Network & Information Security

Protecting Guest Data: Why Hotel Information Security Awareness Training is So Important
Aug 21, 2006 – By Marcus Bruninghaus

Hotel employee training has traditionally focused on guest service. Standards exist for everything from how to properly place the spoon across the teacup to how to place the remote control on the nightstand. These standards create a memorable and positive guest experience.
With so many standards, and sometimes high employee turnover, hotels often spend a significant amount of time training and retraining employees.

What's absent from most training programs is a discussion of hotel information security safeguards.

Many hotels associate "security" with physical rather than information security. At best, employees receive security training about loss prevention and guest safety.

In this era of unprecedented identity theft paired with increasing state and federal regulation, employees must be trained to protect guests' virtual security as vigorously as their physical security. Otherwise, many hotels likely will face security breaches and other consequences of lax training.

According to a 2006 CompTIA information security survey, 60 percent of all incidents in 2005 were caused by human error. This means that a high percentage of the security incidents in 2005 could have been prevented if employees had been trained properly. Training employees is the low-hanging fruit of the information security world, and the sooner hotels get started, the better.

What's Your Preference: Hackers Want to Know

Personalized guest service in the finest hotels has always been about knowing the preferences of the best customers and then exceeding their expectations. Until recently, this knowledge was locked up securely in the heads of seasoned hotel employees who knew what their most frequent visitors wanted and how to take care of them.

In this high-touch world, security was as simple as committing vital guest information to memory.

Today, however, personalized service has become the rule rather than the exception. Hotels now use complex relational database systems to store knowledge about their guests, such as the blend of their favorite whiskey, and the names and birthdays of their children. Hotel employees use this information every day in every department of the hotel, and they access the information using multiple applications that store the data in different databases each with different levels of security. Access to information no longer is a matter of remembering guest preferences. Therefore, securing guest information requires much more than simple employee memorization.

The ABC's of Security Awareness Training

All information security awareness training programs should begin with training employees on specific hotel information security policies such as acceptable use and electronic mail. These policies ensure that employees clearly understand their responsibilities regarding the hotel's computer systems. In addition, the following five subjects should be taught to all hotel employees:

>> No. 1: Protecting all guest data.

Before employees can be expected to protect guest data, they first must understand what data should be kept confidential. It's reasonable to assume that most employees understand they should protect guest credit card information, but they may not worry about keeping guest preferences confidential. Keep in mind that employees must protect guest data in all of its forms, including printed reports and receipts as well as data displayed electronically on computer screens.

>> No. 2: Creating and maintaining strong passwords.

Despite many advances in access-control technology, most hotels today still use passwords for authentication; many employees must remember multiple passwords for all of the different hotel systems. Creating strong passwords that are easy to remember is the most important skill an employee can learn to protect guest data.

Here is a simple system for creating safe-yet-memorable passwords:

The License Plate Method

Step 1: Think of your favorite phrase or one that you use often.

Step 2: Now imagine that you need to put the phrase onto your new vanity plate. For example, substitute the number 4 for the word "for" and the letter U for the word "you." Be creative.

Step 3: Use punctuation or quotation marks to make the password at least eight characters long.

Now you have a strong password that is difficult to guess yet easy to remember.
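The three steps above, worked through in Python as an added example (not code from the article or its author). Only the "for" to 4 and "you" to U substitutions come from the text; the other substitutions, the function names and the sample phrases are assumptions made for illustration.

```python
import re
import string

# "for" -> 4 and "you" -> U come from the article; the other
# substitutions are assumptions added for illustration.
SUBSTITUTIONS = {
    "for": "4", "you": "U",
    "to": "2", "too": "2", "are": "R", "be": "B",
    "see": "C", "ate": "8", "and": "&", "at": "@", "one": "1",
}
MIN_LENGTH = 8  # Step 3: at least eight characters


def license_plate_password(phrase, pad="!"):
    """Apply Steps 1-3 to a phrase and return the resulting password."""
    if not pad or any(c not in string.punctuation for c in pad):
        raise ValueError("pad must be one or more punctuation characters")
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    if not words:
        raise ValueError("phrase must contain at least one word")
    parts = []
    for word in words:
        key = word.lower().replace("'", "")
        # Step 2: vanity-plate substitution; other words are capitalized.
        parts.append(SUBSTITUTIONS.get(key, key.capitalize()))
    # Step 3: append punctuation, repeating it until the minimum length is met.
    password = "".join(parts) + pad
    while len(password) < MIN_LENGTH:
        password += pad
    return password


def check_password(password, phrase):
    """Return the ways a password falls short of the method (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    if password.lower() == re.sub(r"\s+", "", phrase).lower():
        problems.append("phrase used unchanged")
    return problems


if __name__ == "__main__":
    # Constructed sample phrases, not taken from the article.
    for phrase in ("This one is for you", "Good for you"):
        pw = license_plate_password(phrase)
        print(f"{phrase!r} -> {pw!r} {check_password(pw, phrase) or 'OK'}")
```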

>> No. 3: Recognizing the most common types of attacks, especially social engineering attacks.

Many of the techniques attackers use to gain access to a network involve tricking users. These techniques are commonly referred to as "social engineering." Social engineering scams dupe employees into taking some action - such as giving out contact information over the phone or clicking a link in an e-mail - that opens the doors for attackers.

The 2006 Better Business Bureau Identity Fraud survey reported that one-third of the $5.7 billion lost in 2005 to computer crime was related to "phishing" scams, a social engineering technique that uses fake e-mails linking to malicious Web sites. Yet most hotel employees have never heard of the term.

Training employees to recognize these kinds of attacks before they click on the wrong link or give out sensitive information will go a long way toward preventing a security breach.

>> No. 4: Knowing what electronic countermeasures are in place and being able to recognize alerts.

For those attacks that do not involve user interaction, electronic countermeasures, such as anti-virus and anti-spyware, usually will pick them up and issue an alert. However, employees must be trained to recognize and respond to these alerts or they will simply ignore them. Knowing what the alert means and how to report it is critical to stopping attacks.

A countermeasure of particular frustration to many hotel employees is website content filtering software. Content filtering software is a critical part of a hotel's electronic defenses; however, oftentimes an employee will be locked out of a perfectly legitimate Web site because the site happens to contain too many suspicious attributes. Teaching employees how content filtering software works and why it is important will help ease the pain associated with using it.

>> No. 5: Recognizing and responding to a security incident.

Every hotel should have a policy in place for how to handle security incidents, and every employee should know how to implement it. Although most security incidents are as benign as a virus being caught and quarantined, all incidents should be reported and logged. On that rare occasion when a hotel's computer network is under attack, an eagle-eyed employee can mean the difference between a close call and a security breach that compromises guest data.

Will security awareness training solve all of a hotel's information security problems? No.

Will trained hotel employees be able to stop a determined attacker from gaining access to specific information? No.

So why train? Because trained hotel employees, in concert with strong electronic countermeasures, will be able to combat most attacks.

Marcus Bruninghaus is CEO of PISA Security Inc.



© 2008 EnterpriseInnovator. All rights reserved.