Increasing Your Company’s Security IQ
According to the Identity Theft Resource Center's "2017 Annual Data Breach Review," the number of reported data breaches in 2017 reached 1,579, 44.7% more than in 2016.
Hospitality organizations remain a top target: business organizations, a category that includes hospitality, retail, trade and utilities, accounted for 55% of reported breaches.
However, whether or not the number of data breaches is increasing is a matter of some debate.
ControlScan contends that data breaches are not necessarily happening more frequently, but with modern reporting requirements, the public hears about them more often.
Sarah Clark, principal at One World Identity (OWI), a consultancy focused on trust and the data economy, agrees with this assessment. In the era of transparency, there has been a measured increase in the number of data breaches, she says.
Sources interviewed by Hospitality Technology agree that more companies are disclosing when they are hacked. This is an about-face from a few years ago. Trustwave acknowledges that while in the past companies used to hide breach information, regulations now require disclosure.
Data breaches are not going away anytime soon, and in fact, are only expected to increase in number and in impact to the bottom line. Market analyst Juniper Research predicts data breaches will cost businesses more than $2 trillion by 2019, while research firm Cybersecurity Ventures estimates the cost at $6 trillion by 2021. Gartner Inc. forecasts enterprise security spending worldwide to top $96.3 billion this year, or an 8% uptick, thanks to increased regulations, awareness of emerging threats and increasingly digital business strategy.
Step One: Budget for Security
In the hospitality industries, enhancing payment/data security was named a top tactical objective for 33% of restaurants surveyed in Hospitality Technology’s 2018 Restaurant Technology Study and 28% of hoteliers surveyed in its 2018 Lodging Technology Study. With IT budgets hovering around 2% for most restaurants, according to HT’s research, it can be a challenge to earmark the appropriate amount of dollars for security when stacked against other initiatives.
Companies need to realize they are going to pay for security sooner or later, and Trustwave advises clients that it is always more expensive to wait until after a breach has occurred.
Security is about mitigating risk. It should also be about doing the right thing to protect your assets, including your customer relationships and their data.
There are many products and services to help organizations of all sizes. Think about what you can tackle in house and what you should outsource. An organization may not be able to afford $35,000 for a firewall, but it may be able to afford $60 to $70 per month for a managed firewall service from a reputable provider.
Step Two: Identify Areas of Risk
Bad internal practices contribute to many data breaches. In August, Chinese hotel management company Huazhu Group Ltd. had a breach involving more than 240 million records, including credit card numbers and customers' user IDs and login PINs for the company's website. According to reports, the company's database had been accidentally uploaded to the Internet via GitHub, a service where developers collaborate on code.
Up to 37 million Panera Bread customers were affected by a data breach. Exposed data included loyalty program numbers, names, birthdays and the last four digits of customers' credit card numbers. Panera had been alerted to the leak nearly a year before it removed the web page that was exposing the data, KrebsOnSecurity reported.
In October, Vancouver, Wash.-based Burgerville revealed it had been the victim of a year-long data breach. Malware installed on Burgerville's systems scraped and exfiltrated thousands of customers' payment card data. Ninety-three percent of the data compromised at hospitality POS systems involved payment data, Verizon said earlier this year. The FBI linked the Burgerville breach to FIN7, an international cybercrime group based in Eastern Europe that is believed to be behind breaches at Chipotle, Chili's, Arby's and Jason's Deli.
If companies want to keep their names out of the next data breach headline, they should start by assessing what they need to protect and where their risk lies, working across departments to secure every part of the enterprise. Then grant staff and contractors the least access they need to do their jobs.
As you do your risk assessment, ask whether you need to collect and store each of those data elements in the first place.
Since the global rollout of EMV chip cards, fraud has shifted from counterfeit cards toward identity fraud, notes OWI's Clark, with the majority of today's data breaches involving personally identifiable information (PII).
Consumer protection and the access to and transfer of PII are key components of the European Union (EU) General Data Protection Regulation (GDPR), which took effect May 25, 2018. The regulation applies to any organization that processes the personal data of people in the EU, whether or not it is based there. Hospitality companies need to be aware of GDPR, and specifically its PII protections, stresses Clark.
“The spirit of GDPR, of individuals wanting rights over their data, this is something that will spread globally. (Hospitality companies) might as well work with these themes,” advises Clark.
Operators should look at where they store PII, whether they need it, how to secure it better, and how to comply with a customer's request to delete his or her PII.
Step Three: Create A Multi-Layer Defense
Payment service provider Ingenico Group advises clients of all sizes to adopt a multi-layer security strategy. The baseline should include point-to-point encryption (P2PE), so card data is encrypted inside the payment terminal and is never in the clear on the merchant's POS or network.
It is imperative that companies put strong encryption practices in place for all types of sensitive data, including but not limited to payment data, employee information, intellectual property and loyalty data.
Breaches will happen even with firewalls and other best practices. When they do, the question is: Can anything useful be pulled out? “In only 4% of known breaches, data was useless because it was encrypted,” points out Clark.
Breaking encryption is time-consuming and expensive, and with those two strikes most attackers move on. Ingenico's view is that most attackers look for the weakest link to gain access to systems and data.
Sources advise using encryption and tokenization wherever possible to limit what a breach exposes. Tokenization replaces a card number with a token that has no value outside the tokenization system, so a stolen token cannot be used to make a charge. For a small regional chain, the cost of a data breach could put it out of business, not only because of monetary damages but because of the damage to its reputation and its customer relationships.
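To make the tokenization point concrete, here is an added example written for this article (it is not Ingenico's, Trustwave's or any vendor's code). It uses only Python's standard library: the card numbers are the usual test PANs, and the vault is an in-memory dictionary standing in for a separately secured tokenization service. The merchant database ends up holding a random token and the last four digits, so a dump of it contains nothing an attacker can charge against.

```python
"""Card-data tokenization: the merchant table keeps a random token and the
last four digits; the full PAN lives only in a separate vault.

Added example for this article, not code from any vendor named in it.
The PANs are standard test numbers and the vault is an in-memory stand-in
(assumption) for a separately secured tokenization service.
"""
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before anything is stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps opaque tokens to PANs. Only the vault ever sees the full number."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._token_by_pan:       # same card -> same token
            return self._token_by_pan[pan]
        alphabet = string.ascii_uppercase + string.digits
        # 24 characters from a CSPRNG (~124 bits); not derived from the PAN,
        # so the token reveals nothing about the card.
        token = "tok_" + "".join(secrets.choice(alphabet) for _ in range(24))
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path, never the merchant application, calls this."""
        return self._pan_by_token[token]


def store_payment(merchant_db: list, vault: TokenVault,
                  customer: str, pan: str) -> dict:
    """What the merchant application persists: token plus last four, never the PAN."""
    row = {"customer": customer, "token": vault.tokenize(pan), "last4": pan[-4:]}
    merchant_db.append(row)
    return row


def pans_exposed_by_dump(merchant_db: list) -> list:
    """Simulate an attacker dumping the merchant table: return every row that
    holds a value passing a Luhn check, i.e. a usable card number."""
    return [row for row in merchant_db
            for value in row.values() if luhn_valid(str(value))]


if __name__ == "__main__":
    vault, db = TokenVault(), []
    store_payment(db, vault, "alice", "4111111111111111")
    store_payment(db, vault, "bob", "5555555555554444")
    print(db)
    print("usable PANs in dump:", pans_exposed_by_dump(db))
```

Compare the last function's result against an untokenized table that stores the PAN directly: the same dump then yields every card. P2PE closes the other half of the gap, by keeping the PAN encrypted between the terminal and the processor so the merchant application never handles it in the clear at all.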
Step Four: Train Your Staff
Be sure you are spending the time and resources to train staff on best practices, and make sure they are aware of the techniques attackers use.
“Because work and personal lives are so seamless, you have to work on educating and getting your staff to use good practices, not only in the workplace but in their own lives as well,” says Russ Schrader, Executive Director, National Cyber Security Alliance.
Step Five: Be Aware
A good defense starts with awareness: employees who have access to systems should know the range of attack techniques, including in-person and phone-based social engineering by bad actors posing as contractors.
The tried-and-true technique of phishing is prevalent in email. There is also smishing, a form of phishing that uses SMS text. Targeted phishing includes whaling, which goes after top-level management, and spear phishing, which targets a specific individual within an organization; a related technique, the watering hole attack, compromises sites a specific group is known to visit. When there is a breach at a restaurant, most of the time it's malware, says ControlScan: a back door was left open in the network, or someone opened a malicious email.
Bots are used to launch Distributed Denial of Service (DDoS) attacks, which try to make an online service unavailable by hammering it with traffic from many sources, and to automate SQL injection (SQLi), in which SQL is typed into a web form's entry field so that the database executes it, for example to pull personal information for resale on the dark web, says Akamai, a cloud security solutions provider.
Open WiFi is a prime target. Attacks on wireless are becoming more prevalent, says ControlScan, because public WiFi is often not configured properly. Guest WiFi should be segmented from the business network, on a separate VLAN or a physically separate network with firewall rules between the two, so an attacker on the guest network cannot pivot to the payment environment. The same goes for IoT devices.
IoT and bring-your-own-device (BYOD) have similar implications. IoT devices should not be able to reach other parts of the network because they are easily compromised, sources tell HT.
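The SQL injection the Akamai passage describes, shown as an added example for this article (not code from Akamai or any system named here): a loyalty-lookup field concatenated straight into the query beside the parameterized fix. The member and card tables and the attacker payloads are constructed for the demo, and sqlite3 stands in for whatever database a real application uses.

```python
"""A form field concatenated into SQL, and the parameterized fix.

Added example for this article; not code from Akamai or any system it
mentions. The tables and the attacker payloads are constructed, and
sqlite3 (assumption) stands in for the real database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed tables: loyalty members, plus the card data an attacker
    would resell."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, email TEXT, birthday TEXT, last4 TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?, ?)",
        [(1, "ana@example.com", "1980-01-02", "1111"),
         (2, "ben@example.com", "1975-06-30", "4444"),
         (3, "cy@example.com", "1990-11-11", "9999")],
    )
    conn.execute("CREATE TABLE cards (id INTEGER, pan TEXT, expiry TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [(1, "4111111111111111", "12/25"), (2, "5555555555554444", "03/24")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The entry field is pasted straight into the statement, so whatever
    the user types is parsed as SQL."""
    sql = ("SELECT id, email, birthday, last4 FROM members "
           "WHERE email = '" + email + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Same lookup with a bound parameter: the driver sends the value apart
    from the statement, so it can only ever be compared against email."""
    sql = "SELECT id, email, birthday, last4 FROM members WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker inputs, as they might be typed into the web form.
TAUTOLOGY_PAYLOAD = "nobody@example.com' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT id, pan, expiry, '' FROM cards --"


def demo() -> dict:
    """Run both payloads through both versions of the lookup."""
    conn = make_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "fixed_tautology": lookup_parameterized(conn, TAUTOLOGY_PAYLOAD),
        "fixed_union": lookup_parameterized(conn, UNION_PAYLOAD),
        "fixed_legit": lookup_parameterized(conn, "ana@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The tautology payload turns the WHERE clause into a condition that is always true and returns every member; the UNION payload appends the contents of an unrelated table, which is how a single injectable field exposes card data the lookup was never meant to touch. The parameterized version returns nothing for either, because the bound value is compared as a string rather than parsed as SQL.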
Attackers breached the network of an unnamed North American casino through a fish tank whose temperature sensors were connected to a PC, The Washington Post reported. Once in through the sensors, they sent 10 GB of data to a device in Finland.
When it comes to IoT devices, good vendor management is essential. Be sure to look at what vendors are doing to build security into the product and how they plan to secure it on an ongoing basis, advises Trustwave.
“Every new device introduced increases the ability for a hacker to gain access to the store network and cause havoc to systems or data,” says Toby Malbec, principal at TWM Insight LLC.
Even with the risks, IoT devices are becoming essential to running an “orchestrated and integrated enterprise,” Malbec explains. Understand what is on the network and how the IoT devices should behave, “so when they misbehave, you know that there’s something wrong,” he says.
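Malbec's advice, and the casino fish tank above, come down to a baseline: know each IoT device's expected destinations and volume, and alert when a flow breaks the pattern. The following is an added example written for this article (not code from TWM Insight, Darktrace or any vendor named here). The device inventory, the allowed destinations, the payment segment address range and the flow records are all constructed; a real deployment would take flows from the firewall or NetFlow export.

```python
"""Baseline-and-deviation check for IoT devices on a store network.

Added example for this article, not any vendor's code. Inventory,
baseline, network ranges and flow records are constructed (assumption);
production would read flows from the firewall or NetFlow.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: what each IoT device may talk to and how much it
# normally sends per reporting period.
BASELINE = {
    "10.20.0.15": {"name": "fish-tank-sensor", "allowed": ["10.20.0.2"],
                   "max_bytes_out": 5_000_000},
    "10.20.0.21": {"name": "hvac-controller", "allowed": ["10.20.0.2", "10.20.0.3"],
                   "max_bytes_out": 50_000_000},
}
INTERNAL = ip_network("10.0.0.0/8")     # constructed: the store's address space
POS_NET = ip_network("10.30.0.0/24")    # constructed: payment segment; IoT must never reach it


@dataclass
class Flow:
    src: str
    dst: str
    bytes_out: int


# Constructed flow records, one per line: "src dst bytes_out".
# The fourth line mirrors the casino case: 10 GB to an outside host.
SAMPLE_FLOWS = """\
10.20.0.15 10.20.0.2 1200
10.20.0.15 10.20.0.2 900
10.20.0.21 10.20.0.3 40000
10.20.0.15 85.23.11.9 10737418240
10.20.0.21 10.30.0.7 512
"""


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, nbytes = line.split()
        flows.append(Flow(src, dst, int(nbytes)))
    return flows


def check_flows(flows: list, baseline: dict = BASELINE) -> list:
    """Return one (device, reason) alert per deviation: unknown device,
    payment-segment contact, external destination, unexpected internal
    destination, or outbound volume above the device's baseline."""
    alerts = []
    totals: dict = {}
    for f in flows:
        dev = baseline.get(f.src)
        if dev is None:
            alerts.append((f.src, "unknown device on IoT segment"))
            continue
        dst = ip_address(f.dst)
        if dst in POS_NET:
            alerts.append((dev["name"], f"contacted payment segment host {f.dst}"))
        elif dst not in INTERNAL:
            alerts.append((dev["name"], f"sent {f.bytes_out} bytes to external host {f.dst}"))
        elif f.dst not in dev["allowed"]:
            alerts.append((dev["name"], f"unexpected internal destination {f.dst}"))
        totals[f.src] = totals.get(f.src, 0) + f.bytes_out
    for src, total in totals.items():
        dev = baseline[src]
        if total > dev["max_bytes_out"]:
            alerts.append((dev["name"],
                           f"outbound volume {total} exceeds baseline {dev['max_bytes_out']}"))
    return alerts


if __name__ == "__main__":
    for device, reason in check_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {device}: {reason}")
```

On the sample flows this raises three alerts: the fish-tank sensor talking to an external host, the same sensor blowing through its volume baseline, and the HVAC controller touching the payment segment. The first two are detection after the fact; the third is the kind of flow that segmentation between the IoT and payment networks should have blocked outright.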
Step Six: Commit to Continued Improvements
Security is not a one-and-done endeavor. As an organization, you need to commit to ongoing investment, and that includes regular testing and, for the case of a data breach, having a response plan in place before it happens. “You are running against very sophisticated and well-financed organizations that are targeting you,” says Schrader. “They’re working hard to come up with new ways to do it.”