Network security company Internet Security Systems has just issued a report stating that "security events" - an "event" being anything from a computer virus to a major attack on a computer network - increased by more than 80% in the first quarter of this year compared with the previous three months. It's alarming reading for anyone who owns a computer, let alone companies that base their business on them. But what measures are companies taking to protect the important data stored on their computers?
According to Daniel Felstead, director of security consultants Amicus Mentor France, the hospitality industry is as vulnerable as any other business when it comes to data security. "In terms of electronic attacks, the threat to hotels from hackers, disgruntled employees and so on is the same as any other commercial operation. The movements of an individual, who they meet, spending patterns and who they are communicating with could all be attractive to third parties for a variety of reasons," he says. "Consequently, a high level of discreet and effective security is required in order to protect guests without hindering their lifestyles."
But where do these threats come from? The best-known are viruses and worms that can destroy data on your computer network and, of course, hackers. Thankfully, the Hollywood-style hacker is rare, but there are others who use software to "probe" a network to see if they can get in. There is also another potential threat to your data: an employee. As Lee Cox, director of IT consultancy Sol-Tec, comments, employees should be included in any data security policy.
"Research has shown the greatest threat to a business's security is from its own staff. Some businesses forget to ensure that policy and procedures are set up to protect against potential threats such as e-mail viruses, internet misuse and mishandling of personal and private data, which can all lead to an attack on the company's security, not to mention a mark on its reputation."
The knack is to be able to protect your data without alienating your staff or making life difficult for your guests. Cox says that if hotel office staff use an internet connection, the filtering of inbound traffic to the internal office network from the public internet is a basic security requirement. However, he warns, if the hotel uses public internet service terminals or some other type of device that gives hotel residents access to voice, video or data services (like internet protocol telephony phones or PCs), it should be defined as a separate security domain and separated from the office network.
But what if your guests have access to the internet? "This can be carried out by using a separate security domain if there is a separate internet connection facility, or by using another port on the firewall [a piece of hardware and/or software used to protect your network from attack] on the main internet connection," Cox explains.
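The separation Cox describes can be checked mechanically. The following is an added example, not part of the original article: a small Python model of a three-port firewall that audits a rule list against that separation. The zone names, the rule format and first-match evaluation with a default deny are assumptions made for illustration.

```python
from itertools import product

# Hypothetical zones, one per firewall port. Rules cover new connections only;
# reply traffic is assumed to be handled by a stateful firewall.
ZONES = ("internet", "office", "guest")

# Flows that must be blocked: unsolicited inbound to the office, guests to the office.
FORBIDDEN = {("internet", "office"), ("guest", "office")}
# Flows that must keep working: staff and guest internet access.
REQUIRED = {("office", "internet"), ("guest", "internet")}


def decide(rules, src, dst):
    """Return 'allow' or 'deny' for a new connection; the first matching rule wins."""
    for rule_src, rule_dst, action in rules:
        if rule_src in (src, "any") and rule_dst in (dst, "any"):
            return action
    return "deny"  # implicit default deny when nothing matches


def audit(rules):
    """List every zone-to-zone flow that breaks the separation policy."""
    findings = []
    for src, dst in product(ZONES, repeat=2):
        if src == dst:
            continue
        verdict = decide(rules, src, dst)
        if (src, dst) in FORBIDDEN and verdict == "allow":
            findings.append(f"{src} -> {dst} is allowed but must be blocked")
        if (src, dst) in REQUIRED and verdict == "deny":
            findings.append(f"{src} -> {dst} is blocked but is needed")
    return findings


# Constructed rule sets, written as (source zone, destination zone, action).
# Weak: guests and office share one inside network behind the firewall.
FLAT = [("internet", "any", "deny"), ("any", "any", "allow")]
# Ordering mistake: the broad guest allow shadows the deny placed after it.
SHADOWED = [("guest", "any", "allow"), ("guest", "office", "deny"),
            ("office", "internet", "allow")]
# Corrected: each zone may reach only the internet; all else hits default deny.
SEGMENTED = [("office", "internet", "allow"), ("guest", "internet", "allow")]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("shadowed", SHADOWED), ("segmented", SEGMENTED)):
        print(name, audit(rules) or "no findings")
```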
You also need to know your enemy - and that comes from an internal security audit. According to Felstead, such an audit identifies and assesses the risks, both actual and perceived, and allows preventive and response action to be formulated. "The audit is an ongoing process and should be undertaken biannually or following significant political, social or environmental change likely to affect security."
Cox adds that people need to be audited as well. "It is also important to make an audit of each user's authorisation and privilege level so confidentiality of business information is secured and maintained. If this policy is adhered to, then security risks will be greatly reduced."
Computer and internet use policies have become popular with other industries. Many such policies are written into the employment contract of the employee, and it would be wise to seek legal advice on this subject. There is other legislation that covers data and information security, including the Data Protection Act. The act requires you to provide adequate protection for data you hold on your computers. Every situation is different, and it's vital to get appropriate legal advice, as there are several laws that cover computer use that may be relevant to your situation.
As technology moves so quickly, planning is vital and means looking at the bigger picture. "Given the rapid pace of developments in technology, it's essential that new or refurbished buildings are designed to manage change with minimal future cost and disruption," Felstead points out. "It is generally considered that security and communication technology changes are needed every five years or so."
Whatever your situation, data security is a complex issue, and if you're at all unsure about whether your security is up to the job, talk to a computer- or data-security consultancy.
The potential for disruption, both to your own system and possibly your guests' laptops, is frightening if you are successfully attacked. But it can be even more worrying if you find your commercial insurance doesn't cover you. At the very least, make sure that you're covered.
The cost of protection
Data security comes at a price. Sol-Tec's Lee Cox has put together some rough figures of the costs in two important areas:
* Firewall devices differ both in specification and cost and should be purchased based on internet connection access speed. As a benchmark, in order to protect a connection of less than 2Mbps, it usually costs less than £4,000 including installation engineer charges.
* Anti-virus protection is equally important. The cost of implementing and maintaining an effective anti-virus solution is again case-specific, but for a base of 20 clients and a single mail gateway it would cost about £2,000 including installation engineer costs.
Jim Smith, general manager of the four-star, 129-bedroom Milton hotel in Glasgow, has plenty of experience with data security. In 1997 a virus got into his computer system.
"We had a small outbreak caused by a student employee who was employed to carry out a room audit. The student had brought her own disks, which she had obtained through her university. In the event, it was a Microsoft Word macro virus that was more of an inconvenience than a real threat, but it did highlight the problems that a more malicious virus could have caused."
The hotel now has several security measures in place, with virus protection being high on the list of priorities. "We have implemented virus protection on all servers and desktops," says Smith. "Our gateway server has e-mail filtering for all inbound and outbound e-mail. We also scan all Web and all internet traffic at our firewall. Our virus definitions are updated twice daily and we scan our exchange servers daily for any additional virus risks."
This has already brought more security to the hotel's system, as it normally detects and quarantines about 20-30 e-mail-borne viruses at its network perimeter daily.
Staff are also made part of the data security measures via employment contracts. "Our staff policy for data security is part of the employees' employment contract in the form of an e-mail and internet use policy document that they have to sign before e-mail and internet accounts are set up for them."
So far, the cost for computer and internet security has been just short of £12,000.
Amicus Mentor France
Tel: 00 33 4 93 94 16 79
Tel: 0118 948 2848