Story image

Securing hotel technology to protect customer information

10 Dec 2018

Article by Ruckus Networks Asia Pacific director of business development, Vasudevan Venkatakrishnan.

The threat of cyber attacks is increasing on a global scale. The recent Facebook security breach, which exposed the personal information of over 50 million users, highlights the growing importance of cybersecurity in a world that promises to become ever more hyper-connected. 

Perhaps not surprisingly, hackers are eyeing the hospitality industry as a source of lucrative customer information that can be sold on the dark web. For example, the Darkhotel group, which has reportedly been active since 2014, routinely compromises in-house Wi-Fi networks to target C-Level executives and government representatives staying at luxury Asian hotels. Recently, Chinese state media reported that nearly 500 million pieces of customer information relating to the Huazhu Group, one of China’s largest hotel chains, went up for sale on a dark web forum.

Moreover, network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices. This significantly increases the number of endpoint devices that are potentially vulnerable to attack, including smart door locks, intelligent thermostats and in-room multimedia streaming systems. 

Below are some security best practices that hoteliers should keep in mind to improve the guest experience and inspire confidence in a brand by ensuring that customer data remains secure throughout a hospitality property.

Adopt the latest security standards

Firstly, securing data in transit is essential, especially if hotel guests and employees connect to the Wi-Fi network for business purposes. As such, hotel IT departments should consider adopting the newest security standards, such as WPA3, launched earlier this year. 

The variation of WPA3 significant to hoteliers is WPA3-Enterprise, with features such as Wi-Fi Enhanced Open, which enables organizations to implement a secure, open wireless network environment, reducing the chances of man-in-the-middle attacks. 

The user experience is also crucial for guests and visitors in public hotel spaces such as lobbies, restaurants, stores, pools and fitness clubs. In the recent Ruckus State of Wi-Fi in Asia Pacific survey, less than one in four (24%) of respondents in APAC and Singapore had a good experience with public Wi-Fi. As a result, only 14% of users in APAC and 17% in Singapore connect to public Wi-Fi most or all the time. WPA3 will be able to address the issue of confidence in public Wi-Fi security, as all data transmitted, including through open and public networks, will be encrypted. 

Only allow authorized access to networks

Second, it’s important to determine who should have access to the network, and who shouldn’t. Authentication policies based on digital certificates will ensure that only approved users can connect to the network. 
At the back of the house, IT administrators should identify and authenticate all devices before granting them access to Wi-Fi networks, VPNs, or gateways. This means exerting greater control over the network, for example, by issuing certificates to new employees and revoking certificates when an employee leaves the company. 

In addition, administrators can leverage role-based policies to ensure that even when users have access to a network, they are only able to access network resources they should see. At the most basic level, hotel guests should be granted different access restrictions as compared to employees. Furthermore, employee access should be scaled to ensure that only privileged and trusted users can access sensitive or critical operations.

In conclusion

At the end of the day, it is important to recognize that hotel networks need to have clearly defined roles (and permissions!) as to what they’re allowed to do on a network. Given that the bulk of devices that connect to a typical hotel’s network are usually BYOD, or even IoT-based, on both the corporate and guest networks, IT departments must have the right view into these devices, and at the same time be able to act to protect both the network and end user in case suspicious actors come into play.

In managing both guest and corporate network access, hotel IT departments should look to deploying the right solutions that will not only enable simpler onboarding and authentication, but one that is also secure and scalable, while also providing an optimal user experience.

After all, hotels are responsible for the physical safety and security of their guests; this should naturally extend to the safety of their digital properties as well. 

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.