It’s a common practice in the hospitality industry to rely on third parties for technology software, services and infrastructure in order to focus on core business. Unfortunately, there have been several shocking IT or data security breaches in the past few years resulting from third parties being compromised.
Some of these were reputable and trusted partners who provide security defenses, such as Fortinet, Juniper and, most recently, SolarWinds. Leading hospitality solution providers have not been immune – breaches have occurred at Oracle Opera and Sabre as well. This all means there’s a high probability you’ll be impacted by a third party security breach.
Managing this area of risk is considered one of the most challenging cybersecurity issues today. Experience shows that using third parties doesn’t prevent harm to your brand or reputation. Further, a third party security breach can leave your company with unplanned and significant out of pocket costs. Thankfully, there are known blind spots to avoid and best practices are emerging that can help us now.
Blind Spots to Recognize
+ An incomplete inventory of third party vendors that needs updating
+ Basing trust solely on market leaders who are vulnerable, including large and reputable companies
+ Overlooking current vendors and only vetting new potential vendors
+ Overdependence on audit reports, which are a snapshot in time with limited scope
+ Not giving attention to application security or source code used by vendors.
Practices You Can Adopt Now
This doesn’t mean you need to look for an alternative provider if you have current IT vendors who need to improve their security posture. But you do need to assess them and work to agree on specific actions and timetables to address any deficiencies.
1. Require vendors to conduct annual Independent penetration or “pen” testing for networks, operating infrastructure and applications.
This is a way to locate weaknesses that malicious hackers could attack. Vendors should commit to specific target dates for remediating any weaknesses found. You’ll need to do re-testing to verify the fixes were done correctly.
Only qualified, ethical hackers should do this type of testing. It needs to include both networks and applications, with internal and external testing. Make sure you can either select or approve the testing company.
Require a summary report that prioritizes the weaknesses found and identifies high level descriptions of actions to take.
Negotiate the cost of pen testing with the vendor because they can use it for their entire customer base.
2. Review certifications and other requirements that necessitate ongoing and sustained vendor efforts.
The Cloud Security Alliance (https://cloudsecurityalliance.org) maintains a Security, Trust Assurance & Risk (STAR) registry for cloud service providers. It offers different levels of assessments and certifications, but even the basic level 1 requires strong vendor commitment and accountability related to publishing assessment details publicly.
Another type of assurance is an ISO/IEC 27001 certification. It’s stronger than an individual audit report because it requires continuing attention to manage policies, processes and procedures rather than just evaluating mitigating controls. In addition, it incorporates the management actions needed to support a strong cybersecurity posture, such as providing resources. The ISO/IEC information security standards are written for general commercial practice for organizations of all sizes and across industries. Vendors with this certification receive a “Mark” that can be checked and verified. You can find more information at: https://www.iso.org/isoiec-27001-information-security.html
The PCI Security Standards Council website (www.pcisecuritystandards.org) is a valuable resource for payment card data protection. This site offers third-party payment guidance for merchants. It also maintains a list of validated payment software and secure SLC (Secure Life Cycle) qualified software vendors. You’ll also find information on when to request an Attestation of Compliance (AOC) with the Self-Assessment Questionnaire (SAQ), Form D for Service Providers.
3. Review Contractual Controls
The best time to address contractual controls is before you engage a vendor. Take steps to enact a cybersecurity review and approval process before you sign new contracts. Set up a simple governance procedure to have your information security officer document an internal approval/disapproval signature for new and amended or renewed contracts.
Be sure to include key contractual controls such as requiring the vendor to:
-
Make a timely notification to you of all security incidents with a detailed description. This prevents you from being surprised by reading about a security breach that affects you and your guests in the media.
-
Include a contact name for any questions you may have.
-
Cover all expenses related to communications about the breach. One of the most costly aspects of incident response is delivering information to end users. Communication to your company as the customer isn’t adequate.
-
Let you review and approve communications sent to your guests or employees.
-
Set up a software escrow for business critical systems such as the property management system, revenue management system, etc. in the event the vendor company is sold or goes out of business. You may need access to the source code to arrange support for your existing systems. Software escrows are beneficial to vendors regardless because the copy of code stored in escrow also protects the vendor if their code becomes damaged or corrupted.
-
Finally, use these common sense checks to get a quick read on the security posture of an IT vendor. It’s time to look elsewhere if:
-
They can’t give you the name and job title of the person responsible for managing their cybersecurity program. The CEO, an IT operations manager or software development executive aren’t security professionals. Cybersecurity is a full-time job that requires specialized skills, knowledge and experience.
-
They can’t send you a copy of their policies and technical standards related to cybersecurity.
-
Paying attention to these red flags and knowing who to look for and what to ask of them will help keep you, your guests, and their all-important data, safe.
Lynn Goodendorf, CISO, is a security expert whose previous roles include Group Information Security Officer with Mandarin Oriental Hotel Group and Corporate Risk and Chief Privacy Officer with IHG.
©2021 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent. For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.