in addition to Hospitality Upgrade, of course). We hope you enjoy this year’s special report. ANDREW ARTHURS CIO Aimbridge Hospitality

Technology Rock Stars ANDREW ARTHURS
Technology Rock Stars MIKE RAWSON
Technology Rock Stars CHARLES BUREAU
Technology Rock Stars RICHARD TUDGAY
Technology Rock Stars JEFF BZDAWKA
Technology Rock Stars JEFF EDWARDS
Technology Rock Stars RAJIV CASTELLINO
Technology Rock Stars SARAH FULTS
Technology Rock Stars JEFFREY COHEN
Technology Rock Stars DENISE WALKER
Privacy Implications of Remote Working
The Hospitality Upgrade Annual Investment Survey Results – 2021
Making Hard Decisions in Cybersecurity
Messaging: Put to Work for Hotels and Guests By Jeffrey Parker
The Future of Hotel Lobbies
Racing Under the Yellow Flag
Cashing in on Our ‘Relational Equity’
Essential Hotel Commercial Strategies for Recovery
Please, Please Get Us Some Automation!
What Makes the Hotel Marketer Unique?
The Sobering Reality of 2020 & A Crystal Ball for 2021
How Will the Airbnb IPO Affect Your Operations?
HeadTrash

Making Hard Decisions in Cybersecurity

by
Lynn Goodendorf
Security
Share

No one wants to consider making cost cuts to a cybersecurity program because the threats are continuing and changing. However, the current reality for many companies in the hospitality industry is that spending needs to be reduced in all categories. The expense for cybersecurity can be conserved with a well thought out risk-based approach and acknowledgement that there will be a calculated increase in risk.

We must embrace the idea that mitigating risk to an accepted level is the aim and be in a position to move quickly when incidents occur. Even with a robust cybersecurity program, it is unrealistic to think that no incidents will happen. We can expect effective mitigation measures to reduce severity and magnitude.   To help companies who are faced with this difficult situation, there are proven and recommended steps that follow best practices in cybersecurity fundamentals. The place to start is to prioritize what needs to be kept and possibly improved with more focus and diligence.

The key areas to sustain and consider strengthening include:

  • Vulnerability Management
  • Access Controls
  • Anti-malware Defenses
  • Third-party Risk Assessments
  • Incident Planning, Preparedness and Response

Vulnerability Management  

As a first priority, begin with thorough software patch management and keeping up with software updates. The reason this is so important is that all cyber-attacks need an unpatched vulnerability or outdated (unsupported) software version to be able to work. The first step malicious attackers take in their planning is to run scans and identify opportunities in these areas. If unpatched items are identified quickly and resolved, it is very hard for an attacker to be successful.  

The effort required for the patch management process is often underestimated. The first challenge is that there are hundreds of patches published monthly multiplied by the number of all “computing devices” such as laptops, PCs, tablets, servers, etc.  And patches are needed on web browsers and all types of software.  Another challenge is that once a patch is published, all potential attackers know about the vulnerability, so there is no time to waste in this process. Finally, to make this task more difficult to accomplish, patches often do not correctly apply when they are automatically distributed. There are many reasons for this, but it has become a necessity to have a scanning tool to find where patches are missing.    

Auditors may only look for monthly or quarterly patching of high priority only vulnerabilities, but if your plan is to trim back your cybersecurity, scanning and patching needs to be done weekly and all patches made.  All end users can help support this effort by setting their devices to auto update on every device.

Access Controls  

The next fundamental area to defend is to be attentive to access controls, particularly passwords or login credentials. Automated hacking tools can identify a password in a few minutes or less. Lengthier and more complex passwords take longer to hack, but the sad truth is that all passwords can be compromised. Most people struggle with creating and remembering passwords so that having multiple passwords is overwhelming. The best approach is to assign each person who uses technology their own individual password manager which is money well spent.  

Along with a password manager, use of a two-factor login feature will make it very difficult for accounts to be compromised. Two-factor logins will send a unique code to a cell phone, email, etc. which must be entered to gain access.  The scope of implementation can vary.  At a minimum, make sure that IT system administrators and anyone working remotely have a two-factor feature. Ideally, provision two-factor logins to all internal technology users and to all guest websites where confidential information is stored.    

Another essential access control is to deploy and maintain firewalls. There are different types of firewalls depending on the IT architecture you have and they range from very basic to sophisticated feature, but they all serve the purpose of blocking or permitting incoming and outgoing connections to the Internet using a set of rules. Make sure that you not only have firewalls appropriate to your needs but that you also have a qualified person to make ongoing changes and manage firewall maintenance requirements.

Malware Defenses

Malware continues to be a significant threat especially in the hospitality industry and is used for ransomware and theft of personal data. There are numerous entry points and methods for malware to infiltrate a system.  Anti-virus protection is essential. For stronger protection, an advanced application whitelisting tool will block malware, ransomware and zero-day viruses. This type of technology also provides protection from attacks that use a strategy called “Living off the Land” (LotL) where a malicious hacker gains unauthorized access and then explores the environment using existing software utilities and applications to carry out an attack.

Third-Party Risk Assessments  

In 2020, the cybersecurity world was stunned by a wide scale global attack that used a trusted software system for day-to-day IT operations. This emphasizes the need to step up attention to managing third-party risks. And with the rapid growth of cloud-based applications from third parties, this is more critical than ever before.    

Experience has shown that it is not effective to send security questionnaires to third parties, and any security risk assessment tends to fail if a new contract or renewal does not require security approval first. Approaches that tend to work as contractual requirements include the following:

  • “Pen testing” is performed on third-party software. Network pen testing is performed on access controls provided by the vendor. These tests should be carried out annually or whenever there is a major change such as a new software version, new system, etc.      
  • Require audit reports or certifications such as ISO 27001 and a PCI Attestation of Compliance (AOC). Cloud providers can provide proof of registration with the Security, Trust, Assurance and Risk registry (STAR) published by the Cloud Security Alliance (www.cloudsecurityalliance.org).  

A well-managed, risk-based approach will position an organization so that incidents that occur will be minor, but the “fire station” must be prepared to roll out and respond to any size or type of incident.

Incident Planning, Preparedness & Response  

Training and review of the plans including specific scenarios can equip senior executives and all employees to handle a serious situation well. Common pitfalls are in the areas of communication including:

  • Employees failing to report indications of an incident
  • Failing to notify insurance carriers early which may be a requirement for coverage
  • Failing to alert legal counsel immediately to establish privileged communications
  • Mismanaging messaging to customers, employees and the public

System backups and other related IT recovery processes and procedures are vital to being prepared for an incident. Simple information documents with home or alternate contact details of people needed in a response can make a difference in acting quickly and if normal communication channels are unavailable or compromised.    

Overall, these are the mitigation measures that should be prioritized along with the people who know how to manage these processes and use the technology tools. Much of this effort is not sophisticated or onerous. The critical success factor is to not let any of these security measures lapse.

This is some text inside of a div block.

ARTICLES BY THE SAME AUTHOR

Discover Return On Experience

Three ecosystems — Hospitality & Leisure, Food & Beverage, and Inventory & Procurement — operate independently and together depending on your needs.

DOWNLOAD

Let's Get Digital

7 Questions to Ask Before You Invest in a Hotel Mobile App

DOWNLOAD

Heading

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

DOWNLOAD

CORE Create, Gives Hotels Control of Guestroom TV Content

CORE Create, Enseo’s property content management system, is an easy-to-use web browser allowing hotels to edit and publish user interface updates directly to guest TVs.

Download

How to Solve Labor Challenges & Improve Staff Retention in Hotels with Modern PMS Solutions

Hotel workers, like guests, want to feel engaged with the property. As labor constraints force more responsibility on fewer hotel team members, those on the front lines want to be sure their increased accountability is accompanied by more capabilities. The best way to address these concerns is through new technology, starting with the property management system.

Download
THE LATEST HOTEL AND HOSPITALITY TECHNOLOGY NEWS AND TRENDS
Siegel Communications, Inc. Located in Roswell, Georgia
Phone: 678.802.5300
Address: 12460 Crabapple RD STE 202-372, Alpharetta, GA 30004
© 2023 Hospitality Upgrade. All rights reserved.

BROWSE

WHO WE AREEventsNewsVendorsMagazineTech TalkContact us

PARTNERS

Our Events

Keep Up to Date on All Latest Industry News

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.