Most security professionals will tell you that it is not a matter of if you will be the victim of a data breach; it is a matter of when. That sounds a bit fatalistic, and we all like to think that if we do everything we should be doing, we can avoid it happening to us. The truth is that doing everything we should be doing significantly lowers our risk of being a victim by making us a less desirable target. That might be enough.
We know that the hospitality industry is a favorite target of cybercriminals based on the two major investigation reports released in 2012. The Verizon Data Breach Investigations Report (DBIR) pointed out that 54 percent of the breaches it investigated fell into the accommodation and food services category, which is made up of 95 percent restaurants and 5 percent hotels. The Trustwave Global Security Report indicated that franchise operations are the new target of cybercriminals and accounted for 33 percent of its investigations. That makes a hospitality company a bigger target still.
A few of the more recent headlines were enough to get our attention.
On January 11, 2013, the Zaxby’s restaurant chain notified authorities and posted on the company’s website that it had suffered a breach involving credit card numbers, affecting 108 stores in 10 states. The breach was discovered when investigators found suspicious files, identified as malware, on the restaurants’ POS systems.
In November 2012, Fox News reported a string of robberies in Texas where thieves were breaking into hotel rooms by exploiting a security vulnerability in the Onity electronic locks used by some hotels. What makes this more interesting is that the vulnerability had been demonstrated at the Black Hat security conference in Las Vegas in July 2012, and Onity quickly released two different solutions to resolve the issue: a mechanical fix and a firmware upgrade.
In October 2012, the Nemacolin Woodlands Resort in Pennsylvania announced that guests who stayed there between May and July may have had their credit card numbers compromised by a breach the property discovered in its retail point-of-sale (POS) system.
As if experiencing a breach were not bad enough, a more troubling development affects the Wyndham Hotel Group. Hit with three different data breaches over the past two years, the company was served with a lawsuit by the Federal Trade Commission in June 2012. In its complaint the FTC stated, “Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information.” Wyndham has stated it will vigorously defend against these claims.
The expertise and methods of organized cybercriminals continue to grow in sophistication faster than our defenses improve. They have automated their attacks while many organizations still rely on manual defenses. They have built malware that morphs into new forms with each infection, so that the file-signature matching of traditional antivirus products no longer recognizes it. They send phishing emails from disposable domains registered days or hours earlier, so that domain blacklists built from past campaigns do not contain them. Using these and other techniques, they stay one step ahead of most organizations.
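The two evasions described above are easy to see in code. The following is an added illustration, not code from the original article: it builds a hash blocklist from one constructed "malware" sample and shows that a trivially mutated copy slips past it while a signature keyed on the behaviour the malware cannot change (its exfiltration command and C2 host) still fires; it then shows a static domain blacklist missing a freshly registered phishing domain that a simple domain-age heuristic flags. All samples, domains and dates are constructed for the example, and the `FIRST_SEEN` table stands in for a passive-DNS or WHOIS lookup that is assumed, not a real service.

```python
"""Added example: why static hash and blacklist defenses fail against
morphing malware and disposable phishing domains.

Every sample, domain and date below is constructed for illustration.
"""
import hashlib
import re
from datetime import date

# --- 1. Hash signatures versus morphing malware ---------------------------

# Constructed "malware" bodies. The functional part (send track-2 card data
# to a C2 host) is identical; the variant changes only padding and key.
SAMPLE_V1 = (b"MZ\x90\x00" + b"\x00" * 12
             + b"cmd=send_track2;c2=pos-update.example;key=" + b"A" * 16)
SAMPLE_V2 = (b"MZ\x90\x00" + b"\x7f" * 12
             + b"cmd=send_track2;c2=pos-update.example;key=" + b"Q" * 16)

# Hash blocklist built from the first sample only, the way an antivirus
# definition is produced after one sample has been analysed.
HASH_BLOCKLIST = {hashlib.sha256(SAMPLE_V1).hexdigest()}


def hash_match(sample: bytes) -> bool:
    """True only if the exact SHA-256 of the file is on the blocklist."""
    return hashlib.sha256(sample).hexdigest() in HASH_BLOCKLIST


# A structural signature keys on what the malware must keep to work and
# wildcards the parts that morph (padding, key material, C2 hostname).
STRUCTURAL_SIG = re.compile(
    rb"cmd=send_track2;c2=[a-z0-9.\-]+;key=[A-Za-z0-9]{16}")


def structural_match(sample: bytes) -> bool:
    """True if the behavioural byte pattern appears anywhere in the sample."""
    return STRUCTURAL_SIG.search(sample) is not None


# --- 2. Domain blacklists versus disposable phishing domains --------------

# Constructed blacklist: domains seen in earlier phishing campaigns.
DOMAIN_BLACKLIST = {"secure-guestpay.example", "hotel-rewards-login.example"}

# Constructed "first seen" registry; stands in for an assumed passive-DNS or
# WHOIS creation-date source. The last entry was registered the day before
# the campaign, so no blacklist can have it yet.
FIRST_SEEN = {
    "secure-guestpay.example": date(2012, 3, 2),
    "hotel-rewards-login.example": date(2012, 9, 14),
    "guest-refund-notice.example": date(2013, 1, 10),
}
TODAY = date(2013, 1, 11)  # constructed date of the phishing campaign


def blacklist_match(domain: str) -> bool:
    """Static check: is the sender domain on the list from past campaigns?"""
    return domain in DOMAIN_BLACKLIST


def age_heuristic_match(domain: str, today: date, max_age_days: int = 30) -> bool:
    """Flag a domain that is unknown or younger than max_age_days.

    An unknown domain is treated as suspicious rather than allowed, because a
    disposable domain is by construction one nobody has seen before.
    """
    seen = FIRST_SEEN.get(domain)
    if seen is None:
        return True
    return (today - seen).days < max_age_days


def phishing_sender_flagged(sender: str, today: date = TODAY) -> dict:
    """Run both checks on the domain part of an e-mail sender address."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return {"blacklist": blacklist_match(domain),
            "age_heuristic": age_heuristic_match(domain, today)}


if __name__ == "__main__":
    print("v1 hash:", hash_match(SAMPLE_V1), "structural:", structural_match(SAMPLE_V1))
    print("v2 hash:", hash_match(SAMPLE_V2), "structural:", structural_match(SAMPLE_V2))
    print(phishing_sender_flagged("billing@secure-guestpay.example"))
    print(phishing_sender_flagged("billing@guest-refund-notice.example"))
```

Running it shows the first sample caught by both checks, the morphed variant caught only by the structural signature, the old phishing domain caught only by the blacklist, and the day-old domain caught only by the age heuristic. The point for a defender is the second column of each pair: detection that keys on what the attacker must keep (the behaviour, the newness of the infrastructure) survives the automation that defeats exact-match lists.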
If you believe it can happen to your organization, you are taking the first step toward protecting your organizational and customer data.
There are many steps you can take to secure your systems and data; most experts agree that you should start with your employees, or the human factor, as it has come to be known. Training your employees on what an incident is, how to recognize one and whom to report it to is the best starting point. Don’t assume that they already know. Next, make sure your employees understand their role in protecting all organizational assets, including data and systems. That responsibility belongs to everyone, not just the information technology staff, as is commonly assumed. This training should be continuous and constantly updated to ensure its relevance. If you set your objective to change employee behavior, protecting organizational data will become part of their daily routine.
MARY SIERO, CISSP, CISM, CRISC, is the president of Innovative IT in Las Vegas, www.iitlasvegas.com.
©2013 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.