Group items tagged

Millennials (24- to 35-year-olds) believe they are most vulnerable to a cybersecurity breach when staying at a traditional hotel rather than when booking with Airbnb.

More than 25 million U.S. consumers self-reported that a restaurant visit has resulted in a data breach.

Earlier this year, Morphisec discovered FIN8, a cybercrime group most known for targeting the retail industry, was actively targeting POS systems within hospitality companies in the U.S. and abroad.

“Increasingly, attackers are targeting weakly defended point-of-sale systems as an entry point into the broader hospitality organization network. With many POS devices in the hospitality industry still running on Windows 7 or even Windows XP-based embedded operating systems, they are increasingly vulnerable to breaches, and cybercrime groups are taking notice.”

Hotels need to think about multiple endpoints and the remote connections they rely on to run the property’s operations.

Take advantage of cybersecurity professionals who can identify sources of intrusion, assess the extent of the breach and provide details of the compromised material.

Another group, identified by CrowdStrike as MUMMY SPIDER, is using the coronavirus theme in an "email thread-hijacking technique" that "ultimately led victims to download malware

The security firm said the strategy can be used to steal financial information or login credentials, and expanded to other targets

CrowdStrike also reported a surge in queries from companies who anticipate employees will work from home over the next three months, which can leave company data more vulnerable

Security spending does not equal security effectiveness

here were 4.83 million DDoS attacks attempted in the first half of 2020 alone and each hour of service disruption may have cost businesses as much as $100k on average.

Third party software. The top 30 ecommerce retailers in the US are connected to 1,131 third-party resources each and 23% of those assets have at least one critical vulnerability.

umber of the attempted breaches grew by 250% compared to 2019.

The global market for cloud computing is estimated to grow 17% this year, totaling $227.8 billion.

To strengthen the cloud computing defenses in the future, stakeholders should pay attention to proper cloud storage configuration,

Restaurateurs are not technology experts.

The cost of cybercrime is on the rise around the globe.

Stealing our personal and payment information is something cybercriminals do over breakfast.

For the global economy, cybercrime is one of the greatest collective threats of our time.

It might come as a surprise to many that almost all of the headline-grabbing payment card data breaches we’ve seen over the past few years were entirely preventable.

Most breaches involving credit card data have been neither sophisticated nor “new.”

A study by Verizon stated that 99 percent of breaches in 2014 were caused by known vulnerabilities with fixable patches.

Strong security protection principles that involve people, process and technology all working together in an atmosphere that prioritizes data security are vital for all of us to protect ourselves, our families and our companies.

So what actions can we take today to protect ourselves and our customers? For starters, many companies need to change the way they view security and make it a 24/7 priority. Data security must be deeply ingrained into an organization’s culture, not layered like frosting on a cake but baked in from the start.

The PCI Security Standards Council claims that since March, malicious virus-related reports are up 475%. The reason for the uptick is that cybercriminals are trying to take advantage of rapid changes to the payment-card data environment. In addition, 41% of small businesses have said they’ve suffered breaches costing more than $50,000 to fix.

Contactless payment is one of the big changes within the payment data environment. Several restaurant companies – from chains to independents – are offering it because it reduces customers' physical interaction with the restaurant's POS system. As part of this move, some businesses have eliminated credit-card PIN numbers.

Eliot says malicious email is usually the easiest way for cybercriminals to access your networks. The emails typically show up as urgent requests for sensitive information, often pretending to be from the Small Business Administration or the Centers for Disease Control and Prevention. When the intended victim types in his or her credentials and clicks on a specific link or downloads an attachment, criminals are in.

Anyone looking for easy-to-implement security tips can try these six to start. Reduce areas where payment-card data is stored. The best way to protect against a data breach is to avoid storing any card information at all. With many small operators offering curbside pickup and accepting payment over the phone instead of through face-to-face transactions, it’s important they train employees not to write down payment card details. Instead, have them enter numbers directly into a secure terminal. Use strong passwords. Using weak and default passwords is one of the leading causes of payment data breaches among businesses. Effective passwords must be strong and updated regularly. The most recent guidance is: the longer, the better. Think of it almost as a “passphrase” rather than a password. Use it in the form of a sentence, but mix in different characters within the phrase. It’s much harder to break a long passphrase than it is a short, complex password. Weak and vendor default passwords often result in small business data breaches. Also, don’t repeat your passwords. Update your software often. Criminals look for outdated software to exploit flaws in unpatched systems. Timely installations of security patches are crucial to minimizing the risk of a breach. Whenever updates are available, use them. They will improve performance and close out some of the vulnerabilities cybercriminals are searching for. Enable two-factor authentication. It's so important for restaurateurs, especially where their POS systems or any of their sensitive databases are concerned, to have two-factor or multi-factor authentication enabled. If an instance where credentials are stolen occurs, there will be a second layer of verification the operator can rely on to potentially reduce the chances that information will be breached. Segment your networks. If you are going to store payment data, make sure your POS system has its own separate, secure network. Do not store sensitive documents on public cloud services such as Google Docs or DropBox. If you’re going to store sensitive documents, house them in an encrypted, locked down location.   Be hyper-vigilant. Criminals are going to try to take advantage of this pandemic situation as much as possible. You can protect yourself by not giving out sensitive information, especially within unsolicited emails. Don’t click on links you’re not expecting and do everything in your power to protect all sensitive information.

The COVID-19 pandemic was, in many ways, the perfect storm for an influx in cyber exploitation

With this in mind, cybersecurity should be viewed as a company-wide initiative, with considerations made across each level of any tech-driven organization.

we must also recognize that more sophisticated technology creates an environment for increasingly sophisticated cybercrime

studies show that nearly 80% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks.

only 5% of companies’ folders are adequately protected

To this effect, global cybercrime damages are predicted to cost up to $10.5 trillion annually by 2025

And for hotels, a security breach resulting in compromised guest data can damage a property’s reputation beyond repair

Instead, companies today should be leveraging a formal cybersecurity program in conjunction with dedicated technology and resources to effectively protect the information housed within their digital infrastructure.

Much like cyber risks are ever-evolving, a hotels’ cybersecurity protocol must also evolve and adapt based on frequent reassessments of risks and vulnerabilities

cybersecurity cannot be treated as an afterthought, nor should it be viewed as an optional investment; rather, it’s the cost of doing business in any data and tech-driven landscape.

the average cost of a data breach is $3.86 million as of 2020

TA505 is a significant player in the global cybercrime scene, and has been a driver of global trends in the cybercriminal underworld. The group targets education, finance, healthcare, hospitality, and retail worldwide. It is also known for its long-term cyberattack lifecycle, sometimes persisting in a target's network conducting reconnaissance for weeks — even months — successfully avoiding detection as it patiently identifies the highest-value targets in the victim’s environment.

The trust that organizations place in their workforce can leave them vulnerable to malicious insiders, who often use particular methods to hide their illicit activities.

Current technology allows seamless collaboration, but also allows the organization's sensitive information to be easily removed from the organization. A complete understanding of critical assets (both physical and logical) is invaluable in defending against attackers who will often target the organization's critical assets.

Critical assets can be both physical and logical and can include facilities, systems, technology, and people. An often-overlooked aspect of critical assets is intellectual property.

Formalized and Defined Program:

Organization-wide Participation:

versight of Program Compliance and Effectiveness:

Confidential Reporting Mechanisms and Procedures:

Insider Threat Incident Response Plan:

ommunication of Insider Threat Events:

Protection of Employees' Civil Liberties and Rights:

Policies, Procedures, and Practices that support the InTP:

Data Collection and Analysis Techniques and Practices:

Prevention, Detection, and Response Infrastructure:

Insider Threat Practices Related to Trusted Business Partners:

Insider Threat Integration with Enterprise Risk Management:

Organizations should ensure policies and controls provide: concise and coherent documentation, including reasoning behind the policy, where applicable consistent and regular employee training on the policies and their justification, implementation, and enforcement Organizations should be particularly clear on policies regarding acceptable use and disclosure of the organization's systems, information, and resources use of privileged or administrator accounts ownership of information created as a work product evaluation of employee performance, including requirements for promotion and financial bonuses processes and procedures for addressing employee grievances

wareness training for the unintentional insider threat should encourage employees to identify potential actions or ways of thinking that could lead to an unintentional event, including level of risk tolerance--someone willing to take more risks than the norm attempts at multi-tasking--individuals who multi-task may be more likely to make mistakes large amounts of personal or proprietary information shared on social media lack of attention to detail

Our intent was to develop a single definition for insider threat that covers malicious and non-malicious (unintentional) insider threats covers cyber and physical impacts applies to both government and industry is clear, concise, consistent with existing definitions of 'threat', and broad enough to cover all insider threats

Most crucially, a cybersecurity strategy must include a solid plan for Business Continuity and Disaster Recovery in order to prepare for any worst-case scenarios. In the era of COVID-19, incidents of the worst kind are fast emerging and businesses deserve a fighting chance to succeed.

Today, the systems used for various functions in a hotel’s back and front operations are manned by employees who are not yet well-equipped to pick up on and counter large-scale cyber-attacks until it’s too late.

Mobile phones, tables and laptops connected to open networks become a hunting ground for hackers to harvest banking details through card payments. 

While financial services and the public sector have been forced to endure an endless stream of cybercrime, the hospitality industry has also become a prime contender for hackers in the wake of its rich data-base. 

No matter the size of the business, inefficient cyber support diverts crucial time from business activities and relationships with customers.

With global business fighting relentlessly to survive against the chaotic threat of the Coronavirus, all industries are exposed to criminal cyber-threats, and so the security of highly sensitive data must be handled appropriately.

British Airways and Marriott International are two major hospitality companies to be victims of high-profile breaches in recent memory. They serve as a stark reminder of the heavy costs faced when the safety of customers’ data is compromised. 

The National Institute of Standards and Technology (NIST) offers cybersecurity guidelines for best practices to manage cyber risk. These include identify, protect, detect, respond and recover. Another resource is the NCSA’s national program, CyberSecure My Business.

Firewall Often referred to as a company's "first line of defense," a firewall is a security control that filters and screens network traffic entering and exiting your corporate network.

People can rely on the password manager to create and store dozens of passwords in an encrypted database without having to remember them.

Password managers are quite helpful, and some are even free.

store the first part of sensitive site passwords

but keep the last few digits memorized and fill them manually.

This way, if there is ever a compromise of the password database, hackers don't have those full passwords.

You should also consider implementing multi-factor authentication (MFA). MFA authentication uses more than one thing or "factor" to log you in

, biometrics is part of this last category

SPAM & Malware filters screen email for unwanted and dangerous elements, blocking them before they ever reach your users.

In the world of cybersecurity, there's a phrase, "humans are the weakest link." An employee who accidentally clicks on the wrong link or email attachment can put in motion a chain of events that results in a cyber breach. Security awareness training is an anti-phishing tactic all organizations should employ.

RDP access must be protected by a VPN connection.

reduce the risk of getting hacked is to ensure your systems and software are updated regularly, or "patched.

patching shouldn't end with the operating system. Your patch program should also look to patch all other applications running on your systems

regardless of the security tools implemented to prevent a data breach, you should plan for a compromise occurring.  

That's where 24/7/365 network and endpoint monitoring comes in

DarkHotel hacking

Customer data/ identity theft 

Over that past few years, the industry’s most well-known brands have all been victims of cybercrime.

Cybersecurity for hotels should always include a process to mitigate any compromised systems should they go down in a DDoS attack.

intends to convince the recipient that he/she should share information

In recent years, this threat has become increasingly sophisticated, with attacks targeting those in authority. The aim is to take over a user’s email account to send bogus emails to colleagues. These emails often attempt to persuade recipients to authorize transactions, which are ordered from above.

Hotels that have fallen foul to this crime have in the past paid more than $17,000 to be able to let guests into their rooms and create electronic keys.

Phishing refers to the sending/receiving of emails that appear to be from a genuine source.

Cybersecurity issues of this nature, often result in customers being out of pocket, and the media getting involved. Which, of course, means bad press for a hotel. Furthermore, there could be financial implications for the business.

Protecting the identity and information of a customer is paramount to the success of any business and hotels ar eno exception.

The attacks use forged digital certificates to convince victims that a software download is safe.

That is often passwords and financial information; this scam is one of the oldest on the internet.

taking information and certain systems hostage. The purpose of this attack was to gain financially from those who paid the demanded figure to free their data/systems.

Every day regular items such as sprinkler systems to security cameras are vulnerable to hijack. After which, entire computer systems can be made to come crashing down.

And that means somewhere there is a weakness in the system which has been revealed by human error.

criminals use a hotels Wi-Fi to target business guests.

ncourage guests to use virtual private networks (VPN) if they plan on conducting business with sensitive data.

Especially when there are criminals from all over the world trying to steal identities, and credit card data.

his crime is forever changing.

for hotels, an almost perpetual arms-race to secure both data and networks.

Phishing refers to the sending/receiving of emails that appear to be from a genuine source