In hospitality and gaming, we collect data on our customers to provide the best possible service. The benefits of increased revenue through guest satisfaction and add-on sales are a win-win for both the company and the customer. Collecting and holding customer data represents a clear responsibility of privacy and security we owe to our customers. This is not just a government requirement though that may exist. It is about guest trust and loyalty.
Cybersecurity has become a major issue for IT staffs worldwide. The recent Fortinet cybersecurity 2022 report listed more than 10,000 ransomware variants seen or discovered in just the first six months of 2022. That’s double the previous six months. The August Blackhat conference revealed vulnerabilities in popular software we use on our networks, such as Zoom, in addition to issues with 5G hardware. The set of vulnerable points, or attack surface, increases with every device, software, and user added to your systems. And with an ever-increasing surface, the probability of a cybersecurity event occurring increases.
Hotels, casinos, restaurants, spas, and all the services rely on technology and information that needs to be secured. Each company deals with cybersecurity differently – some with teams of more than 20 cybersecurity professionals and others relying on vendors or a managed service provider (MSP). Cybersecurity is a team effort and the more resources your team has, the better prepared you are to secure and recover from an attack.
CURRENT CYBERSECURITY ENVIRONMENT
Another recent report showed that in most cyber issues, hackers have been in the systems for at least 30 days before they are discovered. Many hackers are in systems for months before launching an attack. Some companies may NEVER realize they were hacked and data exfiltrated from their systems. All this emphasizes the need for constant monitoring and review.
The most probable attacks occur from a lack of cybersecurity hygiene. This includes IT not updating software with known vulnerabilities and users becoming unknowing victims to bad actors. Messages that look legitimate but attempt to trick the user into downloading software or giving up information (phishing). Phishing accounts for at least 50% and as high as 91% of cybersecurity events. And bad actors have gotten much better at deception than those emails with misspelled words from a government official in Africa. They can also come via SMS, Twitter, WhatsApp, and other messaging services.
IT departments are working harder than ever to secure information. Global cybersecurity expenditures in 2022 are estimated to be between $150 and $350 billion, depending on how cybersecurity is defined. This number is about 10 times what it was 10 years ago and 100 times what it was 20 years ago. While these are large numbers, it is a fraction of the cost of lost data, intellectual property, or the cost of recovery. The cost to a brand's public image can be quite large.
As cybersecurity incidents have grown, so have the resources available to secure systems and stay updated. Security frameworks are available to plan and audit your cybersecurity infrastructures. Software for managing corporate PCs and devices has become more economical and easier to deploy. Traffic monitoring is being built into firewalls and routers to detect where outbound data is going. And while more environments are taking advantage of these, some are still not deployed as widely as they should. And, information sharing about best practices and current threats is not as prevalent as it needs to be.
CYBERSECURITY RESOURCES
Numerous resources are available to support IT staff in their cybersecurity endeavors. The Hospitality Upgrade website cybersecurity section will have a collection. There is also an Information Sharing and Analysis Center (ISAC) focused on hospitality and retail that I would recommend to every organization in our industry. The National Institute of Standard and Technology (NIST) cybersecurity site publishes information on cybersecurity including a resource center and security framework. The NIST Cybersecurity Framework is a standard worldwide assisting organizations in evaluating and implementing an overall security plan. Most hoteliers are familiar with PCI as a security framework that focuses only on payment card transactions. SOX and SOC2 are also specific subsets. The NIST framework covers all IT with standards, guidelines, and best practices applicable to every organization. Other general frameworks include ISO 27001 and the SANS CIS controls.
Frameworks are a good source to assess risks. Risk assessment begins with a reference framework to list operational assets, prioritize threats, and review how each critical asset could be affected. Beginning with an inventory provides a reference to prioritize what resources need protection.
Staying current on vulnerabilities, especially zero-day ones, requires vigilance from both the infrastructure and IT staff. There are many email lists, Twitter handles, and slack channels to follow to get up-to-date information about vulnerabilities. Check the HU website for updates, suggestions, and links.
The Cybersecurity & Infrastructure Agency (CISA) is a good general source for information with alert notifications. Fireeye is another trusted resource. Both are free.
Visit sites such as Digital Attack Map, Fireeye Threat Map, and Talos Threat Map for current activity and the level of threat and vulnerabilities faced by organizations every day.
RH-ISAC
Threat Intelligence is the knowledge and experience gathered about past, current and future cybersecurity threats, and bad actors. The industry has grown to accept that sharing threat information goes beyond proprietary and confidential information resulting in multiple Information Sharing and Analysis Center (ISAC) organizations worldwide. The Retail and Hospitality ISAC is a membership group with roots in HTNG. Several hoteliers started sharing security information and best practices which grew and were merged into the retail ISAC to expand its abilities and reach. With industry-specific systems such as property and casino management systems, sharing information with peers is an efficient use of time.
MANAGED SERVICES
A 24/7 Security Operations Center (SOC) is valuable given the nature of 24/7 hospitality. Most organizations rely on their onsite equipment exchanging data with a vendor subscription for alerts. Others outsource to a managed services provider as a trusted focused partner to manage security. The practice of a virtual chief information security officer (vCISO) is becoming more common. This allows access to a seasoned professional and team that would be cost-prohibitive for small organizations.
Some software and hardware vendors are providing cybersecurity services for their specific products. Both cloud and onsite versions of several popular industry products have alerts either baked in or as an added service from the vendor's security team.
INCIDENCE RESPONSE AND RECOVERY
While every organization works to have no incidences, the odds are against it. In this connected world, the risk of some type of cyber incidence is high, especially in our customer-focused industries. From personal experience, it is important to document the incident, the systems affected, and the time and resources it took to recover. In addition to being a learning tool, this helps should you have cyber insurance to assist in the cost of recovery. Cyber insurance has become a necessity with other insurance the company carries. Having a security framework and documentation can reduce your cost of cyber insurance.
Cybersecurity is an operational expense that is required for safe operations but adds little value directly to customers. Determining the best balance of risk vs expense has become a constant battle. As monitoring and defensive technology improve with more resources available, it is important to stay current in both technology and events happening in the industry. There are a wide variety of resources available, and it is the responsibility of every IT department to stay vigilant. We owe that to our customers.
