SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Securing hotel technology to protect customer information
Mon, 10th Dec 2018

The threat of cyber attacks is increasing on a global scale. The recent Facebook security breach, which exposed the personal information of over 50 million users, highlights the growing importance of cybersecurity in a world that promises to become ever more hyper-connected.

Perhaps not surprisingly, hackers are eyeing the hospitality industry as a source of lucrative customer information that can be sold on the dark web. For example, the Darkhotel group, which has reportedly been active since 2014, routinely compromises in-house Wi-Fi networks to target C-Level executives and government representatives staying at luxury Asian hotels. Recently, Chinese state media reported that nearly 500 million pieces of customer information relating to the Huazhu Group, one of China's largest hotel chains, went up for sale on a dark web forum.

Moreover, network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices. This significantly increases the number of endpoint devices that are potentially vulnerable to attack, including smart door locks, intelligent thermostats and in-room multimedia streaming systems.

Below are some security best practices that hoteliers should keep in mind to improve the guest experience and inspire confidence in a brand by ensuring that customer data remains secure throughout a hospitality property.

Adopt the latest security standards

Firstly, securing data in transit is essential, especially if hotel guests and employees connect to the Wi-Fi network for business purposes. As such, hotel IT departments should consider adopting the newest security standards, such as WPA3, launched earlier this year.

The variation of WPA3 significant to hoteliers is WPA3-Enterprise, with features such as Wi-Fi Enhanced Open, which enables organizations to implement a secure, open wireless network environment, reducing the chances of man-in-the-middle attacks.

The user experience is also crucial for guests and visitors in public hotel spaces such as lobbies, restaurants, stores, pools and fitness clubs. In the recent Ruckus State of Wi-Fi in Asia Pacific survey, fewer than one in four (24%) respondents in APAC and Singapore had a good experience with public Wi-Fi. As a result, only 14% of users in APAC and 17% in Singapore connect to public Wi-Fi most or all of the time. WPA3 will be able to address the issue of confidence in public Wi-Fi security, as all data transmitted, including through open and public networks, will be encrypted.

Only allow authorized access to networks

Second, it's important to determine who should have access to the network, and who shouldn't. Authentication policies based on digital certificates will ensure that only approved users can connect to the network. At the back of the house, IT administrators should identify and authenticate all devices before granting them access to Wi-Fi networks, VPNs, or gateways. This means exerting greater control over the network, for example, by issuing certificates to new employees and revoking certificates when an employee leaves the company.

In addition, administrators can leverage role-based policies to ensure that even when users have access to a network, they can reach only the network resources they should see. At the most basic level, hotel guests should be subject to different access restrictions than employees. Furthermore, employee access should be scaled to ensure that only privileged and trusted users can access sensitive or critical operations.
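The certificate and role checks described in this section, sketched as an added example that is not part of the original article or any vendor's product. The role names, resource names, serial numbers, `DeviceCert` and `authorize` are hypothetical, and the example assumes the certificate's signature chain has already been validated by the network's authentication server.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role policy (assumption): role -> network resources it may reach.
ROLE_POLICY = {
    "guest": {"internet"},
    "front_desk": {"internet", "property_management"},
    "it_admin": {"internet", "property_management", "network_management"},
    "iot_door_lock": {"lock_controller"},
}

@dataclass(frozen=True)
class DeviceCert:
    """Hypothetical summary of a client certificate whose chain is already verified."""
    serial: str
    subject: str
    role: str
    not_after: datetime

def authorize(cert, resource, revoked_serials, now):
    """Return (allowed, reason): revocation and expiry first, then role; default deny."""
    if cert.serial in revoked_serials:
        return False, "certificate revoked"
    if now >= cert.not_after:
        return False, "certificate expired"
    allowed = ROLE_POLICY.get(cert.role)
    if allowed is None:
        return False, "unknown role"
    if resource not in allowed:
        return False, f"role {cert.role} may not reach {resource}"
    return True, "ok"

# Constructed sample data, not taken from any real deployment.
NOW = datetime(2018, 12, 10, tzinfo=timezone.utc)
EXPIRY = datetime(2019, 12, 10, tzinfo=timezone.utc)
GUEST = DeviceCert("1001", "room-412-phone", "guest", EXPIRY)
CLERK = DeviceCert("2001", "frontdesk-laptop", "front_desk", EXPIRY)
EX_EMPLOYEE = DeviceCert("2002", "former-staff-laptop", "front_desk", EXPIRY)
LOCK = DeviceCert("3001", "door-lock-412", "iot_door_lock", EXPIRY)
REVOKED = {"2002"}  # serial revoked when the employee left the company

if __name__ == "__main__":
    for cert, res in [(GUEST, "internet"), (GUEST, "property_management"),
                      (CLERK, "property_management"),
                      (EX_EMPLOYEE, "property_management"), (LOCK, "internet")]:
        print(cert.subject, res, authorize(cert, res, REVOKED, NOW))
```

The revocation check runs before the role lookup, so a former employee's certificate is rejected even though its role would otherwise permit the request.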

In conclusion

At the end of the day, it is important to recognize that hotel networks need clearly defined roles (and permissions!) that set out what each user and device is allowed to do on the network. Given that the bulk of devices that connect to a typical hotel's network, on both the corporate and guest sides, are BYOD or even IoT-based, IT departments must have the right view into these devices and, at the same time, be able to act to protect both the network and the end user if suspicious actors come into play.

In managing both guest and corporate network access, hotel IT departments should look to deploy solutions that not only enable simpler onboarding and authentication but are also secure and scalable, while providing an optimal user experience.

After all, hotels are responsible for the physical safety and security of their guests; this should naturally extend to the safety of their digital properties as well.