by Tom Dulaney (editor@clubandresortbusiness.com)
January 2007
In 1777, British soldiers chased George Washington’s Revolutionary War patriots across the grounds of what is now the Whitford Country Club in Exton, Pa. (suburban Philadelphia). At that time, security threats were resolved with muskets and cannons.
Now, security problems on the property are a lot less bloody, but much less straightforward. Along with budgets, staff issues, catering, the pro shop, and other member needs, the General Manager of the 50-year-old club, Ronald Rottmann, has to worry about identity theft and club data security.
Terry Price, Executive IT Manager at The Grove Park Inn Resort & Spa, conducts “I.T. Boot Camps” to drill the importance of information security into “recruits.”
“It’s a crime what we have to do to protect our information and technology,” says Rottmann, who doesn’t relish the added security burden.
But whether any manager likes it or not, electronic security has put itself on the front line. To drive home that point, Terry Price dons a set of army fatigues for the “I.T. Boot Camps” he conducts for club and resort professionals.
Summing It Up
• The softest spot in data security is the computer workstation and the person who uses it.
• Establish “best practices” for all PCs on your property, and ensure that all employees follow them.
• Good firewalls thwart most external security threats.
Price is Executive IT Manager at The Grove Park Inn Resort & Spa in Asheville, N.C., where he commands a staff of five information technology professionals. And as secretary of the Hospitality Financial & Technology Professionals, he is galled by the constraints the “bad guys” of technology now put on good people in his industry.
“A lot of people come to work and are going backwards in technology,” he explains. “We have to be so security-conscious that we can’t yet allow employees to even use the new technologies they have on their home computers.”
For example, Price notes, Instant Messaging (IM) has become a familiar tool for the employee at home. But in the workplace, he says, “IM presents a lot of dangerous issues. We can’t allow it now because it opens portals” to the hackers, phishers, spammers and other nefarious types now roaming the interconnected world.
“That’s the challenge we have to deal with for the future,” Price continues. “How do we make the new tools available safely?”
Goes With the Territory
Like many of his industry colleagues, Ronald Rottmann is well aware that Price is right: Today’s club and resort managers have no choice but to become vigilant in protecting their properties, members and guests from data thieves.
Whitford Country Club has some 500 dues-paying members, plus their spouses and children. With a year’s backlog on its golf membership waiting list, the club is a picture of prosperity—but as a result, also an inviting target.
While he has become well-versed in the techniques that Price drills into all of his “recruits,” Rottmann is wisely not overconfident. “We want to make sure we’re secure,” he says. “But you never know what new exposures will open up.”
Both Rottmann and Price follow the same basic defense strategy: Secure the perimeter (see sidebar) and fortify the softest spots in your line—PC workstations. “The PC is the most vulnerable device on your network,” Price warns. “Sadly, it’s also the most ignored for safeguarding.”
E-mail and Web surfing for work-related projects are the areas most open to attack. To close ranks, Price and Rottmann both make sure their employees adhere strictly to these “best practices”:
• Do not open suspicious e-mail. It’s the entry point for viruses and a variety of spyware, adware, and the like. Price recommends turning off the “preview pane” in e-mail programs that automatically shows content. “When the pane is open, the e-mail is opened,” he explains. He also insists that employees adhere to a first-step routine of deleting as many e-mails as possible based on the incoming subject and sender lines, no matter how tempting or urgent some new messages may appear.
Grove Park Inn Resort & Spa (top) now has six IT professionals to secure all data needed to run the 120-acre property.
• Keep passwords secure. Rottmann urges his employees to change their passwords frequently—at least quarterly. Further, passwords should not be words or numbers that can be easily decoded by hackers. Avoid using names of spouses, kids or pets, and never use even just a part of a Social Security number.
On the low-tech side, make sure no one writes password or ID information on desk blotters or anywhere else at a workstation where it can easily be seen or found. The wandering eyes of even the most fleeting of office visitors (delivery personnel, those inquiring about “jobs,” etc.) can quickly capture and take away unprotected information, so it can be used to log in as an “employee” from outside the property.
• Limit access. At Whitford CC, while all members of the 12-person club staff can access the club network, internal blocks keep the wrong employees from looking at member records or the club’s profit and loss statements.
“I myself cannot access the financial data at Whitford—that is the province of the controller,” says Rottmann. When he needs numbers, he goes to the controller to get them.
Further, Whitford’s financial and internal data is completely inaccessible to anyone who is not plugged into its network via a hard wire. And the public side of the club’s system—its Web site for members and the general public—won’t take anybody into the inner ring of sensitive data. These precautions highlight a key point that Price drills into his “recruits”: Employees should not be allowed to bring laptops to work. If they do, they could tap into internal networks.
Extending the Battle Lines
Other potential soft spots that can’t be overlooked, says Terry Price, include these now-common parts of any computer support system:
• The Network Switch or Hub. This is the device that links all IT tools on a property. It must also be set up with need-to-know access on an employee-by-employee basis. While it’s not very susceptible to outside attacks, Price notes, controlling who sees what is vital.
• Servers. These “super PCs” with specialized operating software are the central location for all of a facility’s data. They are less vulnerable than PCs, Price says, because they don’t have people working directly on them. But they still require protection, provided through professional help.
• Firewalls. These electronic barriers to intruders protect the server and its wealth of valuable information. Club managers need to find IT professionals (on staff or through contracts) who can regularly search for, and plug, firewall holes.
The other key side of information security is member and guest access to their accounts and general information about a property. At Whitford CC, like most clubs today, members can now go online to view bills, check account status, and reserve tee or dining times.
As the club industry has moved into the information age, many managers have been hesitant to remind members, as they do employees, about the need to keep passwords opaque and private. But Rottmann says this should be an equal priority. “If people can afford membership at a private club, they are most likely aware of IT security practices from their own workplaces,” he notes.
Whitford currently offers wireless access within its main building, and Rottmann is planning to expand this feature throughout the entire facility—from every tee, fairway and green to the swimming pool and tennis areas. When this happens, he assures, “It will all be password-protected—and it still won’t allow entry into the internal corporate system.”
• Viruses. Anti-virus software is a must, says Terry Price, Executive IT Manager at The Grove Park Inn Resort & Spa, Asheville, N.C. “If it’s not updated every week, you are way behind,” Price warns.
• Spam and Phishing. Good e-mail habits, plus spam filters, can stem the flood of unwanted e-mail, much of which can be infected with viruses or disguised as legitimate communication that’s designed to obtain account information.
• Spyware and Adware. A recent study found that about 20 percent of visited Web sites are contagious carriers of these malicious programs, which can also invade the computer through e-mail. Anti-spyware and adware programs are a must.
• External Hackers. Hackers can be anyone from the teenager next door to terrorists bent on extortion. Good firewalls, and shutting down unnecessary access ports in the system, are the best way to thwart most hackers.
• Internal Hackers. Managers should monitor use of a computer network to make sure employees aren’t visiting areas they shouldn’t. Terminated employees’ access to the system must also be terminated—immediately.
—TD