Addressing privacy compliance and cybersecurity is becoming more and more challenging for companies. At least 26 states are considering various kinds of data privacy laws. At the same time the rate, depth, and impact of ransomware, wiperware and data breaches have become more intense and more expensive, and there is no indication that the trend will end soon. Hotel companies, as holders of significant amounts of personal information and highly dependent on computer networks for daily operations, are particularly at risk in this environment.
A hotel company that seeks to comply with privacy mandates, and to prepare for and defend against a data breach, requires knowledge – it requires visibility.
What does that mean? To achieve visibility, a hotel brand, manager or owner needs to increase its knowledge of key elements of its data infrastructure:
See Your Network
Most hotel executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing and defending against attacks. This means not only knowing what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smartphones and tablets. As hotels become increasingly automated – by relying on smartphones to substitute for keys and allowing touchless registration – being able to see the full scope of the network is challenging but essential.
Part of seeing the network also means seeing what is happening on the network. A hotel brand or manager needs to know when there is a threat, where it is, and how to contain it. Simply having firewalls and endpoint security isn’t enough; it’s too easy for hackers to gain access to the network. Being able to “see” what is happening on the network in real time is what can allow a company to defend itself. Age is good for wine, but not for a breach response. When a breach is in process, speed is essential.
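One concrete way to start seeing both the expected devices and the “silent” ones is to reconcile what the network actually reports (DHCP leases, ARP tables, switch port inventories) against an approved asset list. The script below is an added example written for this article, not code from the author; the inventory entries, the lease lines and their "<timestamp> <ip> <mac> <hostname>" layout are constructed sample data, so the parser must be adapted to whatever your DHCP server or switches actually export. It flags two things the text calls out: devices on the network that nobody approved (personal phones and laptops) and approved assets that never show up (an unused server that is still a node on the network).

```python
"""Reconcile observed network devices against an approved asset inventory.

Added example (not from the original article). The inventory, the observation
lines and their layout are constructed assumptions so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed approved inventory: MAC address -> (hostname, role). Sample values only.
APPROVED_ASSETS = {
    "aa:bb:cc:00:00:01": ("pms-app-01", "property management server"),
    "aa:bb:cc:00:00:02": ("pos-term-07", "restaurant point-of-sale terminal"),
    "aa:bb:cc:00:00:03": ("fd-kiosk-02", "front-desk touchless check-in kiosk"),
    "aa:bb:cc:00:00:04": ("legacy-rpt-01", "reporting server slated for decommission"),
}

# Constructed observation lines in an assumed "<timestamp> <ip> <mac> <hostname>" layout;
# a hostname of "-" stands for a client that reported none.
OBSERVED_LEASES = """\
2024-05-01T08:01:12 10.20.1.10 aa:bb:cc:00:00:01 pms-app-01
2024-05-01T08:02:40 10.20.1.31 aa:bb:cc:00:00:02 pos-term-07
2024-05-01T08:03:05 10.20.1.44 aa:bb:cc:00:00:03 fd-kiosk-02
2024-05-01T08:05:19 10.20.1.77 de:ad:be:ef:12:34 Johns-iPhone
2024-05-01T08:07:51 10.20.1.78 de:ad:be:ef:56:78 -
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<host>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str


def parse_leases(text: str) -> list[Device]:
    """Parse observation lines; malformed lines are skipped rather than aborting the run."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        # Normalise MAC case so inventory lookups do not miss on formatting differences.
        devices.append(Device(m["ip"], m["mac"].lower(), m["host"]))
    return devices


def reconcile(observed: list[Device], approved: dict) -> dict:
    """Split the picture into devices nobody approved and approved assets nobody saw."""
    seen = {d.mac for d in observed}
    unknown = [d for d in observed if d.mac not in approved]
    silent = {mac: approved[mac] for mac in approved if mac not in seen}
    return {"unknown": unknown, "silent": silent}


if __name__ == "__main__":
    report = reconcile(parse_leases(OBSERVED_LEASES), APPROVED_ASSETS)
    print("Unapproved devices on the network:")
    for d in report["unknown"]:
        print(f"  {d.ip:<14} {d.mac}  {d.hostname}")
    print("Approved assets not seen (silent nodes, check whether still needed):")
    for mac, (host, role) in report["silent"].items():
        print(f"  {mac}  {host}  ({role})")
```

Run it on a real export and the “unknown” list becomes the starting point for a device policy (guest VLAN, mobile device management), while the “silent” list is the candidate list for decommissioning servers that only add attack surface.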
See Your Data
Surprisingly, many hotel companies are not fully aware of the data they collect, save and process – but this is key to complying with data privacy laws. A hotel brand or manager needs to know:
What data does it collect?
What data does it need to collect?
How does it collect data – directly from users, clients, and consumers, or through third parties, such as OTAs and third-party websites?
Where does it store the data?
How does it use the data it collects – particularly the personal information of guests and employees?
Who has access to the data?
The GDPR, the CCPA, the Virginia and Colorado privacy laws, the Utah privacy law being considered now, and each other statute currently proposed in the United States require disclosure of each of these factors – and that knowledge is necessary to comply with consumer rights under those laws. A key question is differentiating between the data you collect and the data you need; companies need to recognize that there is no benefit in collecting data that’s not necessary. There is often a sense that “we might want to have this information in the future,” but that rationale does not stand up in today’s environment. Instead of being something of potential future value, collecting, storing, and using data that isn’t necessary for running a hotel business creates liability.
See Your Software
During the past year, understanding the extent of the software a company uses – and the software that its key vendors and partners use – has become increasingly important. The Log4j experience made it clear that if a company doesn’t know the software it relies upon, it cannot take preventive and reactive action to mitigate risks. Companies should create a “Software Bill of Materials,” identifying the software used by or for its business, and should understand how the software is managed, licensed, and supported. The hotel industry is particularly reliant on third-party software, whether it be for property management, reservations, or point-of-sale operations.
The Log4j issues also emphasized how important it is for companies to consider their use of open-source software. Open-source software is ubiquitous, but it is not always well-managed or updated, and is often overlooked when evaluating a company’s risk profile. Hotel companies need to understand what open-source and other licensed software is embedded in their essential software functions.
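The practical payoff of a Software Bill of Materials is that, when the next advisory lands, the question “do we run this component anywhere, including inside something a vendor shipped us?” can be answered by a query instead of a scramble. The following is an added example, not code from the article or any SBOM tool: it walks a constructed CycloneDX-style SBOM (components nested inside an application component, as vendor-delivered software typically appears), finds every copy of a named component, and reports those below a minimum safe version. The component and application names, the version numbers and the `MINIMUM_SAFE_VERSION` value are all sample or placeholder values; the real threshold comes from the vendor or project advisory for the issue you are checking.

```python
"""Query a CycloneDX-style SBOM for copies of a component below a safe version.

Added example (not from the original article). The SBOM content is constructed
sample data and the version threshold is a placeholder.
"""
import json
import re

# Constructed CycloneDX-style SBOM fragment. Package names are real open-source
# projects; the versions, nesting and application name are sample values.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "reservations-service", "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.10.0",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.10.0"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.21.0",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.21.0"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.0"},
    ],
})

# Placeholder: replace with the fixed version named in the advisory you are checking.
MINIMUM_SAFE_VERSION = "2.20.0"


def parse_version(version: str) -> tuple:
    """Turn '2.10.0' or '2.10.0-rc1' into a comparable tuple of ints.

    Pre-release tags are dropped, so a release candidate compares equal to its
    final release; treat that as conservative enough for an inventory query.
    """
    return tuple(int(tok) for tok in re.split(r"[.\-]", version) if tok.isdigit())


def walk_components(node: dict, path: tuple = ()):
    """Yield (path, component) for every component, descending into nested ones."""
    for comp in node.get("components", []):
        comp_path = path + (comp.get("name", "?"),)
        yield comp_path, comp
        yield from walk_components(comp, comp_path)


def find_affected(sbom_json: str, component_name: str, min_safe_version: str) -> list[dict]:
    """Return every copy of component_name whose version is below min_safe_version.

    A copy with no recorded version is reported too: an SBOM gap is a finding,
    not a pass.
    """
    sbom = json.loads(sbom_json)
    safe = parse_version(min_safe_version)
    hits = []
    for path, comp in walk_components(sbom):
        if comp.get("name") != component_name:
            continue
        version = comp.get("version", "")
        if not version or parse_version(version) < safe:
            hits.append({
                "path": " > ".join(path),
                "version": version or "unknown",
                "purl": comp.get("purl"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, "log4j-core", MINIMUM_SAFE_VERSION):
        print(f"{hit['path']}: version {hit['version']} below {MINIMUM_SAFE_VERSION}")
```

The nested hit is the one that matters for the hotel case: the top-level copy is current, but the copy bundled inside the reservations application is not, and without the SBOM that second copy is exactly the kind of embedded open-source dependency the text warns is overlooked.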
See Your Vendors
Hotels have always been aware that vendors provide essential services; they do not, however, always recognize the risks and the vulnerability to bad actors that those vendors create. Simply stated, when a vendor has access to a hotel network, a hacker can access the hotel’s network through the vendor. The situation is more complicated because vendors rarely act alone – they themselves have vendors, and those vendors have vendors, and so on. Even when a company can achieve a degree of comfort with a direct vendor, it may be difficult, if not impossible, to do the same with the vendor’s vendors, who do not have a direct relationship with the hotel.
The hotel industry can address some of these issues by taking a systematic approach to engaging new vendors and evaluating current vendors. Key steps include:
Qualifying vendors by doing a deep dive into their past performance, their privacy and security qualifications, and other key issues.
Entering into strong data security agreements, whether as part of a vendor contract or as an addendum.
Identifying their key vendors, and at least attempting to obtain similar information about those subvendors.
Regularly repeating this effort – vendors can change, and a regular (at least annual) review of their practices is essential, especially as vendors change ownership regularly.
Visibility, by itself, doesn’t prevent a malware attack. Without taking other measures – such as a thorough incident response plan – it won’t ensure an effective response or compliance with privacy laws. However, a company that fails to take elemental steps to understand its network, data, software, and vendors will be more vulnerable and non-compliant. The risks of not taking these steps far outweigh the time, effort, and cost of the effort.