DLP in hospitality – a success story at the Mandarin Oriental Hotel, Bangkok
Service quality and safety are extremely important in the hospitality industry. Hotels have to ensure their guests feel not only welcome and comfortable but also safe, and safety goes further than the safe deposit boxes for valuable assets or money that most hotels provide in each room. Hotels are obliged to protect their customers’ data against leakage, theft or loss and to secure it against cyber attacks. People are usually not aware of this, but hotels hold a lot of private records: credit card numbers, e-mail addresses, ID numbers, company data for business travelers, and other sensitive data. I was never curious about how hotels protect my personal details or what they do with them, but that’s something each of us should investigate. You wouldn’t want your vacation to turn into a disaster because the hotel where you are staying suffered a breach and you have to block your credit card to avoid an incident or, worse, your credit card was “cleaned” and you have to spend your vacation making phone calls to your bank.
At first glance, POS systems are the number one target and the primary source of data breaches. Hilton, Hyatt Hotel and Trump Hotel Collection are some of the hotels that suffered a data breach through malware infection of POS and other payment systems. Data security solutions that address external attacks are the first layer; however, as in any organization, insider threats should also be considered to make sure all possible leakage points are covered.
Mandarin Oriental Hotel’s high standards also demand strong data security
Mandarin Oriental Hotel is the award-winning owner and operator of some of the most luxurious hotels, resorts and residences located in prime destinations around the world. In Bangkok, the group has a truly remarkable five-star hotel that has become a top destination through a unique blend of luxury and comfort that is contemporary, classic yet cutting-edge. It was named “Best City Hotel in Asia” and one of the “Top 20 Hotels Worldwide” in 2009, among other distinctions.
To ensure quality and professionalism prevail in all aspects of the business, the IT department wanted to monitor and control how employees in reception, marketing, HR and other departments, who handle critical data, transfer it to portable storage devices in the course of their work. Besides having a clear idea of which devices are being used and by whom, the IT Manager also wanted insight into which files are being copied and transferred to removable devices. The solution that fit their requirements was Endpoint Protector 4, with the Device Control module. File Tracing and File Shadowing, for data tracking and copies, were the preferred features because of the level of detail they provide.
“We like Endpoint Protector 4 because it gives us the possibility to identify portable storage devices connected to the network and to restrict the transfer of information. Endpoint Protector offers granular control over portable media, with policies for devices, computers, users, groups and even custom classes,” said the IT Manager of the Mandarin Oriental, Bangkok.
Other aspects that the IT Manager valued, and that led to the decision to implement Endpoint Protector 4, were:
• Ease of installation and use
• Support and updates
• Availability of staff when calling or asking for assistance
• Competitive pricing
You can read the full case study on our website.
Hospitality data security compliance, rules and regulations
Mandarin Oriental Hotel is clearly a great example to follow in both accommodation services and data security. When it comes to data security, there are a few compliance requirements for the hospitality industry. If you are part of this industry, below are three things to consider.
1. PCI compliance.
PCI compliance for the hospitality industry is different from that of other industries, if for no other reason than the sheer number of data security incidents. This could be caused by some of the myths that are popular in the industry, such as “the franchise handles compliance”. The fact of the matter is that each hospitality entity must be certified independently, systems are not secured by default, and masking numbers (hiding all the digits except the last four) is just a small step toward being compliant.
2. Make security part of your DNA.
If you run a hotel, there may be reasons to think a dedicated IT Admin is not someone you need on the permanent employee list. However, once compliance is met, staying compliant takes constant effort. Since data security is a demanding job, having an IT specialist on board is a must. This is particularly challenging because hotels from the same chain could have different websites and databases, while restaurants and spas could be operating separately as well. On top of this, we’re talking about multiple locations, which makes things even more complicated.
3. Think Security, not Compliance.
Following from the point made above, when it comes to data security, a forward-thinking person is a must. Compliance is one thing, but a good security policy can make sure you’ll be compliant with upcoming rules and regulations, as well as adapted to changes in the technology field. Take the mobile devices we have all had in our pockets for some years now. Combined with technologies like beacons, they’re going to be common items in hotels. Beacons will definitely help the hospitality industry offer better services, but security needs to be considered even before compliance rules and regulations become mandatory. If the beacons example is a bit too far from your current situation, what about laptops and computers? Are you protecting just Windows computers or also Macs? Are you taking into consideration the fast rise of Linux computers? What about employees’ mobile devices? Are you also considering MDM as part of your security?
Securing data in the hospitality industry is as tough as in other industries. The complexity of the network, with its different payment systems; the great amount of collected data; the many collaborators that also hold customers’ sensitive data, like Booking.com or other booking websites; and the many services that involve payments, like spas, restaurants and bars, are all factors that drive an increased risk of data loss. The Mandarin Oriental Hotel in Bangkok has taken a step forward in ramping up its data loss prevention setup and sets an example of continuous improvement and responsibility for the privacy of customers’ and employees’ data as well as their know-how.