Bookingninjas Property Management System

Data Security in the Hospitality Industry

20 May 2020

Concerns, Best Practices and Why to Consider Implementing the ‘Salesforce Platform’ with added security from Booking Ninjas

Data breaches within the hospitality industry, especially at hotels, have become commonplace. In fact, most major hotel chains have fallen victim to cyber security breaches in recent years. Large hotel companies have quickly become a top target for cybercriminals, which makes proper data security measures vital. In 2015, Verizon’s Data Breach Investigation Report estimated the annual cost of global cybercrime at an astounding $100 billion.

Data security is a crucial consideration for businesses in many industries, especially hospitality. Due to the type of data collected by these companies, any breach of data results in exponential panic across entire customer bases, which could take years to recover from, if at all. The public scrutiny, damage to reputation, and huge financial liability are enough to ensure that data security is a top priority across the industry. Hotels, motels, resorts, commercial rental properties, and apartment complexes all house large quantities of sensitive personal guest data, including names, addresses, emails, phone numbers, credit card information, as well as passport and driver’s license information.


Cybercriminals, hackers, scammers, or any name you’d like to call them, target the hospitality industry more frequently than others. From their perspectives, hospitality is the perfect target. Multiple databases and many devices containing personal information and credit card details make it a treasure trove of opportunity for their survival and financial gain.

The coronavirus pandemic has resulted in a rise in this type of criminal activity. With millions out of work, new culprits with different skill sets are taking to the business of cyber-crime as a means of survival. And despite a huge drop in business during this time, security systems in the hospitality industry are at their most vulnerable.


DATA SECURITY CONCERNS FOR HOSPITALITY BUSINESSES

Data Sovereignty

Data sovereignty addresses the rights to storage of company and customer data based on geography. Laws associated with it are in place to secure data and guarantee privacy for populations from foreign threats. The issue has taken center stage in the world, primarily due to western countries, including the U.S.A., being in strong opposition to China, which basically controls its country’s internet in every facet. The differing philosophies are of the utmost importance when you consider the vast number of cyber security systems China provides and how its different philosophical viewpoint is reflected in the way those systems function. Basically, the Chinese government has the right to view any secure data held within any Chinese-made cyber security system.

The democratic data sovereignty associated with western democracies directly reflects their systems of checks and balances. Any company holds the right to release or withhold any information held secure within their cyber security system. Any U.S. or European company can fight the government and vice versa in this arena. That is not the case in China. Therefore, any U.S. or European hospitality business should understand their risk in implementing Chinese technology for the purposes of cyber security. China has been connected to many cyber attacks on U.S. hotel chains over the years.


Other countries with similar government systems to China may be prone to leakages, hacking or data confiscation by local governments as well. That is why geographic screening is so vital to choosing cyber security software.

Financial Diligence

Researching the financial viability of a cyber security provider is another important consideration. Businesses strapped for liquid funds or just starting out may not be able to offer the same level of cyber security and innovation as more established providers. They will often resort to offering more affordable service, but you must consider the old adage, “you get what you pay for.”

Complex Ownership

Businesses in the hospitality industry usually have complex ownership structures in which franchisors, individual owners or groups of owners work with a management company as their ‘eyes-and-ears’ on the ground. They are a team that works together and takes on separate responsibilities to ensure smooth business operation. As a result, they all use varied computer systems to store data, which inevitably moves frequently across their many systems on a daily basis.


Reliance on Electronic Payment Methods

The hospitality industry is very dependent on credit cards and other forms of paperless electronic payment methods due to the nature of their business. Hotels often require credit card information in order to make a reservation, with final payments mostly being made with the same card that’s already on file. It’s a matter of convenience for both customers and staff.

This foregone conclusion is music to the ears of cybercriminals, whose bread and butter is infiltrating ‘point-of-sale’ (POS) systems to steal debit and credit card information. And once a single POS within a system has been successfully hacked, there is huge potential for the entire collection of interconnected systems to be compromised. Even worse, these types of attacks can go unnoticed in larger systems for months at a time.

Disposal Processes

Almost 20% of hospitality companies don’t have any policy in place for storing or disposing of confidential paper documents, and nearly a third of them don’t have a regulated protocol for storage and disposal of their customers’ electronic information.


Rapid Staff Turnover Rates

Training your staff with proper protocols for gathering and storing personal data safely is a paramount concern for hospitality businesses. Additional training is required to ensure the workforce knows how to identify social engineering attempts and is familiar with a company’s compliance guidelines. The fact that many hospitality industry employees are only seasonal workers or have varying degrees of necessary education is of great concern. Frequent employee transfers are also common in hospitality businesses, especially at large, corporate chain hotels, where they advertise that option to their staff as a job incentive.

Maintaining a well-trained staff becomes increasingly difficult when you consider the high turnover rate and frequent staff transfers in hospitality. It only takes one staff member who isn’t familiar with necessary data security protocol to be taken advantage of by a cybercriminal waiting to hack into a company’s system and access sensitive information.

Human Manipulation

Cyber criminals have shifted their tactics from technological to more human approaches in taking advantage of basic human behavior. Your company’s people can be your biggest security threat because they are most vulnerable to attacks from hackers. Intruders exploit normal human behavior to steal credentials and infiltrate networks. They will play on basic human emotions like fear, trust, morality, conformity and curiosity to extort information.


Compliance

Data security risk in the hospitality business is far greater than just the negative ramifications to a company’s reputation should a data breach occur. The industry and political regulators have grown more strict in recent years regarding how organizations process and store personal information. The responsibility to protect people’s privacy and financial means of function has grown by leaps and bounds within the last decade. Failure to comply with more stringent regulations comes with grave ramifications capable of putting companies out of business and severely damaging their ability to continue pursuing future hospitality endeavors. There are also hefty fines levied upon those failing to protect their customers, which alone are enough to put many smaller companies out of business.

Attacks from Within

Although less common than other risks, the threat of company employees selling data to third parties without the knowledge of their employer is a very real concern for hospitality businesses. Resorts and smaller hotel chains in particular are unable to offer benefits and incentives like their larger competition, which could increase the incentive for a seasonal worker to take advantage of their trusted position.


BEST PRACTICES FOR DATA SECURITY IN HOSPITALITY

Always encrypt payment card data

Encrypting sensitive payment data ensures that only properly trained and trusted employees will be able to access and view customer payment information via their passwords or access certifications.

Maintain a well-trained workforce

Instituting more comprehensive employee training for all staff has proven increasingly necessary for ensuring data security. Clear and strict policies regarding the disposal of sensitive physical documents and the wiping of electronic records are critical for all hospitality companies.

Training your staff to identify potential threats is another vital step toward ensuring your company’s data is secure. Educating staff on basic methods of how hackers obtain information will increase the security of your company as a whole.


Cyber-Security Measures

Firewalling, network monitoring, anti-malware and traffic filtering all help against common security threats. Having all measures within one system increases your production and improves company security. One such all-encompassing system is provided by Booking Ninjas.

Test your Cyber-Security

Conducting ‘in-house’ tests of your organization’s cyber-security defenses ensures that the protection you have in place is functioning properly. Mirroring the behavior of an actual hacker to test the response from your cyber security is a necessary and intelligent precautionary measure.

Hiring a cyber security audit firm guarantees expert hacker simulation to ensure your system is up to the most rigorous of attacks.

Limit Employee Access to Data

Not everyone needs access to all information. Enforcing the principle of hierarchy, chain-of-command, access codes, passwords and electronic access badges limits who has access to sensitive information. This helps your company to ensure only the most trusted, reliable and well-trained staff members are in charge of handling sensitive data.

WHO CAN YOU TRUST WITH YOUR CYBER SECURITY?

Understanding the risks of data security and implementing safety measures for mitigating these risks are necessary steps for all organizations operating in the hospitality industry. But neither guarantees your protection or that of your customers from cyber attacks and data breaches.

For any hospitality business preparing to implement a cyber security system, there are important factors to consider. Chief among them are geographic screening, financial diligence and IT architecture.

The top priority for any hotel or hospitality business when it comes to limiting cyber risk is to be meticulous in your selection of a cyber security provider. No matter how comprehensive a cyber security software may be, or what guarantees they offer, the responsibility of protecting customer data in the hospitality industry ultimately ends up at the feet of the hospitality business itself. That’s why choosing the right security software is vital.

BOOKING NINJAS PMS SYSTEM: Limiting risks with Salesforce platform’s added security

One all-encompassing and efficient step toward ensuring more data security is implementing Booking Ninjas’ Salesforce platform with added security. As an expert property management system, it is the business of Booking Ninjas to create comprehensive tools that integrate all sectors of hospitality businesses. When it comes to data security, Booking Ninjas combines advanced, built-in protections with multiple layers and levels of options and preference settings to customize a company’s responses to all data security issues. Booking Ninjas has you covered for every possible breaching event.

With the California Consumer Privacy Act (CCPA) signed into law at the start of 2020, the act now works alongside an already existing regulation, the General Data Protection Regulation (GDPR), to ensure businesses follow the data security and handling guidelines. Out of ignorance and because the CCPA is new this year, many companies have yet to begin following these rules and regulations, which puts them at risk for fines and other compliance issues. Booking Ninjas and the Salesforce platform’s added security are in full compliance with CCPA and GDPR regulations, so you can rest assured your security measures will be upholding the most up-to-date letter of the law.

Booking Ninjas’ PMS solution protects your organization’s data from any and all outsiders by using unique identifiers, which are constantly changing because they are based on each user’s sessions. When you log in, specific identifiers based on your company and your position are customized to you, which ensures you possess the knowledge and skill set of the person you claim to be.

Salesforce is hosted exclusively in secure server environments that use firewalling and other advanced technology to prevent interference or access from outside intruders.

Transport Layer Security (TLS)

Salesforce uses some of the best security technology available in the world. You must use a Salesforce-supported browser just to access the system. From there, TLS protects your data using both server authentication and classic encryption, ensuring your information is safe, secure, and available only to registered users within the organization.

Protect Your Salesforce Data

Once you’ve installed your Booking Ninjas pms solution, it’s important to carefully select the security settings that will keep your data as safe as possible, while still allowing you to maintain efficiency within the program for maximum benefit. You want to be able to protect your company’s data from unauthorized access outside of the company, yet also safeguard against inappropriate usage from your own internal users as well.

LAYERS OF SECURITY

Protecting your company’s information is a job best handled in collaboration between you and Salesforce. Security features enable maximum efficiency for your team by not getting in the way, yet still providing necessary protection.

Your Security Team

As your team’s Salesforce administrator, you are automatically a part of the company’s security team. Security is the foundation of the entire Salesforce service. Besides protecting your data and applications, Salesforce allows you to build a security scheme tailor-made to your company’s needs. By selecting which employees have access to data, Salesforce and Booking Ninjas give you the ability to keep track of your users’ activity within the system and to make sure the right users can work on the right data.

Let the right users in

One vital element of the Salesforce security system is requiring a second level of authentication when users log in. Users either respond to a Salesforce Authenticator notice from their mobile app or they enter an access code sent to their phone via text or email. This ensures the user’s account is protected, even if a user’s credentials have been compromised.

Two Kinds of Authentication

The ‘Salesforce-Authenticator’ makes it easy to set up two-factor authentication. It is easily configured with step-by-step instructions by simply going to ‘setup.’ You can also specify which users require ‘two-factor-authentication.’ This is helpful and recommended for users with access to more sensitive data. Meanwhile, not requiring it for users without access to data increases efficiency and convenience for more basic Salesforce users.

Restricting IP Addresses available for User-Log-In

Salesforce login can be limited to addresses exclusively belonging to your company. Anyone attempting to log in from an outside address can’t access the login page. This ensures that even if a hacker obtains the necessary login credentials, they cannot use them outside of your corporate network. Trusted IP addresses can be set up for the whole organization or for specific user profiles.

Deactivating Ex-Users

Salesforce users change constantly due to a variety of factors in a workplace that changes faster than ever before. With employees leaving their companies or shifting positions regularly, new users are being added on a daily basis. By controlling your own security, when a user no longer works for your company, they can be quickly and simply deactivated within minutes. Their Salesforce credentials become permanently disabled and new ones must be granted if they return to work again.
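An offboarding check for the deactivation step described above, as an added example that is not Booking Ninjas’ or Salesforce’s own code: it compares an HR departure list with a user-account export and flags accounts that are still active, or that logged in, after the employee’s last day. The field names and sample records are constructed assumptions, not a Salesforce export format.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample data: an HR list of departures and a user-account export.
# Field names are hypothetical, not a Salesforce export format.
DEPARTURES = {
    "a.lopez@example-hotel.test": date(2020, 3, 31),
    "j.chen@example-hotel.test": date(2020, 4, 15),
    "seasonal01@example-hotel.test": date(2020, 5, 1),
}
ACCOUNTS = [
    {"username": "A.Lopez@example-hotel.test", "active": False,
     "last_login": "2020-03-30T17:02:00"},
    {"username": "j.chen@example-hotel.test", "active": True,
     "last_login": "2020-04-20T08:11:00"},
    {"username": "seasonal01@example-hotel.test", "active": True,
     "last_login": ""},
    {"username": "frontdesk@example-hotel.test", "active": True,
     "last_login": "2020-05-19T06:45:00"},
]


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    last_day: date


def audit_offboarding(departures, accounts):
    """Return findings for departed staff whose accounts were not shut off."""
    # Usernames are compared case-insensitively so "A.Lopez" matches "a.lopez".
    last_days = {user.lower(): day for user, day in departures.items()}
    findings = []
    for account in accounts:
        username = account["username"].strip().lower()
        last_day = last_days.get(username)
        if last_day is None:
            continue  # not on the departure list: out of scope for this check
        if account["active"]:
            findings.append(Finding(username, "still_active", last_day))
        # An empty last_login means the account never logged in.
        if account["last_login"]:
            last_login = datetime.fromisoformat(account["last_login"]).date()
            if last_login > last_day:
                findings.append(
                    Finding(username, "login_after_departure", last_day))
    return findings


if __name__ == "__main__":
    for f in audit_offboarding(DEPARTURES, ACCOUNTS):
        print(f"{f.username}: {f.issue} (last day {f.last_day})")
```

A login after the last day is the finding to investigate first, since it shows the credentials were actually used after the person left.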

LIMIT WHAT USERS CAN DO

Within the Salesforce security platform, there are multiple levels of access that can be specified to determine who can do and see what. Different areas of the company can be configured individually for maximum efficiency.

What Can They Do?

Access to different resources can be limited at your discretion based on a level of security clearance, which is determined by user authentication at the time of their login. You have the option to set up a “standard” or “high assurance” level of security, which dictates what specified resources are available to users with certain levels of security clearance.

What Have They Done?

Field Audit Trail allows you specific preferences to determine how long archived field history data can be kept. You’re capable of securing up to 10 years of activity without field history tracking. This feature is extremely valuable because it maximizes efficiency and security should the need to comply with industry regulations for audits become necessary. Tracking of all setup changes by you and all other users is an included function. Audit history is vital for businesses with multiple users.

MORE SECURITY OPTIONS

Encrypt Your Data

Booking Ninjas’ pms solution makes use of Salesforce’s ‘Platform-Encryption’, which adds a new layer of security for your data while maintaining user functionality. It uses a unique advanced key derivation system to select data that can be encrypted at rest. This protects your information more than ever before, while still complying with privacy policies, contractual obligations and regulatory requirements, which is necessary when it comes to handling private information. ‘Platform-Encryption’ is included with a package of advanced add-on security features called ‘Salesforce Shield.’

Trigger Automatic Actions on Security Events

You may want to specify actions to be taken when security events occur, such as notifications, blocks, or requiring two-factor authentication. You can also set security policies where a session simply ends if a breaching action is attempted. These actions are called ‘Transaction Security policies’ and are also included as part of the ‘Salesforce Shield’ package.

Monitor Events in Your Organization

‘Event Monitoring’ allows you to access event log files to keep track of user activity. This feature can be integrated with other data analysis tools. It is also a part of the ‘Salesforce Shield’ package.

CONCLUSIONS ABOUT IMPLEMENTING DATA SECURITY WITH SOFTWARE

Data security has become a primary consideration across the hospitality industry. A big reason for that is the fact that there are no guaranteed methods for stopping data breaches. A company can only do their research, educate their staff and implement the security systems that they deem best suited to them. Customizing your implementation of security decreases the chances of compromised data and reduces the amount of data loss in the event of a security breach.

Based on my research, the Salesforce platform with added security from the Booking Ninjas pms checks all the boxes when you consider the previously laid out concerns and considerations from the first half of the blog. The platform is compliant with all of the latest legislation, falls under U.S. jurisdiction, and is designed specifically for hospitality businesses. Providing quality training to your team on how to best use Salesforce builds a unified front for keeping data safe. It’s really just a matter of providing quality training to your staff to ensure the platform operates at maximum efficiency.

Interested in learning more about our pms software? Take a look at our implementation process or simply schedule a brief 10 minute intro call.