In our previous blog post, we shared some of the useful security and risk resources that are a constant source of reference for us. For this post, I’d like to draw on one of those sources, the 2016 Verizon Data Breach Investigations Report, and dive a little deeper by focusing specifically on the hospitality industry.
The first thing to state is that we shouldn’t be surprised that this sector is coming under attack. The Payment Card Industry Security Standards Council held a recent webinar which you can still access on the organisation’s website. “Cybercriminals are targeting all members of the hospitality industry right now… depending on which research you subscribe to, members of the hospitality industry are among the top three of all targeted groups around the world,” said Stephen Orfei, general manager of the PCI SSC.
The 2016 edition of Verizon’s Data Breach Investigations Report is a comprehensive global look at the state of security and the nature of cyber attacks and breaches. Its insights are based on more than 100,000 security incidents and the report analysed 2,260 data breaches. As a result, it’s possible to break out views of specific industry verticals and Verizon produced a report specifically addressing the threats in the hospitality industry.
This report found that attacks against point-of-sale systems are the most favoured entry point for cybercriminals. “Compromising the computers and servers that run POS applications is still proving fruitful for attackers seeking payment card data. These attacks are a significant threat in hospitality and accounted for three quarters of incidents in 2015,” it said.
Verizon’s report advises reviewing the authentication that vendors use for remote access to POS systems and upgrading to two-factor authentication where possible. It also recommends monitoring who logs in to POS systems, and segmenting the POS environment from the corporate network so that a compromised office workstation cannot reach the terminals. Lastly, it said installing and maintaining anti-virus software is essential. Surprisingly, many POS systems don’t even have AV to protect them.
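Two of those recommendations, segmenting the POS environment and monitoring who uses it, are only as good as the checks you run against them. The script below is an added example and is not from the Verizon report or from any vendor’s product: it audits constructed firewall and login log lines for a hypothetical POS segment (10.50.0.0/24), flagging any POS host whose permitted egress is not on a small allowlist (a payment processor and a patch server, both made-up addresses) and any interactive login to a POS terminal by an account outside the approved set or from outside the segment and its designated jump host. All addresses, hostnames, account names and log formats are assumptions for the example.

```python
"""Audit checks for a segmented POS environment (constructed example, not vendor code)."""
import ipaddress
import re

# Assumptions for the example: the POS segment, the only egress the firewall
# should permit from it, the accounts allowed to log in to terminals, and the
# admin jump host allowed to reach them from outside the segment.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_EGRESS = {
    ("203.0.113.10", 443),   # payment processor (made-up address)
    ("10.10.0.5", 8530),     # patch / AV update server (made-up address)
}
ALLOWED_POS_USERS = {"pos-svc", "pos-admin"}
ADMIN_JUMP_HOSTS = {ipaddress.ip_address("10.10.0.9")}

# Constructed log formats; adapt the patterns to whatever your firewall and
# terminals actually emit.
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw ACCEPT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) from=(?P<from>[\d.]+)$"
)


def check_egress(lines):
    """Return (src, dst, dport) for POS hosts whose ACCEPTed egress is not allowlisted.

    A finding here means the firewall policy is wider than the segmentation
    design says it should be, not merely that a host tried something.
    """
    findings = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if src not in POS_SEGMENT:
            continue  # only traffic originating in the POS segment is in scope
        dst, dport = m["dst"], int(m["dport"])
        if ipaddress.ip_address(dst) in POS_SEGMENT:
            continue  # intra-segment traffic (printers, local DB) is not egress
        if (dst, dport) not in ALLOWED_EGRESS:
            findings.append((str(src), dst, dport))
    return findings


def check_logins(lines):
    """Return (host, user, source, reasons) for logins to POS terminals that break policy."""
    findings = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        user, src = m["user"], ipaddress.ip_address(m["from"])
        reasons = []
        if user not in ALLOWED_POS_USERS:
            reasons.append("unexpected account")
        if src not in POS_SEGMENT and src not in ADMIN_JUMP_HOSTS:
            reasons.append("login from outside POS segment")
        if reasons:
            findings.append((m["host"], user, str(src), reasons))
    return findings


# Constructed sample input. The third firewall line is a POS terminal reaching
# an address that is not the processor or the patch server; the second login
# is a corporate user account coming from an office workstation.
FIREWALL_LOG = """\
2016-05-02T10:01:12Z fw ACCEPT src=10.50.0.21 dst=203.0.113.10 dport=443
2016-05-02T10:01:40Z fw ACCEPT src=10.50.0.21 dst=10.10.0.5 dport=8530
2016-05-02T10:02:05Z fw ACCEPT src=10.50.0.22 dst=198.51.100.77 dport=443
2016-05-02T10:02:30Z fw ACCEPT src=10.50.0.22 dst=10.50.0.1 dport=9100
2016-05-02T10:03:00Z fw ACCEPT src=10.20.0.15 dst=198.51.100.77 dport=443
""".splitlines()

AUTH_LOG = """\
2016-05-02T10:05:00Z pos-term-21 login user=pos-svc from=10.50.0.21
2016-05-02T10:06:00Z pos-term-22 login user=jsmith from=10.20.0.15
2016-05-02T10:07:00Z pos-term-22 login user=pos-admin from=10.10.0.9
""".splitlines()

if __name__ == "__main__":
    for f in check_egress(FIREWALL_LOG):
        print("egress gap:", f)
    for f in check_logins(AUTH_LOG):
        print("login policy violation:", f)
```

Run as-is it reports one egress gap (10.50.0.22 reaching 198.51.100.77:443) and one login violation (jsmith on pos-term-22 from an office address). The egress check deliberately audits ACCEPT entries rather than DROPs: in a properly segmented POS network the interesting question is not what the firewall blocked but what it quietly let through that the design never intended.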
The next category of incidents is denial of service attacks, which accounted for one in five of all security incidents in the hospitality industry. Unlike many other sectors, insider risk and misuse of privileges is much lower for hospitality providers, according to the DBIR. This category accounted for just 2 per cent of all incidents, compared with an average of 16 per cent across all industries.
Hotels and restaurants are right in the sweet spot for cybercriminals because their business model gives them access to two kinds of highly valuable data. One is payment data for credit or debit cards and the second – more applicable to hotels than restaurants – involves personally identifiable information such as a passport or some form of identity card that customers use to make and confirm a booking. There may even be health information relating to dietary or accessibility requirements.
To complicate the situation further, hospitality organisations often work with third-party suppliers who may need to access specific data. All of this creates big challenges for security, IT and compliance professionals in the sector.
We know from our own work in this sector that compliance in particular is a critical component of this effort, such as the country-specific data protection legislation which, two years from now, will be replaced in the European Union by the harmonised General Data Protection Regulation. What’s more, since most of the industry processes payment card information, it falls under the remit of PCI DSS. One of our large European hospitality customers recently achieved PCI DSS compliance for the group, and they told us that the arrival of GDPR has catapulted the issue of data protection into the boardroom.
Hoteliers shouldn’t underestimate the specific challenges around storing, managing and securing the data they hold. LinkedIn has several groups for the hospitality sector and one of them, the Hospitality Networking Group, has good guidance. I recommend industry professionals should join groups like these as a way to find out more about ensuring their data is stored correctly.
Unfortunately, in some cases, the hospitality industry is not dedicating enough time or people to this issue. Verizon refers to some of the well-known hotel chains that suffered cyber attacks in 2015. What are you planning to do to ensure you don’t become a statistic for next year’s roundup?