What is the global trend for the hotel industry to outsource IT security? I.e., a general trend, or different from region to region? Who's leading, who's lagging behind?
Speaking generally, IT services that are outsourced often carry a portion of security-related activities such as security patch management and firewall administration. IT security, however, is much more comprehensive than patch management and firewall administration, so the likelihood is that hotels are going to move towards more robust outsourced security services.
How does the Middle East hotel industry compare? Again, any countries, groups leading or lagging? What is the general trend? Are hotels outsourcing IT security, trying to do it in-house, or not doing it at all?
The most significant difference I have seen within the Middle East is poor security practices when it comes to handling customer sensitive information. As an example, it is common practice for hotels in the region to require full credit card information, to include scanned copies of the front and back of the card, for restaurant reservations. This information is requested to be sent via unsecured e-mail, and if you choose not to provide it due to security reasons, you receive the following response: "Kindly be advised that we are no longer holding the below reservation for you. It is policy that we take credit card details."
Guidance regarding what customer information should and should not be stored by a third party such as a hotel is outlined in Payment Card Industry (PCI) Data Security Standards (DSS), commonly known as PCI DSS. The PCI DSS standards stipulate the following information can be stored for the purposes of complying with PCI DSS:
However, it should be kept in mind that though a third party may be permitted to store this information, it needs to be "protected" by ensuring the PAN is rendered unreadable, by methods such as encryption, hashing or truncating.
Requiring a scanned copy of the back side of your credit card, which contains the Card Identification Number (CID), is a poor security practice.
What are the benefits of outsourcing IT security – any aspects in particular?
The benefit for hoteliers of outsourcing cyber security services is that it allows experts in the field to monitor and respond to cyber security related incidents. Cyber security experts can provide advice and recommendations on how to best protect sensitive customer data, reduce the risk of cyber security incidents impacting business operations, and provide continuous monitoring services. Another benefit is access to cyber threat intelligence that can help to prevent and predict cyber-attacks. IT security firms have access to cyber threat intelligence from multiple sources, and that information can benefit others as a way of implementing mitigation strategies prior to an attack.
What role does your company play in conducting IT security functions and services for the hotel industry?
DarkMatter has the experience of responding to cyber breaches within the hotel industry, conducting root cause analysis of the breach, undertaking forensic analysis and damage assessment to determine the scope of the compromise. DarkMatter experts have also assisted hotels in removing the malicious software, designing security infrastructures, conducting compromise assessments, conducting vulnerability assessments, developing continuous monitoring programmes, and providing cyber security consulting services.