When to outsource cyber security in the hospitality sector

Speaking generally, outsourced IT services often include some security-related activities, such as security patch management and firewall administration. IT security, however, is much more comprehensive than patch management and firewall administration, so hotels are likely to move towards more robust outsourced security services.

A significant difference within the Middle East with respect to cyber security approaches in the hospitality industry is poor security practices when handling sensitive customer information. As an example, it is common practice for hotels in the region to require full credit card information, including scanned copies of the front and back of the card, for restaurant reservations. Customers are asked to send this information via unsecured e-mail, and if you decline to provide it for security reasons you receive the following response: “Kindly be advised that we are no longer holding the below reservation for you. It is policy that we take credit card details.”

Guidance on what customer information should and should not be stored by a third party such as a hotel is outlined in the Payment Card Industry (PCI) Data Security Standard (DSS), commonly known as PCI DSS. PCI DSS stipulates that the following information can be stored in compliance with the standard:

  • The Primary Account Number (PAN)
  • Cardholder Name
  • Service Code
  • Expiration Date

However, although a third party may be permitted to store this information, it must be “protected” by ensuring the PAN is rendered unreadable by methods such as encryption, hashing or truncation.

Requiring a scanned copy of the back side of your credit card, which contains the Card Identification Number (CID), is a poor security practice.
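As an added illustration (not part of the original article and not text from PCI DSS), the following Python example reduces a card record to a storable form: the PAN is truncated and keyed-hashed, the other permitted fields are kept, and the CID is discarded. The field names, the first-six/last-four truncation format, the use of HMAC-SHA256 and the sample record are assumptions made for the example.

```python
import hashlib
import hmac

# Non-PAN fields the article lists as storable (field names are assumed).
# Anything else in the record, such as the CID, is dropped.
STORABLE_FIELDS = ("cardholder_name", "service_code", "expiration_date")


def luhn_valid(pan: str) -> bool:
    """Check length and Luhn checksum so malformed input is rejected."""
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep first six and last four digits (assumed format)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash, so equal PANs can be matched without storing the PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return the only form of a card record that should reach storage."""
    pan = "".join(c for c in record["pan"] if c not in " -")
    if not luhn_valid(pan):
        raise ValueError("PAN failed validation")
    stored = {f: record[f] for f in STORABLE_FIELDS if f in record}
    stored["pan_truncated"] = truncate_pan(pan)
    stored["pan_hmac"] = hash_pan(pan, key)
    return stored


# Constructed sample: a widely used test card number, not a real account.
SAMPLE = {"pan": "4111 1111 1111 1111", "cardholder_name": "A GUEST",
          "service_code": "201", "expiration_date": "12/30", "cid": "123"}
```

The HMAC key has to be held separately from the stored records: with an unkeyed hash, the few digits hidden by truncation could be recovered by trying every candidate.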

Thus, the benefit for hoteliers of outsourcing cyber security services is that experts in the field monitor and respond to cyber security incidents. Cyber security experts can provide advice and recommendations on how best to protect sensitive customer data, reduce the risk of cyber security incidents impacting business operations, and provide continuous monitoring services. Another benefit is access to cyber threat intelligence that can help to prevent and predict cyber-attacks. IT security firms have access to cyber threat intelligence from multiple sources, and that information can benefit others as a way of implementing mitigation strategies prior to an attack.

DarkMatter has experience responding to cyber breaches within the hotel industry, conducting root cause analysis of the breach, and undertaking forensic analysis and damage assessment to determine the scope of the compromise. DarkMatter experts have also assisted hotels in removing malicious software, designing security infrastructures, conducting compromise assessments, conducting vulnerability assessments, developing continuous monitoring programmes, and providing cyber security consulting services.