In your hotel, your team members are, without a doubt, the main actors in preventing, detecting and mitigating risks and threats . A safe environment, whether physical or digital, depends primarily on people and their ability to prevent, detect and react to potential security risks. In the case of computer security, the capabilities that your team possesses are of particular importance as the areas of knowledge are very broad and constantly evolving, with the ability to teach, train and train employees of your hotel unit being crucial for a safe environment. .

Not wanting, as I already promised, to keep these articles at the level of theory, I will present a practical example where the ability to prevent, detect and react are decisive.

PEN DRIVES, USB PORTS AND THE HOTEL’S WEBCENTER

Perhaps due to a professional error, whenever I stay in a hotel, I do a simple test of the ability to prevent and detect that the hotel has: at reception I ask for the special favor of printing my plane ticket which is on my Pen Drive which I deliver promptly.

PERCEIVE THE THREAT

With this seemingly simple decision, you may be allowing:

• The network is monitored in order to find vulnerabilities and relevant information;
• Information can be collected about usernames and passwords used in any hotel operation system and beyond;
• Giving access to sensitive information about your business or your guests;
• Allow the hijacking of equipment, systems and your unit.

Allowing the connection of a Pen Drive to a device means running a high risk of, in a few seconds, passing a varied set of malware onto your system, thus opening the door to a wide range of threats, namely those that allow you to open the door to your systems, data and activity to cybercriminals.

HOW TO ACT

There are several possibilities here, which can be applied according to the reality of your hotel unit.

ANTIVIRUS

All equipment must have a professional antivirus solution installed and updated. Most professional solutions on the market have the ability to detect known threats, thus allowing you to establish a first line of defense.

SECURITY POLICY

Have a defined security policy that establishes a clear procedure for these situations . Nowadays it is common to get one of the following answers:

• “ It is not possible for us to connect Pen Drives to the system, but if you can send them by email we will print them ” – So, even if there are USB ports on the equipment, the team knows the risks and knows how to act, and if you have an antivirus this will do its part in detecting any threat when receiving the email.
• “ It is not possible for us to connect Pen Drives to the system, but you can go to our webcenter and connect your Pen to one of the devices and print ” – In this case, we are transferring the risk to the guest, and it is up to them to decision whether or not to connect the Pen Drive to one of the available equipment, and in relation to hotel web centers there are still other IT security measures to be applied as they are a true nest of malware .

SECURITY MEASURES

There is the possibility of configuring and applying some relatively simple security measures to your computer systems, allowing you to reduce the risks associated with connecting external USB devices. Therefore, you can ask your IT department to disable the possibility of using the USB ports of certain (or even all) equipment, thus adding a layer that effectively prevents the policy from being overridden by the user's will. The application of this measure is also an additional security factor, as it prevents users from connecting USB devices (often personal) to equipment, thus contributing to reducing the internal threat. There are some documented cases where the attacker came from within the organization.

Regarding the webcenters used by guests, sometimes some of them do not have the best intentions and the truth is that we cannot control all aspects of their use, and it is very common to find malware installed on these devices. And obviously, if the guest is the victim, their level of experience and satisfaction will not be the best . There are, however, also some security measures that can be applied to this equipment, mitigating some situations. My favorite is the use of virtualization. This means that, in reality, the equipment is running a virtual machine, which behaves just like the normal solution, but every time the equipment is turned off it erases everything, returning to the initial state. Therefore, every time it is turned on, the equipment is clean of previous installations, usage history, saved files, among others. Although it is not a completely safe situation, it is still an excellent way to reduce some of the risks detected in web centers .

With this small example, I hope I have managed to raise awareness of the importance of preventing cyber threats as they can have consequences beyond those directly visible.

I can also add that detecting and reacting to threats is not just up to your antivirus, it is also up to the team, as nowadays with electronic locks or USB chargers for phones, these are also attackable and attack vectors .

Therefore, I suggest reading this article which presents a simple and cheap way to bypass locks, as well as this other article which presents some of the precautions to be taken when using USB wall chargers available in hotels, airports, airplanes, among others. If in the first case, manufacturers are responding and resolving the threat that has mainly to do with the physical security of accommodation and the possibility of use for robbery, the second, in addition to difficult detection, is today one of the most used vectors for theft of data.

Having said that, my dear cyber hotelier, don’t forget that “prevention is better than cure”! Start applying some simple measures and train your hotel cyber team to protect your unit.