Hospitality venue? Your business and customers ARE at risk from cybercrime!!
Cafes, restaurants, lodges, resorts, vineyards, retreats apartments; you need to read this article.
Since joining Islandtech I have visited several hospitality businesses large, medium and small and what I have found should be shared and acknowledged by you all.
Waiheke is a prestigious tourist destination and, quite rightly, you are all proud of your offerings which are probably the best in NZ, you certainly charge premium rates and as such your customers expect excellent service and security.
Does your comms area look something like this? If so then you aren’t offering your best service and are open to all sorts of scams, hacks and fraud, as are your guests.
Even if it doesn’t look like this it could be, and most likely is, not keeping you safe, nor your customers and doesn’t afford you the flexibility and control to maximise on your offerings and increase your guests’ experiences (more on added value of doing it properly a bit later in this article)
Let’s start with the risks, what are they?
Well, rather than going into technical details let’s just outline a few things that should make you sit up and consider what is lurking in your storeroom, under your sink, stuck in boxes on your exterior wall or just hanging around (often literally).
(For those other geeks or nerds out there please note that this has been written with non-technical minded people in mind and therefore may be inaccurate. However, where it is inaccurate it is definitively inaccurate. In the case of any major inaccuracy, it is always reality that has got it wrong and inaccuracies are intentional to make the narrative easier).
Some of the points worth noting:
· Potential sniffing of your business data via your guest network; company information and plans, banking details, customer records.
· Potential for fraud via scams or invasive software; you’ve opened your business to all and sundry.
· Your guests aren’t secure from each other, they can be sniffed., snooped, spoofed and so on.
· Your network controller (router) is open to anyone with the basic skills to access it.
· Denial of service risk, your network could be taken down by malicious users.
· Illegal internet usage: your ISP stores every site visited from your network and are obliged to hand this to the police if they detect a threat of illegal behaviour. If someone on your network accesses illegal porn or other nefarious sites there could be a knock on your door; have you done enough to dissuade or prevent this activity? Maybe you will be held responsible, and no one wants to see a headline such as “Waiheke Super Duper Apartments temporarily closed due to illegal Internet activity that can’t be adequately explained”.
Admittedly, it’s unlikely to happen to you but you are at risk. Most of the risks and instances of hacking are generally opportunistic, i.e., bored hackers who find a site with inadequate safeguards will jump in and cause problems for fun. If you have basic safeguards in place, then the above is far less likely to happen and hackers will generally not bother. N.B, even the most secure network security can prevent a determined hacker, if he really wants to get in, he will find a way, but that is unlikely in your business, it is most likely opportunistic or someone wanting your identity or banking details.
Network Separation
Did you know that your guests are on the same network as your internal business systems and point of sales systems?
“But we have separate wi-fi networks; ‘Guest’, ‘Internal’ and ‘POS’, surely we are safe?”.
Umm, nope, not necessarily; if you have the proper equipment and it has been properly installed and configured by professionals then yes, you will most likely be safe with separate networks. Otherwise, your Guests are sharing the same network as your banking, payments, drop box file shares and all personal and business data.
What you think you have, and indeed should have, sort of (remember the inaccuracy quotation) is the picture below which shows three separate networks each connecting to the Internet independently with no visibility or knowledge of each other.
Unfortunately, this isn’t the case, at least not the case in anywhere I have yet visited on Waiheke and only exists where I have rectified it. This is a slight over-simplification but illustrates what most of you think you have in your business.
What you really have is this (Below). You can see here that the networks (Guest, POS and Internal) are actually porous and the ‘no-entry’ signs don’t exist. What most people think of as a network in the terms of ‘Guest’, ‘POS’ etc. to which they connect via their Wi-Fi enabled device aren’t networks, they are more a sort of collection points for different usages, but they are all on the SAME network and can see each other.
An analogy might be an aeroplane flight (we might use this one again later in this article so please hold it in mind). You might have a boarding pass for economy, others might have passes for business class or first class; you are all on the same aeroplane and could, if push came to shove, or if you just really felt like it, move from class to class, see the other passengers, interact with them and so on. Right, there’s usually a curtain in between so that you can’t see the edible food that the better classes get rather than the muck we get in cattle class and in fairness that curtain in an aeroplane is providing those in the better classes of cabin more security than you are getting on the network example I gave above.
This means that your business in Internal is accessible to those in Guest as it is the same network, the SSID is simply a way of grouping people together. Also, your Guests can see each other, do you want your guests to feel secure in that when on your network they are safe and secure or do you want them to be in as much danger as an open public network, which is often essentially what you have provided.
So, what is the solution? Generally, a network review and overhaul will resolve these. If your network has been cobbled together by hobbyists, then you need to talk to us for a review of your situation.
What is a good-looking network? Well, something like this one, again please note the quotation regarding inaccuracies. Here the business has three separate networks each with it’s own Wi-Fi SSID (class of passenger), but in this case, each class is essentially on a separate deck in the aeroplane with locked doors between each deck, or even possibly three separate aeroplanes.
In computer terms, this doesn’t mean that you need three separate routers, Internet connexions etc. With the correct equipment, equipment that is used worldwide in your industry and in almost every industry offering reasonable to sublime services to customers, a single router can be put in place that creates these three separate networks using software; these networks are called Virtual Local Area Networks, or VLANs. If your router is configured correctly then these VLANs will be invisible to each other, meaning that Guests can’t sniff your bank details or customer information, nor can they sniff each other in the guest network or POS. If you want to be even more secure, then you could setup a separate VLAN per guest room and completely separate everyone.
This is just the standard way of providing the services which these days are considered as essential as hot running water.
Some other benefits to “doing it properly”.
Larger venues, ever find that some guests can’t connect if you have more than 150 or so? If you haven’t separated your networks, as shown above, then you will run into problems with more than a certain number of guests.
When you have a basic router setup each new user is given a ticket, like the boarding pass we mentioned earlier, which is called a ‘DHCP lease’ (Community Classroom will provide a lesson on this at some point). Generally, with basic routers, you will only ever have around 248 of these boarding passes to hand out; once they are all allocated no one else can ‘board the aeroplane’. You might think that 249 is a lot, but remember that everyone is on the same network which means that your POS systems have a ticket or two, or three per POS, your staff have a PC or laptop and a phone or two, guests might come with two devices each if staying and network devices such as switches, Wi-Fi access points, routers, printers etc. all require one of these tickets so you could easily be down to 150 before you know it, and what do you do when that big conference arrives?
One way to provide more boarding passes, and leases, is to use VLANs to separate the groups of users, such as GuestVLAN, POSVLAN, InternalVLAN. Each of these VLANS gets 248 leases (boarding passes) which means that your internal staff and devices aren’t taking up leases which your paying guests could be using.
What if you need more than 248 leases on one network, maybe a large venue, concert or a bunch of events on your property? Given the correct equipment and correct configuration we can extend the leases to support 1,000 concurrent users, devices etc. all on the same Wi-FI SSID, e,g, ‘Waiheke Chill Fest Guest’.
I’ll just mention one other benefit of taking the same consideration for your tech offerings to guests as you do the other offerings you have.
Imagine, if you will, offering conferences or other business functions, say to “NZ Fruit Growers Org”, as an example. If you take your tech offering seriously then it is easy to fire up a new, secure and separate Wi-Fi network on a secure VLAN customised to the conference you are hosting! Imagine being able to temporarily offer a secure network called “NZFruit” with their own password and only accessible to the conference. Think of the prestige of offering such a customisable aspect to your conference or business package offerings, especially emphasising the security that they will enjoy.
If the above is in any way relevant to your business, then please contact us and ask for a free review of your situation and one of us will come and look around. We are all part of the Waiheke Island Community, and we want to make you safe and help improve your offerings, so we will do a free review for you. If you want to offer a sharing platter and a few glasses of local wine then we obviously won’t quibble and might even fix a few things whilst there, if possible 😉
Contact us on …… 098705698 support@islandtech.nz 28 Belgium Street Upstairs above Rendezvous' Café
Just remember, Don’t Panic!
Just talk to us. Jamie, Tim and Richard
Comments