Keeping the Hackers at Bay

As Web site applications grow, so does the vulnerability of sensitive information. Tighter policies, outside expertise and innovative technologies can help establish needed layers of protection.

by Vince Guerrieri (editor@clubandresortbusiness.com)
January 2008
 

Founded by the U.S. Congress, members of Congressional (pictured below) have included Senators and Presidents. It’s become the first country club to have a full-time director of security, says Jay Marx, Director of Information Technology.
“It is a huge priority,” Marx says of security at the club. “We do have a heightened awareness.”

But while most club managers won’t have to worry about the President playing a round, more and more have come to share the same concerns as Marx, as they have grown to use, and rely on, their Web sites as more than just marketing tools.

Many properties now use their sites as portals for members to book tee times, make dinner reservations and pay bills.
As more people use the sites for more reasons, clubs are looking for smarter and more effective ways to keep all of the information that is passed secure. In many instances, this means trusting their members’ personal information to outside expertise—something clubs are reluctant to do.

“It’s a relatively new market,” said Rachel Payne Morrow, Director of Marketing for Greensboro (N.C.) Country Club. “If you want to have an effective Web site, you have to rely on outside sources to protect your club and your club membership.”
But the president of one software company that markets an online dining and event reservation program feels many clubs aren’t ready to take the leap of faith needed to entrust their members’ information to a third party. Instead, they still feel—foolishly, in his view—that the information would be safer in their own hands.

“That is patently false,” the software executive believes. “The average club does not have a significant IT presence. Their security, both physical and technological, is full of gaps.”

More Than Just Data at Risk
Bill Sullivan, a Professor of Hotel, Restaurant and Institutional Manage-ment at the University of Delaware, and a former manager at the DuPont Country Club in Wilmington, Del., feels that clubs not only run the risk of making their data more vulnerable when trying to do everything themselves, but that they also stand to incur significantly higher costs and impose unnecessary time and management burdens on their staff.

While an individually-designed, Web-accessible system can cost between $20,000 and $30,000 and require several months to implement, Sullivan says, buying a prepackaged system can cost as little as $3,000 to $5,000, and be up and running in a month or two.

The company installing the system would load the member list and create user names and passwords, Sullivan says. And when a club goes with an online program, he adds, it gets tech support—something it might not have when going it alone.
“Most clubs don’t have a technology person, so to buy this type of technology is very helpful,” notes Sullivan, who also hosts technology “boot camps” at conventions of the Hospi-tality Financial and Technology Professionals association.
The Yale Club in New York City went live on New Year’s Day 2007 with a new virtual program. With its new Web site, reports Nadeem Rehman, IT supervisor, each of the club’s 12,000 members now has a personal Web page where he or she can check events, do online bookings, view his or her account history for up to a year, and pay quarterly dues online.
Rehman says the club plans to expand what a customer can do on the site, extending it to be able to handle more detailed dinner and room reservations.

The club saw the value the first time bills came due, Rehman says, as staff workloads dropped significantly. “It eases our job enormously,” he says.

Getting Paid Without Getting Burned
Security becomes especially critical as more clubs look to Web technology for bill-paying options. “It certainly has not taken over the market yet, but it’s gaining importance,” says an industry expert.

Even at a security-sensitive property like Congressional, Marx reports, a bill-paying option has been added, in response to customer demand.

“Previously, we didn’t accept credit card payments, because of the costs that were imposed and passed on,” he says. “But we now have members who are actually asking for that.”

And with financial information being passed through the Internet, there’s much more at stake to keep it safe. While there aren’t too many cyber-thieves who care about a member’s handicap, the knowledge that credit card numbers of affluent memberships may be floating around in cyberspace clearly rings the dinner bell.

In response, many clubs are turning to packaged software that can offer better data protection, or outside services that make use of date hosting centers. “Those centers have every conceivable security safeguard,” says a software company executive. “If you’re dealing with a reputable company, your data is safer than it is in the club.”

Additionally, many programs offer encryption for financial information like credit card or bank account numbers. “I think that’s typical,” says Sullivan. The encrypted information is typically stored in a financial facility that has elaborate firewalls, and offers a much safer place to store data than in a club office.

Additionally, by storing information offsite, anyone who might break into a club can’t then access data through a club’s computer system, which tends not to be encrypted or password-protected (or if it is, can be more easily hacked).

Matter of Policy
But even clubs that don’t transact financial business online can house sensitive information—and still run the risk of getting hacked. Marx remembers a case that surfaced about six years ago when someone—possibly in collusion with a club member—got a club’s membership list and used it to send out a solicitation for some land purchases in Florida.
To that end, many courses and clubs are now adopting very specific online policies, usually with the help of their attorneys. Many of them center on who will have access to what information, which usually includes club officials and, in the case of the Grizzly Ranch in Portola, Calif., other third parties as needed.

However, many of the instances cited by the Grizzly Ranch web policy for third parties involve legal issues, to settle a dispute or when compelled by a subpoena.

And Rob Young, Director of Sales and Marketing for the club, says that information is given out only when necessary—and never sold.

“That’s company policy not to sell any information we receive,” he says.

The redesigned Grizzly Ranch Web site (www.grizzlyranch.com) was unveiled in August, Young says, to overwhelmingly positive reviews. Part of the motivation for a redesign was as a branding campaign. “We wanted to make sure there’s a consistent look through all the marketing and sales material, and that it was consistent with the Web site,” he says.
But another reason was to implement member/owner access, so customers can now get online to book tee times or make reservations. There is no online billing at Grizzly Ranch, Young says.

At Greensboro CC, Rachel Payne Morrow says that as Web site usage has gone up, the club still takes time to continually reassure members that their information is safe. “There’s a lot of due diligence done,” she says.