The Observatory Hotel makes spam an unwelcome visitor

With only a small IT staff, yet a significant amount of its business being conducted electronically, cyber security is an issue high on the priority list of Grant Raubenheimer, Hotel Manager of the Observatory Hotel in Sydney.

The 100-room hotel employs 145 staff to perform tasks that include managing reservations and servicing rooms, but relies on a barebones IT department to manage its computing resources.

It is the lack of specialized IT staff that makes SMBs like the Observatory Hotel a soft target for spam.

"For a small business, it's the unknown - not knowing what to do for your business to operate," Raubenheimer said. "With a bigger operation, you're able to put more resources into IT security."

But resources or no, the hotel relies on its network of about 10 servers and 60 computers for property management, communication and back office functions, so the possibility of a security breech is too grave an issue to be ignored.

"We utilize the computers all the time to manage the business," Raubenheimer said. "There are things we have to deliver, and if these [systems] crash, then we have a problem."

More than 20 percent of the hotel's business is conducted via email, Raubenheimer said. But while the hotel receives over 30,000 emails a month, more than 55 percent of these are estimated to contain viruses or to be spam.

Besides costing the hotel bandwidth, leaving staff to deal with potentially malicious email is a drain on time, could lead to viruses being installed, and runs the risk of having sensitive information revealed to phishers.

To avoid such complications, the Observatory Hotel turned to a combination of anti-virus and anti-spam software and services.

"I suppose it's the philosophy, 'To be sure, to be sure'," Raubenheimer said. "If we can stop it [a malicious email] before it gets into the hotel, it's great for us; we don't have to worry about it, and we don't get the staff going, 'is this a legit email? Do I double click on the link? Do I open the executable file?'"

The hotel originally purchased Trend Micro's anti-virus product to provide a layer of security on its Linux servers. However, as the product focuses primarily on viruses, it did not stop a large amount of spam from getting through to the hotel.

So when the hotel migrated from Linux to Microsoft Exchange to enable remote email access, it took on an additional layer of security through MessageLabs' Protect service. The service filters out spam and viruses at Internet level, which saves bandwidth and employee time for the hotel.

"I do find that there are products out there that pick up on a virus quicker than others," he said. "In the time that we've been running the programs, we've never had an issue."

Acceptable use

Following the new implementation, the next step for the hotel is to make sure that its employees are aware of cyber-security issues and how they can be avoided. All employees are required to agree to the hotel's Acceptable Use Policy before using the Internet each day.

"It [the policy] educates the employees as to why there are things that you can and you cannot do," Raubenheimer said, "so that we know that everybody in the organization knows exactly what is required and why we do it, and what we as an organization should be doing in order to make ourselves more secure."

In addition to the policy, the hotel has systems in place to block known pornographic or otherwise time-wasting URLs, and disable executable files from being run.

"Whatever we put into the system, we're very cautious about the security aspect," Raubenheimer said. "We will put the measures in place so that we are not compromised."

While these electronic roadblocks could potentially mean that legitimate emails are filtered out and reservations are lost, Raubenheimer has not yet been faced with any such problems. MessageLabs expects only one legitimate email in about 250,000 to be stopped, and besides, as Raubenheimer says, "it's better to be safe".

Raubenheimer's penchant for safety costs the hotel around two thousand dollars per year, but he says that is "not a huge investment" for security.

"You weigh up the cost benefit of downtime and having to recover data, and of being safe, and if it costs you three, four thousand dollars, then it's a small price to pay," he said. "It's our insurance policy."


Copyright © 2006 IDG Communications, Inc.

Shop Tech Products at Amazon