Group items tagged

Restaurants, hotels, and other companies in the hospitality sector often have complex ownership structures in which theres a franchisor, an individual owner or group of owners, and a management company that acts as the operator.

A vital part of protecting data is training staff to securely gather and store personal information.

The high level of turnover and high degree of staff movement between different locations makes it a real challenge to maintain teams of well-trained staff

Industry and political regulators are becoming stricter in governing how organizations process and store personal data.

This type of data risk is more subtle and it involves employees selling data to third parties without the knowledge of the organization that employs them.

Yet, more than 30% of staff surveyed by Wombat Security Technologies didn’t even know what phishing or malware was. This is probably why scams like the Business Email Compromise (BEC) result in whopping losses of over $3 billion (according to the FBI).

But as humans, hoteliers make mistakes, they’re trusting of fake identities, tempted by clickbait, and vulnerable to other sneaky tactics used by criminals to gain access to company information.

Staff need cybersecurity training to protect themselves and the hotel against cyberattacks.

By making employees aware of security threats, the impact they might have on your business, and what procedures to follow when a threat has been identified, you’re strengthening the most vulnerable links in the chain.

The World Economic Forum in their latest report, The Global Risks 2019, puts cyber-attacks and data theft into the higher-than-average likelihood bracket during 2019.

To achieve these record levels of data breaches and cyber-threats, cybercriminals are focusing their attention on the manipulation of human behavior.

So how do we counter these threats? Education, education, education. 

Security awareness training is not a point event or solution, it is a process. Security awareness comes out of a series of ideas, thoughts, and preparations that are used to develop a holistic security awareness training program.

Identify the Specific Cybersecurity Needs of the Hotel/Property   

Include Cybersecurity Awareness Training During Onboarding

Cover Relevant Topics

Make Staff Cybersecurity Training An Ongoing Process

We all make mistakes and occasionally slip up. It is really important that staff know that they can come to you and that they are free to report problems without there being a risk of them losing their jobs. This will come from your personal management style. 

Cybersecurity is everyone’s responsibility, whether you are C-level, management, accounting, housekeeping, maintenance, or reception, it does not matter. Everyone needs to be made aware of the hotel’s individual cybersecurity policies, attitude, and culture. 

Continuously send reminders via email, Slack, or any other messenger your hotel may be using with reminders to change passwords, to update anti-virus programs, and with information about the latest phishing techniques.

If you create a culture of cybersecurity awareness within your organization, then the chances of your organization becoming a victim are greatly reduced.

but the number one is that they all process credit cards.

assets targeted by criminals were point-of-sale software systems

Think of the scenario of a hotel that maintains a restaurant, a spa, as well as other services all connected to one POS system

The risk is even greater when hotels are part of a hotel chain with interconnected systems.

Franchise businesses are particularly at risk primarily because franchises tend to have the same POS system duplicated at all locations

Most of the time these business don’t have trained security professionals on staff; instead most assume their IT personnel are taking care of all of their security needs.

76 percent of environments we investigated had a third party introduce a security flaw within the environment that contributed to criminals being able to compromise data.

Another alarming trend we found in our investigations was that self-detection of breaches decreased in 2011, and only 16 percent of victimized organizations actually detected the breach themselves.

The best intrusion detection systems are neither security experts nor expensive technology, but employees.

Very often businesses ignore that fact that while their employees might not be security experts,

the POS screen looked differently than it had the day before.

The cashier reported it to the company’s security hotline and sure enough there was a cybercriminal on the system.

When working with third parties, always build in security requirements into the contract and impose policies and procedures such as good password policies to ensure tight control and better security.

The quicker an organization can identify an issue and respond to a breach, the less likely they will experience the deep penalties, both financial and to their brand.

Operational activities such as reservation

cloud-based and offer many possibilities for a hacker to intrude

access to confidential information.

their exposure and dependence on third-party software that may be vulnerable.

Marriott, Hyatt and Sheraton released a list of twenty affected properties between March 2015 and June 2016.

95% of all data breaches can be traced to human causes.

poorly trained against cyber-attacks due to a lack of global risk vision from the management.

As stated by one of the speakers, hotel companies are still reflecting on what shall be done if they suffer a cyber-attack and not what should be done when they suffer a cyber-attack.

How can non computer-savvy directors and board members take strategic cyber-security decisions? Who is responsible: the property, the owner, the chain? One thing remains certain : it is time to get serious about security!

dark web “chatter’ breakdown reveals Hilton had a 31% share of mentions on hacker forums followed by Marriott at 28% and IHG at 19%

Marriot recently revealed that its data security breach had cost the company $28 million.

It’s unsurprising that as the aviation industry grows and airlines look to adapt their distribution models, cyber attacks and other fraudulent activity also increases.

Air Europa says that as it went through its digital transformation, it needed to handle fraud more efficiently.

the airline industry saw a 29% decrease in fraud attacks in 2018, but the company attributes that the large data hacks involving passport details have not yet “been reused to commit air travel fraud.” 

five of the biggest data security concerns in the hospitality industry and highlights some best practices for protecting hospitality data.

Data Security Concerns in Hospitality

complex ownership structures

From the perspective of cybercriminals, hospitality appears to offer an ideal target vector for conducting crimes such as identity theft and credit card fraud due to the existence of multiple databases and devices containing both Payment Card Information (PCI) and Personally Identifiable Information (PII).

challenge to maintain teams of well-trained staff.

t was reported in 2017 that out of 21 of the most high-profile hotel company data breaches that have occurred since 2010, 20 of them were a result of malware affecting POS systems.

can go unnoticed for months.

High Staff Turnover

In the U.K., for example, the job turnover rate in hospitality is as high as 90 percent.

Reliance on Paying By Card

t involves employees selling data to third parties without the knowledge of the organization that employs them.

Insider Threats

Compliance

cyberattacks such as phishing, ransomware and distributed denial-of-service (DDoS) attacks are on the rise.

Cloudflare

a major US cybersecurity firm that provides protection services for over 30% of Fortune 500 companies

"There's been an enormous amount of insecurity around the world,"

"I think 2023 is gonna be a busy year in terms of cyber attacks."

Experts warned that cyberattacks are increasing in sophistication and frequency.

“This is a global threat, and it calls for a global response,”

“This is a global threat, and it calls for a global response and enhanced and coordinated action,” Jürgen Stock, the Secretary-General of the International Criminal Police Organization (INTERPOL),

“The key to winning the battle against cybercrime is, of course, to work together to make it a priority across the geopolitical fault lines.”

This concern has been raised particularly around critical infrastructure sectors like energy, public transportation and manufacturing. SecurityScorecard, a US cybersecurity rating and analysis firm, reported recently that 48% of critical manufacturing companies surveyed were at significant risk of a cyber breach.

“Vulnerabilities within the critical manufacturing sector haven’t gone unnoticed by cybercriminals either,” said Aleksandr Yampolskiy, SecurityScorecard's CEO.

The Forum's report also notes that the potential targets for cyberattacks are increasing. Today, targets include not only government agencies or major corporations, but largely any organization that handles consumer data—no matter how small.

There is no such thing as a hundred percent security. It's about resilience in the face of insecurity.”

“

Consumers, too, need to increase their cybersecurity awareness in 2023, experts say.

As more things get connected to the internet there's just more risk. ”— Matthew Prince, Cloudflare CEO

Zero Trust approach to cybersecurity, which creates a framework that eliminates implicit trust and ensures that any user—even those who are supposed to be inside an organization's network—is authenticated and validated at every turn.

The PCI Security Standards Council claims that since March, malicious virus-related reports are up 475%. The reason for the uptick is that cybercriminals are trying to take advantage of rapid changes to the payment-card data environment. In addition, 41% of small businesses have said they’ve suffered breaches costing more than $50,000 to fix.

Contactless payment is one of the big changes within the payment data environment. Several restaurant companies – from chains to independents – are offering it because it reduces customers' physical interaction with the restaurant's POS system. As part of this move, some businesses have eliminated credit-card PIN numbers.

Eliot says malicious email is usually the easiest way for cybercriminals to access your networks. The emails typically show up as urgent requests for sensitive information, often pretending to be from the Small Business Administration or the Centers for Disease Control and Prevention. When the intended victim types in his or her credentials and clicks on a specific link or downloads an attachment, criminals are in.

Anyone looking for easy-to-implement security tips can try these six to start. Reduce areas where payment-card data is stored. The best way to protect against a data breach is to avoid storing any card information at all. With many small operators offering curbside pickup and accepting payment over the phone instead of through face-to-face transactions, it’s important they train employees not to write down payment card details. Instead, have them enter numbers directly into a secure terminal. Use strong passwords. Using weak and default passwords is one of the leading causes of payment data breaches among businesses. Effective passwords must be strong and updated regularly. The most recent guidance is: the longer, the better. Think of it almost as a “passphrase” rather than a password. Use it in the form of a sentence, but mix in different characters within the phrase. It’s much harder to break a long passphrase than it is a short, complex password. Weak and vendor default passwords often result in small business data breaches. Also, don’t repeat your passwords. Update your software often. Criminals look for outdated software to exploit flaws in unpatched systems. Timely installations of security patches are crucial to minimizing the risk of a breach. Whenever updates are available, use them. They will improve performance and close out some of the vulnerabilities cybercriminals are searching for. Enable two-factor authentication. It's so important for restaurateurs, especially where their POS systems or any of their sensitive databases are concerned, to have two-factor or multi-factor authentication enabled. If an instance where credentials are stolen occurs, there will be a second layer of verification the operator can rely on to potentially reduce the chances that information will be breached. Segment your networks. If you are going to store payment data, make sure your POS system has its own separate, secure network. Do not store sensitive documents on public cloud services such as Google Docs or DropBox. If you’re going to store sensitive documents, house them in an encrypted, locked down location.   Be hyper-vigilant. Criminals are going to try to take advantage of this pandemic situation as much as possible. You can protect yourself by not giving out sensitive information, especially within unsolicited emails. Don’t click on links you’re not expecting and do everything in your power to protect all sensitive information.

determine whether the latest cyberattack is more significant than the 2016 breach of the ICH systems. Initially thought to have been a minor breach that affected 12

Between September 29 to December 29, 2016, 1,175 properties were infected by malware designed to steal credit card data

Marriott International has been breached thrice, resulting in the compromise of the personally identifiable information of up to 338 million guests

Marriott was also fined £18.4 million ($23.8 million) by the U.K’s data regulator Information Commissioner’s Office for failing to protect the data of the 338 million guests

This is yet another reminder of the damaging impacts of cybercrime. Not only is IHG potentially getting held to ransom for its data access, but it is also losing out on customer bookings

Organizations should use this as a warning to never gamble with their cyber defenses. After all, the cost of preparing and preventing an attack is far less than the cost of recovering from one

Data breaches, on average, cost organizations $4.25 million in 2022, according to IBM’s 2022 Cost of Data Breach report.

hat means contingency plans must be updated on a regular basis and security plans must show adequate flexibility to incorporate good customer service and proper protection.

the latest threat to the industry was underlined by the hacking of Marriott International’s Starwood database, potentially exposing the personal information of approximately half a billion people.

This cyberbreach serves as an example that the world of tourism security is fast-changing.

 It is essential that every tourism entity assume that, at some point, it will suffer some form of attack, whether physical or cyber. Do not wait for an attack to occur to begin to figure out how to mitigate the damage. Remember that an attack not only damages the client, but it also harms the entire industry.

93% of companies without a disaster recovery plan who suffer a major data disaster are out of business within one year.

SMBs simply don’t have the resources to survive breaches and are risking their entire business by not fully preparing against attacks.

Research suggests that 70% of consumers would stop doing business with a company if it experienced a data breach.

even for businesses who can survive a breach and save their data, long-term consequences can be dire.

Consider a true next-gen antivirus for everyone under your network to minimize the potential for attack.

By keeping all your data periodically backed up in secure data centers, you can rest a lot more easily knowing that should the worst happen, you can respond quickly and effectively.

One of the most effective ways of counteracting the dangers of cyberthreats is by training employees and establishing policies around a security strategy.

Nationally, the number of unfilled cybersecurity jobs is estimated to be 464,000, including 3,800 in Connecticut, according to Cyberseek, which is backed by a subdivision of the U.S. Department of Commerce.

Then, ask yourself, “What does our company have in place to mitigate our exposures?”

Do we have an effective privacy policy?

Do we have an effective privacy-breach response plan?

Do we continuously test our disaster-response and business-continuity plans?

Franchise concerns

Franchise agreements should address several important data-security concerns, cyber-insurance, breach notification and PCI (payment card industry) compliance.

Franchise agreements should require franchisees to purchase a specified amount of cyber insurance coverage in the event of a data breach.

In addition, the franchisee should be required to promptly notify the franchisor of all breaches in security and immediately notify the franchisor of all breaches of sensitive information.

The franchisor may also want to consider being notified of any impermissible uses or disclosures

Cyber attack realities The ramifications of a cyber breach could be both financially and operationally catastrophic to any hospitality company. Losses could include costs associated with litigation expenses and fines as well as defense. The cost of business interruption and loss of income could be debilitating.

The report states that hotel Wi-Fi often has more lax security than other types of common Wi-Fi networks, and that attacks are frequently interested in obtaining guests’ information, including credit-card numbers, as well as business data

“Evil twin” attacks, in which hackers create fake Wi-Fi networks similar to those of the actual hotel, can also happen

Online gambling upstart Ignition Casino offers Blackjack, Slots, Poker on its website; fortunately, the company has also taken the requisite security measures for bolstering its website security and email security.