Cybersecurity Priorities for 2023 by Lynn Goodendorf-Spring 2023

by Lynn Goodendorf
Mar 5, 2023

There are many predictions and forecasts regarding the ongoing escalation of cybersecurity threats in 2023 on a global scale. Serious data breaches at large, reputable companies are being reported daily. An example related to hospitality was the Door Dash breach of personal data reported in August 2022, which impacted 4.9 million customers, workers and merchants. This breach resulted from a targeted phishing attack on a third party of Door Dash. In view of this ongoing trend of attacks, what initiatives should hospitality companies take? Here are three recommendations for 2023 priorities.


1. Start work now on compliance with the new PCI DSS version 4.0.

There are over 50 new requirements in the latest version of the Payment Card Industry Data Security Standard (PCI DSS) version 4.0, which takes effect April 1, 2024. The deadline for most changes is March 31, 2025. This signals a clear acknowledgment that the new requirements will require time to plan and implement. A few examples include:

  • Expanded multi-factor authentication requirements.
  • Increased password length.
  • New e-commerce and phishing requirements.

Although the PCI DSS is a set of standards that ensures contractual compliance with credit card issuers rather than governmental regulatory compliance, it is a globally recognized standard. Not meeting and maintaining it carries financial liability. In addition, card data is highly targeted by organized crime using multiple and varied attack methods, making this a high risk for everyone in the hospitality business.

One positive note about the new version: In Section 13 of PCI DSS v.4.0, “Additional References,” you’ll find a table of external organizations referenced in the new requirements. This integration of other standards boosts the PCI Security Standard’s value and significance because it incorporates and acknowledges relevant elements from other recognized standards such as the Cloud Security Alliance, Center for Internet Security, and the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST). This demonstrates the PCI Security Council’s commitment to best practices rather than some extreme or unique set of requirements applicable only to card data.

2. Focus on Cloud Security

In the hospitality industry, the rate of cloud migration has continued with the use of both public and private clouds. Multicloud strategies are the norm. This increased dependence on cloud systems and services translates into more security vulnerabilities, often not adequately considered during rapid implementation.

Along with that, the transition to cloud systems initiates changes to past operational processes and resources designed for on-premise environments. This, in turn, requires new skills, tools and changes in procedures. These steps can improve protection of data stored and transmitted via cloud services:

Conduct a cloud security gap assessment: Developing a baseline assessment of your current state is always a practical and valuable place to start. Cloud security standards you can use to conduct an assessment include:

  • NIST publication: SP800-210, which can be used to identify challenges in Software as a Service (SaaS), Platform as a Service (PaaS) and Logging as a Service (LaaS). This standard is also a resource for formulating strategies and access control designs.
  • International Standards Organization (ISO) 27017 applies to cloud service providers, including any cloud systems provided by franchisors to franchisees. Adherence to this standard is a respected way to lower risks in a cloud environment. If your company is a customer of a cloud service provider, you’ll want to make sure you meet this standard as part of your third party risk management.
  • Cloud Architecture Frameworks published by AWS, Azure and Google can help you analyze and review cloud platform security, in addition to considering performance, cost efficiency and compliance.

A final note on cloud security: As you plan this type of assessment, be sure you have well qualified people in cloud security, whether you use internal or external resources.

Provide formal cloud security training for internal staff: One of the best investments in your overall cybersecurity program is to provide ongoing training to your internal staff. These are the people with day to day visibility into and knowledge of your business activities, as well as the technology supporting them. Equip them well with solid ongoing training. There are four recognized leaders offering cloud security training and certifications:

  • Cloud Security Alliance (cloudsecurityalliance.org), which offers a Certification of Cloud Security Knowledge (CCSK), as well as free research papers, user forums, etc. This is an excellent resource overall to help you stay informed.
  • CompTIA (https://www.comptia.org) offers a CompTIA Cloud+ course and certification. This is a more basic level of training and is appropriate as a first level of cloud security knowledge.
  • SANS Institute (https://www.giac.org/focus-areas/cloud-security/) offers certification in five specialized and advanced cloud security courses: Cloud Security Essentials, Cloud Security Automation, Cloud Threat Detection, Web Application Defender and Public Cloud Security.
  • ISC2’s Certified Cloud Security Professional (CCSP) certification requires:
    * at least five years of paid work experience in IT
    * at least three years of which must be in information security
    * at least one year in one of the ISC2 cloud knowledge domains

The certification is vendor agnostic and has a high level of credibility for application to real world situations. This is a preferred certification for someone with management responsibility for cloud security.

Investigate new security tools and techniques to manage multicloud environments: As mentioned earlier, the migration to cloud systems presents the need for new skills, tools and changes in procedures. Key areas to evaluate include: governance, provisioning and access controls and cloud management tools. You should also review disaster recovery plans for a major outage or failure in a cloud service.

The marketplace encompasses a broad spectrum of new technologies and tools. We can expect these to evolve and change. With this in mind, conduct a thorough evaluation and testing before you buy new products and avoid long term contracts. But don’t let this hinder you from stepping out to obtain tools and techniques that will reduce risks.

3. Measure & Report Security Processes for IT Operations

One of the most effective ways to make sure you’re carrying out critical and fundamental security processes is to set up metrics that get reported to C-level executives on a monthly basis. An added bonus: You can use the reports to support audits and demonstrate proper governance. Examples of essential security procedures that IT normally manages include:

  • Vulnerability scanning and patching
  • Provisioning and decommissioning of computing devices such as laptops, tablets, mobile phones, etc.
  • Configuration management for servers, firewalls, etc.
  • Executing backups and periodic testing of the restore procedure
  • Monitoring application whitelisting and anti-virus, e.g. counts of blocked malware, removal of malware, etc.
  • Implementing changes to privileged access. Maintain a list of all persons with privileged access including name, job title and location.
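As an added illustration (not code from the article or its author), the following Python sketch computes two of the monthly metrics listed above, vulnerability patching and the privileged-access register, from constructed sample records; the hostnames, names, and the per-severity remediation SLA thresholds are assumptions, not values from PCI DSS or the article.

```python
"""Monthly security-process metrics for a C-level report (added example)."""
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample scanner/patch export: one row per finding; patched=None means still open.
FINDINGS = [
    {"host": "pms-app-01", "severity": "critical", "found": date(2023, 2, 3), "patched": date(2023, 2, 9)},
    {"host": "pms-db-01", "severity": "critical", "found": date(2023, 2, 10), "patched": None},
    {"host": "pos-term-07", "severity": "high", "found": date(2023, 2, 1), "patched": date(2023, 2, 20)},
    {"host": "wifi-ctl-02", "severity": "high", "found": date(2023, 2, 14), "patched": date(2023, 2, 16)},
    {"host": "hr-file-01", "severity": "medium", "found": date(2023, 1, 25), "patched": None},
]
# Constructed sample privileged-access register: name, job title, location per the article's list.
PRIVILEGED = [
    {"name": "A. Example", "title": "Systems Administrator", "location": "Atlanta", "active": True},
    {"name": "B. Example", "title": "Network Engineer", "location": "London", "active": True},
    {"name": "C. Example", "title": "Contractor (departed)", "location": "Remote", "active": False},
]
# Assumed remediation SLA in days per severity (an assumption for this example, not a PCI DSS figure).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def patch_metrics(findings, report_end):
    """Per severity: open findings, overdue hosts, closures within SLA and median days to patch."""
    out = {}
    for sev, sla in SLA_DAYS.items():
        rows = [f for f in findings if f["severity"] == sev]
        open_rows = [f for f in rows if f["patched"] is None]
        closed_days = [(f["patched"] - f["found"]).days for f in rows if f["patched"]]
        # An open finding older than its SLA is the item the monthly report must call out.
        overdue = [f["host"] for f in open_rows if (report_end - f["found"]).days > sla]
        out[sev] = {
            "open": len(open_rows),
            "overdue": overdue,
            "closed": len(closed_days),
            "within_sla": sum(1 for d in closed_days if d <= sla),
            "median_days": median(closed_days) if closed_days else None,
        }
    return out


def privileged_inventory(register):
    """Current privileged-access list, a per-location count, and entries that should be removed."""
    active = [r for r in register if r["active"]]
    return {
        "count": len(active),
        "people": [(r["name"], r["title"], r["location"]) for r in active],
        "by_location": dict(Counter(r["location"] for r in active)),
        "to_remove": [r["name"] for r in register if not r["active"]],
    }
```

Run with `patch_metrics(FINDINGS, date(2023, 2, 28))` and `privileged_inventory(PRIVILEGED)` to produce the February figures; real deployments would read the same fields from scanner and identity exports.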

Lynn Goodendorf is a cybersecurity expert whose previous roles include group information security officer with the Mandarin Oriental Hotel Group and corporate risk and chief privacy officer with IHG. She currently serves as vice president of the Information Systems Security Association's (ISSA) Metro Atlanta chapter.

