No reservations for cyber hackers in the hospitality industry
It is no surprise to anyone that certain industries are more of a target for cyber criminals than others, although today all businesses are likely on the radar. One high-value target is the hospitality industry. According to Verizon’s 2015 Data Breach Investigation Report, the data-rich hospitality industry continues to struggle in this area, with accommodations ranking as the industry with the highest reports of incidents as well as data losses. White Lodging, whose portfolio contains 169 properties, was the victim of data breaches twice within a year. Restaurant owner P.F. Chang’s suffered a high-profile breach, as did Starwood Hotels & Resorts.
Enticed by the industry’s high customer volume and access to personal data, cyber thieves have no reservations about attacking hotels, restaurants and hospitality entities. Bob Russo, general manager of the PCI Security Standards Council, has stated that “franchised hospitality locations are at an exponentially greater risk. Standardization of computer systems among the franchise (and hospitality) models is common and, in the event a security deficiency exists within a specific system, deficiencies will be duplicated among the entire franchise base.”
Unfortunately, the common belief is that many hospitality businesses are not implementing best security practices because of the lack of an industry standard, poor implementation by franchisees, and the overall nature of the hospitality businesses, such as high staff turnover and easy access to data.
Tips to manage your cyber risk
Given that cyber criminals have identified the hospitality sector as a soft target, what can be done to deny the criminals a reservation at your establishment?
Here are 10 tips from industry watchdogs:
1. Minimize data collection. If you do not need it, then do not collect it.
2. Understand and comply with PCI-DSS (Payment Card Industry Data Security Standard, a proprietary information security standard for organizations that handle branded credit cards). Make sure your business is completely aware of its “cardholder data environment” and is providing appropriate protections.
3. Find and digitally shred unneeded information. Old, forgotten data is dangerous. Don’t be “data blind” — eliminate what you no longer need.
4. Limit access. Employees should be on a “need to know” basis with PCI and HR data.
5. Split up your network. Create electronic firewalls that limit the spread of viruses and attacks.
6. Encrypt!!! Proper encryption renders hacked data unusable.
7. Understand your network. Review network logs for unauthorized activity and make sure your security professionals do, too.
8. Security is not just for IT professionals; make sure your entire organization creates and respects a culture of privacy that prioritizes security as the basis for all of its operations.
9. Have a comprehensive incident response plan in place and test it regularly through tabletop exercises.
10. Work closely with your broker and an insurance coverage attorney to procure appropriate data privacy insurance.
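Tip 7 asks that someone actually read the network logs. As an added illustration that is not part of the original article, the Python script below scans a handful of constructed authentication log lines for the patterns a reviewer would want flagged: a burst of failed logins from one source, a success that follows such a burst, and a privileged account logging in outside business hours. The key=value log format, host names, user names, RFC 5737 documentation addresses and threshold values are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value format; hosts, users and
# the 203.0.113.0/24 documentation addresses are invented for this example.
SAMPLE_LOG = """\
2016-03-01T09:12:03Z host=pos-07 user=cashier3 src=10.20.0.15 event=login_success
2016-03-01T02:14:07Z host=pms-01 user=admin src=203.0.113.45 event=login_failure
2016-03-01T02:14:11Z host=pms-01 user=admin src=203.0.113.45 event=login_failure
2016-03-01T02:14:15Z host=pms-01 user=admin src=203.0.113.45 event=login_failure
2016-03-01T02:14:19Z host=pms-01 user=admin src=203.0.113.45 event=login_failure
2016-03-01T02:14:23Z host=pms-01 user=admin src=203.0.113.45 event=login_failure
2016-03-01T02:14:40Z host=pms-01 user=admin src=203.0.113.45 event=login_success
2016-03-01T10:03:55Z host=hr-db user=hrclerk src=10.20.0.31 event=login_failure
2016-03-01T10:04:10Z host=hr-db user=hrclerk src=10.20.0.31 event=login_success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)

# Assumed policy values for the example; tune them to your own environment.
FAILURE_THRESHOLD = 5          # failures from one source within the window
FAILURE_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 22)  # 07:00-21:59; anything else counts as off-hours
PRIVILEGED_USERS = {"admin"}


def parse_log(text):
    """Turn raw lines into dicts with a real datetime; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    # Logs are rarely in order; sort so the sliding window works.
    return sorted(events, key=lambda r: r["ts"])


def review_log(text):
    """Return a list of (rule, detail) alerts found in the log text."""
    alerts = []
    recent_failures = defaultdict(list)   # (host, src) -> failure timestamps
    brute_forced = set()                  # (host, src) pairs already flagged
    for rec in parse_log(text):
        key = (rec["host"], rec["src"])
        if rec["event"] == "login_failure":
            window = recent_failures[key]
            window.append(rec["ts"])
            # Keep only the failures that fall inside the sliding window.
            recent_failures[key] = [t for t in window if rec["ts"] - t <= FAILURE_WINDOW]
            if len(recent_failures[key]) >= FAILURE_THRESHOLD and key not in brute_forced:
                brute_forced.add(key)
                alerts.append(("repeated_failures",
                               f"{len(recent_failures[key])} failures on {rec['host']} from {rec['src']}"))
        elif rec["event"] == "login_success":
            if key in brute_forced:
                alerts.append(("success_after_failures",
                               f"{rec['user']} on {rec['host']} from {rec['src']}"))
            if rec["user"] in PRIVILEGED_USERS and rec["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("offhours_privileged_login",
                               f"{rec['user']} on {rec['host']} at {rec['ts'].isoformat()}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in review_log(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Run against the sample, the script raises three alerts for the pms-01 host and none for the single hr-db failure, which is the point of the thresholds: a reviewer should be looking at the bursts and the off-hours administrative activity, not at every typo a clerk makes.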
Checklist for purchasing data privacy insurance
This last point cannot be stressed enough. The market for data privacy insurance continues to evolve as insurers use vastly different forms to write the coverage. Because of the disparity in the policies, where the devil is truly in the details, it is imperative for the hospitality industry to be more proactive in purchasing cyber insurance. Here are some tips in placing data privacy coverage:
- Use a team approach in purchasing cyber insurance — insured, broker, coverage counsel.
- Understand your risk profile.
- Review existing coverages to know what is already available in your current program.
- Put into place other data privacy coverage as needed.
- Understand that data coverage is broader than just “cyber.”
- Ensure there is coverage for using cloud services.
- Negotiate for a retroactive date of at least one year.
- Know what legal counsel and vendors will be supplied by insurers.
- Carefully review the insurance application.
Ransomware: The next frontier for the hospitality industry
According to a report from Intel Corp.’s McAfee Labs, the number of cyberattacks where malware holds user data “hostage” is expected to grow in 2016 as hackers target more companies and advanced software is able to compromise more types of data.
Ransomware encrypts the files on a system’s hard drive with a key the victim cannot recover; the attacker releases the decryption key only once a ransom is paid, typically in an online currency such as Bitcoin. The malware is usually delivered by email, which makes the hospitality industry particularly susceptible given its growing reliance on email to communicate with customers.
The best defense is a robust backup of all data in an offline environment. Companies also must ensure their computer networks are regularly updated with security patches. Jens Monrad, systems engineer at FireEye, notes “most malware will execute with the same privileges as the victim executing the payload. If the person getting compromised has local or global administrative privileges, the malicious code will have access to the same resources.”
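An offline backup is only useful if you know it is intact and can tell when the live data has been corrupted. As an added example that is not part of the article or of any vendor quoted in it, the Python script below records a SHA-256 manifest of a known-good file set and later compares a snapshot against it, flagging the pattern a ransomware incident leaves behind: a large share of files gone or altered, replaced by near-random content under a new name. The file paths, contents, the “.locked” rename suffix and the two threshold values are all constructed for this example; in practice the baseline would come from the offline backup and the current set from the live system.

```python
import hashlib
import math
import os
import random
from collections import Counter

# Constructed known-good snapshot: path -> content bytes.
BASELINE = {
    "guests/reservations.csv": b"name,room,checkin\nA. Guest,204,2016-03-01\n" * 20,
    "guests/folios.csv": b"folio,amount\n1001,189.00\n1002,240.50\n" * 20,
    "hr/roster.txt": b"cashier3,front desk\nhrclerk,human resources\n" * 20,
    "menus/dinner.txt": b"Salmon 24.00\nRisotto 18.00\nTiramisu 8.00\n" * 20,
}

# Assumed policy values for the example.
CHANGED_FRACTION_ALARM = 0.5   # more than half of known files altered or gone
HIGH_ENTROPY = 7.0             # bits per byte; text and CSV sit well below this


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Map each path to its SHA-256. Store the manifest with the offline backup."""
    return {path: sha256_hex(data) for path, data in files.items()}


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_snapshot(manifest, current):
    """Diff a current file set against the manifest and score the result."""
    changed, missing, new, high_entropy = [], [], [], []
    for path, digest in manifest.items():
        if path not in current:
            missing.append(path)
        elif sha256_hex(current[path]) != digest:
            changed.append(path)
    for path, data in current.items():
        if path not in manifest:
            new.append(path)
        if shannon_entropy(data) >= HIGH_ENTROPY:
            high_entropy.append(path)
    # A new path that is a missing path plus a suffix, or shares its stem,
    # is treated as a rename of that file.
    missing_stems = {os.path.splitext(p)[0] for p in missing}
    renamed = [p for p in new
               if os.path.splitext(p)[0] in missing
               or os.path.splitext(p)[0] in missing_stems]
    fraction = (len(changed) + len(missing)) / len(manifest) if manifest else 0.0
    suspicious = fraction > CHANGED_FRACTION_ALARM and bool(high_entropy or renamed)
    return {
        "changed": changed, "missing": missing, "new": new,
        "renamed": renamed, "high_entropy": high_entropy,
        "affected_fraction": fraction, "ransomware_suspected": suspicious,
    }


def demo_snapshot():
    """Constructed 'after' state: three files gone, replaced by random bytes with a new suffix."""
    rng = random.Random(2016)  # seeded so the demo is repeatable
    current = dict(BASELINE)
    for path in ("guests/reservations.csv", "guests/folios.csv", "hr/roster.txt"):
        del current[path]
        # Random bytes stand in for unreadable content; nothing is encrypted here.
        current[path + ".locked"] = bytes(rng.getrandbits(8) for _ in range(4096))
    return current


if __name__ == "__main__":
    manifest = build_manifest(BASELINE)
    print(compare_snapshot(manifest, demo_snapshot()))
```

The two signals are deliberately combined: a single edited menu is an ordinary change and scores low, while most of the file set disappearing at once and reappearing as high-entropy blobs under new names is what a restore decision should be triggered by. The same manifest check, run against the backup media itself, confirms that the offline copy is still the one you think it is.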
Cyber insurance is the ultimate backstop in a cyber extortion situation. It can pay the ransom as well as the cost of restoring the network. But remember, it is critical that the insurance be properly placed at inception to ensure the coverage is there when needed.
Check-in time for the industry
This year is likely to see a new rash of high-profile breaches in the hospitality industry. Hotels, management companies, and restaurants are all vulnerable and remain prime targets for criminals. When it comes to deterrence, the best defense is an aggressive offense. Now is the time for action.
Collin Hite leads the Insurance Recovery Group and the Data Privacy & Security practice at the law firm of Hirschler Fleischer in Richmond. Hite may be reached at (804)771-9595 or [email protected].