Common-Sense Cyber Security for Hospitality
Approaching the two-year anniversary of the United States Court of Appeals ruling in the case FTC v. Wyndham Worldwide Corporation, it makes sense to revisit an issue that remains critical to the hospitality industry: information security. The Wyndham decision, and the massive growth in cyber-attacks since, should prompt every hospitality business leader to consider whether they have taken the steps necessary to protect guests and, ultimately, the hotel owner.
For the hospitality industry, the rampant proliferation of easy-to-use hacking tools and number of bad actors willing to deploy them means that executives need to “up their game” to stay safe. But how? After reading the headlines and seeing some of the world’s largest organizations devastated by breaches, the complexity of the matter can be overwhelming. But it doesn’t have to be. The right approach can simplify matters greatly.
These three principles should streamline your efforts:
- Protect only what needs protection.
- Think holistically.
- Think like an attacker.
First, it’s important to understand that the goal isn’t to protect everything. This selectivity is important because there are always limited resources and we can’t absolutely secure everything. In the words of Alexander the Great: “When you defend everything, you defend nothing”. So, the goal is to first determine what an attacker wants and to then make the effort so great as to move them onto other, easier targets.
We do this by securing only the data that:
- You’re required by law or regulation.
- Examples include: Sarbanes Oxley Act, Federal Trade Commission, PCI-DSS
- You can’t afford to be made public.
- Examples include: Client privileged information, Mergers and acquisition plans, Internal dialogue on sensitive matters
- Is truly critical to your continued operation.
- Examples include: Intellectual property, Client data, Personnel records, Accounting and tax information
- Can facilitate attacks against you or your clients.
- Examples include: Personal contact data, Personal addresses
Second, you need to determine what information an attacker wants and how they would take it. To do so, you must think holistically and like an attacker. Essentially, you need to know how real attackers would actually take action, and not how defenders imagine them to act.
The Holistic Approach
The cliché “the whole is greater than the sum of the parts” truly applies to cyber security. As you may have read, there is acceptance within the field that technology alone cannot address the threats we face.
Simply, attackers are using the growing number of points where you are exposed (called “threat vectors” and “attack surfaces”) to the extent that technical, physical, or human countermeasures must work together to stand a chance of success. It doesn’t help that in the rush to get new consumer products to market, device and software manufacturers are giving little attention to security.
Central to this issue is the age-old balance of security and efficiency. To make good use of the efficiency and convenience that computers and the Internet offer, we open up access to ourselves and our organizations. This greater sharing means that we’re forced to rely upon humans to exercise good judgment. As we know, judgment is one of those things that technology can help with, but cannot be solely responsible for.
So, even though we may wish to apply purely technical solutions to what we generally view as purely technical problems, we need to understand that even the best technical security tools are rendered ineffective by improper human action. There is some good news, however; good cyber hygiene enhances these same technical tools.
The question then is how to harden your technology, personnel and physical defenses so they work together? The answer is a holistic cyber security perspective.
Only by comprehensively examining the technical, human, and physical cyber security vulnerabilities that could endanger you can a truly effective information security program be developed. By viewing the organization as an association of people and processes within a physical domain rather than just a series of devices on a network, you gain a far more accurate perspective of an organization’s defensive capability and resiliency. Importantly, this is exactly how an attacker sees any organization.
The Attacker Perspective
The perfect complement to a holistic security approach is the attacker perspective. The true value of any security assessment is an accurate analysis of how real attackers would actually take action, and not how defenders imagine them to act. By thinking like an attacker, you increase the likelihood of developing truly effective security measures. This is the core concept of ‘red teaming’ and penetration testing.
Worth noting is that while it may be easy to say that you are adopting the attacker perspective, this is actually quite hard for most people, simply because they don’t have the natural capacity to think that way.
On the other hand, it is completely natural for attackers to:
- Use public data for targeting.
- Determine who has direct and indirect access to what they want.
- Know how to manipulate those persons.
- Identify, analyze and rank order security gaps.
- Know how those gaps can be used to achieve their goals.
- Find buyers for stolen information.
- Use stolen data to target, plan, and execute separate attacks.
In most cases, a malicious actor will use the easiest and safest way to mount an attack, following this general process:
As you know, the pendulum has been swinging toward accountability for those responsible for protecting information and access, exemplified by:
- Financial costs. While Wyndham avoided a Federal Trade Commission (FTC) fine, class actions suits and reputational harm are unavoidable consequences.
- Personal accountability. Gone are the days when cyber security was the IT department’s responsibility. It’s now the executive suite, and a significant data breach could cost them their jobs. The Target CEO and CIO were two that learned this lesson the hard way, and there have been more since.
One way to get clear of the pendulum swing is to be out ahead of it. While others may wait for forced compliance, you have the opportunity to do the right thing in terms of information security and become a role model for your guests and properties.
Acting proactively will pay dividends over the long-term. Just as the impact of cyber breaches are now quantified by lost revenue, reputational damage, and unrealized potential; cyber resiliency and due care will soon be quantified by market share, reputational fortitude and seized opportunities.
Mr. LeTellier has twenty-five years of risk management experience in the public and private sector. Prior to providing cyber security consulting to Fortune 500 firms and government agencies, Mr. LeTellier ran offensive and defensive intelligence, counterintelligence, and security operations as a CIA operations officer and station chief.
In the private sector, Mr. LeTellier has provided cyber security and operational subject matter expertise to the intelligence community. He has also created a cyber security unit that leveraged CIA human source and NSA technical expertise to provide holistic cyber security assessments, risk mitigation, and training. In addition, Mr. LeTellier has designed insider threat programs and has conducted vulnerability assessments of the nation’s largest port.
During his twenty-year career with the CIA, ), Mr. LeTellier served as Senior Operations Officer, Chief of Station (twice), Chief of Base, and Chief of Operations. He completed eight field tours in the Middle East, West Africa, and war zones leading traditional operations, covert action, and counterterrorism operations
Prior to joining the CIA, Mr. LeTellier served as a State Department Diplomatic Security special agent.
Mr. LeTellier holds an MBA, MS in Systems Management, BA in Political Science, a Certificate in Information Systems Security, and is a Certified Information System Security Professional (CISSP).