2004 hotel security survey - hospitality net · 2004 hotel security survey presented by dr. cihan...

Produced by Hospitality Financial and Technology Professionals 2004 Hotel Security Survey Presented by Dr. Cihan Cobanoglu Assistant Professor, University of Delaware, Manager CRM and Security Practice, Network Frontiers Dorian J. Cougias Adjunct Professor, University of Delaware, and CEO, Network Frontiers


Post on 22-Mar-2020


Page 1: 2004 Hotel Security Survey - Hospitality Net · 2004 Hotel Security Survey Presented by Dr. Cihan Cobanoglu Assistant Professor, University of Delaware, Manager CRM and Security Practice,

Produced by Hospitality Financial and Technology Professionals

2004 Hotel Security Survey

Presented by Dr. Cihan Cobanoglu, Assistant Professor, University of Delaware, Manager CRM and Security Practice, Network Frontiers

Dorian J. Cougias, Adjunct Professor, University of Delaware, and CEO, Network Frontiers


Introduction

• Technology became inseparable from hospitality operations.

• Technology becomes a part of the DNA of the company.

• Information security is getting more important.


And we are all under compliance


Assurance is key


Introduction

• Every day thousands of major security breaches occur in the public and private sector, resulting in serious financial and property losses (Flink, 2002).

• 75% of email is spam (EWeek, 2004).

• In 2003, every single computer was attacked by a virus at least one time.


What you can lose…

What can go awry

Documents Apps OSes Storage Hardware Network Power Building
Confidentiality 4 4 4 4 4
Integrity 4 4 4 4 4 4 4 4
Availability 4 4 4 4 4 4 4 4


Purpose of This Study

To analyze security practices of electronic information, network threats and prevention techniques in hotels.


Objective of This Study

To help information technology directors or chief information officers with policy development for security of electronic information in chain hotels in the United States.


Problem Statement

• Networks are involved at every level of hotel management (Cobanoglu & Cougias, 2003).

• At the property level, there are local area networks where reservation, front office, restaurant management, payroll, accounting, human resources, and other systems reside.

• In addition, hotels may offer high speed Internet access (wireless or wired) to their guests in their hotel room or other areas in the hotel.


Review of Literature

• It has been calculated that the total volume of information is increasing at the rate of some 12 percent a year.

• Managing this information has become a major challenge to public authorities, to companies, and to private individuals (Daler et al., 1989).

• The Internet now goes into over 120 nations around the world and has approximately 605 million users (NUA Internet, 2004).


Security Procedures Protect Hotel’s DNA

CRS Inventory CRM POS E-Mail

Datasets

PMS Billing Sales Ops Back Office

Processes

Refunds AR/AP Reporting Unstructured Supply Chain

Documents


A Hotel Computer System

[Diagram: front-of-house (FOH) and back-of-house (BOH) hotel systems. Labeled components: PMS; Corporate Accounting System; Corporate Reservation System; MIS, EIS; Forecasting & Scheduling; Time & Attendance; Global Reservation System; Travel Agents; Corporate Guest History; Purchasing & Inventory; Food & Beverage Inventory System; Restaurant Management System (POS); Electronic Bar Dispenser; Mini Bar; Call Accounting System (CAS); Long Distance; Yield Management; Pay Per View / Check Out; Credit Card Authorization & EFT; PBX (Switch); Maid Dial-In; Voicemail Message Handling; Wake-Up System; Sales & Catering System; Remote Sales; Marketing; Maintenance; Energy; Fire & Life Safety; Electronic Lock & Security System; In-Room Energy Control. Legend: Systems Off Premise; Systems In-House; Interface with Direction of Data Flow.]


Assurance is key


A Hotel Computer System

[Diagram: the same hotel computer system diagram as on the earlier slide of this title, showing FOH and BOH systems, systems off premise and in-house, and interfaces with direction of data flow.]


Threat Matrix

Threats, by category: Physical, Technical, Operational

• Accountability / Apathy
– Physical: Systems can be misidentified or lose all identification
– Technical: Fault isolation can be hampered by “dumb” systems, reports can be ignored
– Operational: Managerial apathy can set in

• Confidentiality / Illicit use
– Physical: Physical access of systems or facilities can be breached
– Technical: Malicious code can impede operations, breaching confidentiality
– Operational: Authorized users can illicitly access and use confidential data

• Integrity / Chaos
– Physical: Improper setup, or unexpected manipulation can wreak havoc
– Technical: Degradation, corruption, and malfunctions can bring mayhem
– Operational: Untrained users can misuse or mishandle systems

• Availability / Loss
– Physical: Physical systems can be stolen, destroyed, or access can be lost
– Technical: Network access and data can be lost
– Operational: Users can be locked out of systems


Operational Loss


Technical Loss


Physical Loss


Security Scenarios

• While Cougias was doing a security audit, another employee of his took one of the main servers out of the building with a fake work-order.

• Two weeks ago, I had access to the network of Hospitality School in Thailand without any problem.

• Try driving through the streets with your wireless-enabled laptop (war chalking).


Method - How we did the study

• Population: Hotel managers who are in charge of information security practices.

• Sample: The target sample consisted of 1143 technology managers that were current subscribers of Hospitality Technology magazine as of November 2003.

• The list of the respondents was provided by Hospitality Technology magazine. All of the sample members had an email address; therefore, only the online version of the survey was conducted.


Methodology

• The survey has been adapted and expanded from the 2003 CSI/FBI Computer Crime and Security Survey (CSI, 2003).

• Self-administered online survey with four sections
– Security technologies
– Network security threats
– Perception statements
– Demographics and property characteristics


Findings

• Out of 1143 sample members’ emails, 279 emails were returned as “undeliverable”, reducing the effective sample size to 864.

• 154 filled out the questionnaire, thus yielding a 17.8% response rate.


Top 5 Network Security Tools and Techniques Used by Hotels

Technique %
• Anti-virus Software 84.4%
• Physical Security 82.7%
• Hardware Firewall 79.7%
• Software Firewall 77.6%
• Access Control 75.3%


Top 5 Network Security Tools and Techniques Not Used by Hotels

• Biometrics 69.4%
• Digital IDs 68.1%
• Image Servers 63.0%
• Vulnerability Assessment Scan 42.5%
• Intrusion Detection Systems 35.5%


Network Attacks

• Twenty-six percent of the respondents had a computer network attack within the last 12 months.

• The size of the hotel seems to be positively correlated with the number of attacks observed within the last 12 months (r=.72; p=.001).


Network Attack Types

• Virus 24.2%

• Insider abuse of net access 18.1%

• Spoofing 10.6%

• Unauthorized insider access 9.0%

• Denial of service 7.5%
– Have you tested lately?


Who Is Responsible?

• Independent hackers 39%
• Disgruntled employees 26%
• Other 16%
• I do not know 13%
• Foreign Corporations 3%
• U.S. Competitors 3%


Other Findings

• The average financial loss created by these attacks was $9,092.

• About 50% of the respondents may hire reformed hackers or ethical hackers as consultants.

• Only 3.7% of the respondents reported computer network attacks to law enforcement.

• The most used prevention tool was applying patches (79.5%) as they were released by manufacturers of hardware and software.


Survey Conclusions

• This study is one of the first attempts to analyze computer network attacks and prevention techniques in the hotel industry.

• The results showed that computer network attacks create serious threats to hotels.

• Although hotel companies use some prevention techniques, we observed a distributed solutions mix.


Other Findings

• Only 40% have enough resources for security

• 56.4% have enough expertise

• 23.1% do not have a method of getting rid of old user accounts

• 20% are a member of an IT security organization

• 38.5% never conduct an IT security audit


Survey Conclusions

• Some hoteliers prefer to outsource their network and information security systems. This may have a two-fold impact on hotels:
– 1) If the outsourcing company is a network and information security expert, then the hotel network systems may be better protected.
– 2) The dependency on a different company in such an important issue may create some problems such as data privacy and ownership.


Recommendations

• A significant number of hotels do not use and plan to use in the future some important network and information security tools and techniques.

• Some of these tools are so vital to network security that not using them is an open invitation to internal and external hackers.

• Hotel managers would do well to review this list, compare it with the tools they use, and implement and use multiple tools.
