Tourism, especially the hotel industry, is an important contributor to Australia’s economy and continues to enjoy buoyant growth, despite the slowing of the overall economy.
Key players in this industry know the value of being vigilant against not only crimes and terrorism, but also cybercriminals.
Trustwave’s 2012 Global Security Report shows that the food and beverage, retail, and hospitality industries accounted for more than 85 per cent of all data breach investigations.
These three industries have at least one thing in common: they process credit card payments. Approximately 90 per cent of APAC investigations resulted from credit card data compromises as organised crime groups continue to target these industries, due to their well-known payment-system vulnerabilities and poor security practices.
The biggest technology issue faced by the hospitality industry today is compliance with the Payment Card Industry Data Security Standard (PCI DSS). Based on our extensive research, hospitality businesses face five common challenges when it comes to PCI DSS compliance.
Broad Attack Surface Found in the Network Environments and Ecosystems
Hotel properties host a plethora of systems including reservations, accounting, sales, food services, etc. In addition, hotels are also an amalgamation of retail merchant operations across food and beverage, retail, and traditional hospitality services.
All these departments, with their high credit card transaction volume, present a large opportunity for hackers to enter the business environment and gain profit by stealing the credit card data.
The attack surface is further broadened when a hacker discovers targets on the network that use shared resources, exploits weak passwords and shared credentials used to access systems and applications, and leverages direct connections through insecure remote-access services, applications or ports left open by the firewall.
Lack of IT Security Support
To stay competitive, fast-growing franchised and corporate-owned hospitality businesses often open new locations quickly, focusing on expanding their business as soon as possible – with IT security support often becoming an afterthought.
“Boots on the ground” IT security support is frequently lacking or non-existent in distributed, decentralised hospitality and retail businesses.
Lack of Information Security Awareness
Employees are often the weakest link in the data security chain. Of the hundreds of security incident investigations we performed in 2011, 87 per cent of companies that experienced a data breach did not have security policies in place and only 32 per cent of employees said they had received education on their organisation’s security policies.
This issue is even more critical in the hospitality and retail industries, where staff turnover rate is relatively high. As a result, providing a consistent education on security best practices and encouraging knowledge transfer are often difficult to achieve.
Complex IT Environments
In hotel properties, complexity occurs as the result of accommodating many disparate systems that need to co-exist and interact with each other, such as: central reservation systems; point-of-sale (POS) systems; platforms for finance, sales, guest services and catering; and physical security elements (e.g., surveillance, key cards) that tie into the data network.
This can result in tens or hundreds of devices sitting on the data network at individual properties. Even worse, each system may be in scope for PCI DSS, increasing the complexity of the compliance validation process.
No Network Segmentation
The lack of network segmentation amongst individual operators’ networks is another one of the greatest challenges. Computing and data networks are often flat between corporate and individual operations with minimal safeguards in between.
This situation enables cybercriminals to “jump” between specific locations and move around the network searching for credit card and other sensitive data to exfiltrate.
Businesses in the hospitality industry should assess their environment to determine how networks are configured and what system assets and data fall under the PCI risk profile.
By segmenting some system assets and decommissioning old systems, PCI scope may be reduced.
Operators need to take an inventory of system assets and applications to determine risks and build security and compliance into their regular business processes.
In addition, management needs to determine who is responsible for compliance efforts, policies and procedures to bring together standardisation, consistency and day-to-day management for best-practice compliance.
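The scoping exercise described above (inventory the assets, find out which ones can talk to the card-processing systems, and see how segmentation shrinks the PCI footprint) can be worked through on a small model. The following Python script is an added example, not code from the article or from Trustwave; the hotel inventory, VLAN names and firewall policies it uses are constructed sample data. It treats a host as in scope if it handles cardholder data (the cardholder data environment, CDE) or if any firewall rule or shared VLAN lets it talk to a CDE host, which is the "connected-to" notion PCI DSS scoping uses. It then compares a flat property network with a segmented one and lists the remaining connections a practitioner would have to justify or remove.

```python
"""PCI scope estimation from a network inventory: flat vs. segmented.

Added example (not from the article). All hosts, VLANs and rules below are
constructed. Model: a host is in scope if it stores, processes or transmits
cardholder data (CDE), or if it can communicate with a CDE host in either
direction. Hosts in the same VLAN reach each other freely; between VLANs a
connection needs an explicit (src_vlan, dst_vlan) allow rule.
"""

# Constructed property inventory: host -> (vlan, handles_card_data)
HOSTS = {
    "pos-restaurant":   ("pos", True),
    "pos-giftshop":     ("pos", True),
    "pms-reservations": ("pos", True),        # property management system
    "cctv-nvr":         ("facilities", False),
    "keycard-server":   ("facilities", False),
    "guest-wifi-ap":    ("guest", False),
    "accounting-ws":    ("office", False),
    "sales-ws":         ("office", False),
}

VLAN_IDS = sorted({vlan for vlan, _ in HOSTS.values()})

# Flat network: every VLAN may initiate connections to every other VLAN.
FLAT_POLICY = {(a, b) for a in VLAN_IDS for b in VLAN_IDS if a != b}

# Segmented network: only the office VLAN may reach the POS VLAN (e.g. for
# end-of-day reports); facilities and guest Wi-Fi are walled off from the CDE.
SEGMENTED_POLICY = {("office", "pos")}


def cde_hosts(hosts):
    """Hosts that handle cardholder data: always in scope."""
    return {h for h, (_, card) in hosts.items() if card}


def link(a, b, hosts, allowed):
    """Return the VLAN pair that lets a and b communicate, or None if segmented apart."""
    va, vb = hosts[a][0], hosts[b][0]
    if va == vb:
        return (va, vb)            # same VLAN: no firewall between them
    if (va, vb) in allowed:
        return (va, vb)
    if (vb, va) in allowed:
        return (vb, va)
    return None


def pci_scope(hosts, allowed):
    """CDE hosts plus every host that can communicate with a CDE host."""
    cde = cde_hosts(hosts)
    connected = {
        h for h in hosts
        if h not in cde and any(link(h, c, hosts, allowed) for c in cde)
    }
    return cde | connected


def segmentation_gaps(hosts, allowed):
    """Non-CDE hosts that still reach a CDE host, with the rule permitting it.

    Each (host, cde_host, (src_vlan, dst_vlan)) entry is a candidate for a
    tighter rule, a move to another VLAN, or decommissioning.
    """
    cde = cde_hosts(hosts)
    gaps = []
    for h in sorted(hosts):
        if h in cde:
            continue
        for c in sorted(cde):
            rule = link(h, c, hosts, allowed)
            if rule is not None:
                gaps.append((h, c, rule))
    return gaps


def report(hosts, allowed, label):
    """Human-readable summary for one policy; returns the in-scope count."""
    scope = pci_scope(hosts, allowed)
    print(f"{label}: {len(scope)}/{len(hosts)} hosts in PCI scope")
    for h, c, rule in segmentation_gaps(hosts, allowed):
        print(f"  {h} -> {c} allowed by rule {rule[0]}->{rule[1]}")
    return len(scope)


if __name__ == "__main__":
    report(HOSTS, FLAT_POLICY, "flat network")
    report(HOSTS, SEGMENTED_POLICY, "segmented network")
```

On the flat policy every host at the property is in scope, including the CCTV recorder and the guest Wi-Fi access point; on the segmented policy only the three card-handling systems and the two office workstations remain, and the gap list names exactly the office-to-POS rule that keeps those workstations in scope, which is the rule an assessor would ask the operator to justify or tighten.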