Guests who come into your park place a great deal of trust in you by providing you with their personal and private information. In order to reduce the risks to guest data, you should seriously consider the confidentiality, integrity, and availability of your data. The following tips and highlights can help you to protect the sensitive and private information that has been entrusted to your care.
First, make sure you secure your guests’ information, treating it as if it were your own. This first step is an absolute must, because if somebody can pick up your data and walk away with it, your data is not safe. Some good examples of secure storage might include:
- a locking filing cabinet behind a front desk
- a password-protected computer in a back office
- a locked strongbox, secured to the floor or wall
No matter what you use to keep your guests’ information secure, it makes sense to place it in view of an always-on camera. That way, you can see who has accessed your guests’ data and when.
People who regularly handle customer data such as addresses, phone numbers, and other personal information should be trained and educated on how you expect guest data to be handled and stored. Everybody in your office should be aware of where you store your information, who is allowed to access it, and who should be alerted if somebody tries to access your data without permission.
Once you have your information secure, it becomes an ongoing challenge to keep that data secure. Throughout your day-to-day operations, various people will need to access and possibly make updates to your data, and it’s important to account for who made those changes and when. For example, most computer spreadsheets and databases will record any time information is changed, along with the user responsible and the time. That record can only identify the person responsible if each person signs in as themselves, which is why it is vital to data integrity to have separate user accounts for everyone who might access guest information. Later, as you scale your business, you can take these user accounts and fine-tune who can see what data and when.
Creating user accounts can also help with a variety of access and accountability tasks that come up around guest information. With user accounts, you could designate somebody as a supervisor or manager, allowing that person to make new accounts for new staff, while also preventing that person from seeing sensitive financial data such as reports or vendor invoices. This granular control of who can see your data will allow you to feel more confident that your information is accurate and up to date.
Additional questions around data security arise due to the issue of social engineering in all its forms. While a classic problem, social engineering continues to be a trouble spot for many organizations, including those of us in the outdoor recreation space. Whether it comes in the form of an email asking for bank account information or a seemingly helpful person asking for guest information, the people who help run your day-to-day operations should be educated to not reveal personal or financial information without first getting explicit authorization from the guest and verifying the identity of the person requesting such information.
In order to ensure that your data remains available for use, your on-site networks should be regularly inspected, just like any of your other systems and facilities. At a minimum, your network should have a modem for internet access, along with a router or switch to allow more than one device to connect to the network. While many, if not most, internet modems have switching and routing built in, relying on them means putting all of your network equipment into a single device, which, if it fails, will take down your entire network. Smaller parks are likely okay with these occasional outages, but larger parks with more interconnected devices, such as smart meters, would do well to have discrete pieces of network hardware.
When a new piece of hardware is added to your network, such as a modem or a wireless access point, you should take care to read through the manual and log into the system in order to set your own unique password. While almost all new equipment comes with a password built in, you should never trust that this default password will be unique and unknown to others. When inspecting your network hardware, it would be useful to take a picture of each piece of equipment for later reference. These reference photos can help you to see if any unexpected or unauthorized devices have been added without your knowledge.
If you are already feeling confident with these steps, we here at Campspot strongly encourage anybody who wants some extra peace of mind around data security to look into the PCI-DSS compliance framework. This framework is a widely accepted industry standard, and as of 2019, the hospitality industry had the fewest PCI-compliant organizations. By successfully completing the PCI-DSS Self-Assessment Questionnaire (SAQ), you should be able to identify any gaps in your current processes and procedures and save on non-compliance fees.
In closing, there are some reasonable steps all of us can take to make sure our guests’ data is well protected. First, make sure your data is stored securely. If anybody needs to access this data, make sure the access is well documented and recorded. Finally, make sure that your physical networks are inspected on a regular basis in order to maintain connectivity and prevent unauthorized devices from living on your networks.