by
Rich Siegel
Oct 13, 2023

How Much Should You Spend on Cybersecurity in 2022?

Reliable intel is valuable in strategic planning because it puts us in a position to set priorities on defense measures. Verizon’s 2023 Data Breach Investigations Report, available at no cost, provides a wealth of information that has been thoroughly analyzed and concisely presented. It includes specific analysis for the accommodation and food services sector and a section devoted to small and medium businesses. This article describes highlights as they relate to hospitality.

How Much Should You Spend on Cybersecurity in 2022?

by
Rich Siegel
Oct 13, 2023
Cybersecurity
Share

Reliable intel is valuable in strategic planning because it puts us in a position to set priorities on defense measures. Verizon’s 2023 Data Breach Investigations Report, available at no cost, provides a wealth of information that has been thoroughly analyzed and concisely presented. It includes specific analysis for the accommodation and food services sector and a section devoted to small and medium businesses. This article describes highlights as they relate to hospitality.

The term “intel” is often used in a military context. It’s relevant to cybersecurity, because we’re defending our information assets from multiple attackers. Knowing everything we can about our adversaries and their battle plans, resources, and methods gives us a strategic advantage. It puts us in a position to set priorities on defenses that are most likely to thwart attackers.

One of the best sources of intel for cybersecurity strategies is the 2023 Verizon Data Breach Investigations Report, available at no cost. This annual report collects data from a wide spectrum of sources, including law enforcement and government agencies, cybersecurity research teams, cybersecurity technology firms, and data breach disclosure reports. It applies to four global regions: Asia Pacific (APAC); Europe, Middle East, and Africa (EMEA); Latin America and the Caribbean (LAC); and North America (NA).

This year’s report contains a thorough analysis of 16,312 incidents (defined as a compromise of data integrity, confidentiality, or availability) and 5,199 confirmed data breaches. I’ll touch on some highlights in this article, but I encourage you to read the entire report.

WHO’S ATTACKING – AND WHY?

The first question most of us ask is who is attacking us? The analysis shows that 93% of the breaches in our sector come from external adversaries, with organized crime at the top of the list. What’s their motivation? Financial reasons are by far the main driver in 94.6% of overall breaches. In our sector, accommodation and food services, they account for 100% of attacks.

Hospitality sector targets include specific data types. Knowing this helps us to prioritize our prevention efforts. The number one target is card data, which accounts for 41% of the attacks. Not far behind are credentials, or login details, at 38%. Personally identifiable information (PII) is also highly desirable and represents 34% of the attacks. This implies that credentials are being targeted as a means of accessing either card data or personal data.

Another useful part of the report relates to the type of attacks. In hospitality, 90% of attacks used one of these primary methods:

System intrusion is dominated by ransomware and malware. These attacks typically pair automation with one of two methods:

  • PHISHING: Attackers send emails that prompt you to click on a link and provide information. Maybe they ask you to update your password or change a vendor’s or employee’s bank account number.
  • PRETEXTING: This involves the use of stolen credentials to gain initial access. Once inside the system, attackers use high level hacking skills to leverage vulnerabilities and move toward the target data. You get a message that appears to be from a company executive, a team member, or perhaps a manager. The attacker attempts to persuade you to take some action, perhaps some routine task, that will make their scheme successful. The median amount stolen from these types of attacks has increased to US $50,000.

Key defenses for system intrusion include:

  • Security awareness training
  • Continuous vulnerability management
  • Malware defenses (such as application control or whitelisting and anti-malware)
  • Data backup recovery processes

Social engineering is running on email in 98% of the cases analyzed, and includes phishing, which accounts for 44% of attacks. and pre-texting, which is now more prevalent than phishing.

Security awareness training is a critical defense to combat social engineering. You should pair it with multi-factor authentication for account access and an account management process that disables dormant accounts and maintains an up-to- date inventory of authorized user and service accounts.

Basic web application attacks exploit coding errors to go straight into a database. In the hospitality sector, cloud services with application coding developed by a small team that isn’t well trained in secure coding are particularly vulnerable. It’s a dismaying reality that many software developers don’t pay attention to secure coding and the same basic attacks have continued for years. No matter how secure your infrastructure and networks are, attackers can easily get to target data through these basic web applications.

HOW TO LOWER YOUR RISK

A good resource for ways to lower these risks is the Open Web Application Security Project (OWASP). The OWASP Foundation tracks and identifies the most common coding errors and publishes a list of Top Ten Web Application Security Risks. See https:// owasp.org. Testing and buttoning down the coding errors on this list provides a huge defensive advantage.

If you look at the broad picture of breaches, 74% include a human element. This is significant in hospitality – our culture of being helpful and courteous works against us when it comes to social engineering.

Each of the three major types of attacks occurring in hospitality can be mitigated with either skills training for web developers or security awareness training for end users. Finance and customer service departments are favorite targets. Specialized awareness training is available for those groups.

SMALLER BUSINESSES HAVE DIFFERENT NEEDS

The report also addresses small and medium size businesses (SMBs). The types of attacks they face are essentially the same as those in the larger hospitality universe: System intrusions, basic web application attacks, and social engineering. The difference is the degree to which a lack of resources hampers their ability to respond.

The Verizon report includes excerpts from the Center for Internet Security (CIS) that provide guidance for small and medium size companies. (See CIS Critical Security Controls at cisecurity. org). This is also a free resource that you can download and use.

CIS recommends that small businesses focus on three top risk controls: security awareness and skills training, data recovery, and access control management. Mid-size companies should address three more controls: incident response management, application software security and penetration testing.

The Verizon report also contains an interesting development related to virtual money. It notes a sharp increase in breaches involving cryptocurrency compared to last year or 2020, when only one or two cases were reported. Although this isn’t a current issue in hospitality, it’s worth noting for future reference.

Other reliable and useful sources of intel for cybersecurity include:

  • SANS NewBites, a free publication delivered twice a week by email. It features an executive summary format with comments by subject matter experts in the SANS -- sysadmin, audit, network, and security -- community.
  • Threat Intelligence | Symantec Enterprise Blogs (security.com). This blog offers more technically oriented information and describes specific activities, but it consistently provides current information.

Social engineering is running on email in 98% of the cases analyzed, and includes phishing, which accounts for 44% of attacks and pre-texting, which is now more prevalent than phishing.

Lynn Goodendorf is a cybersecurity expert whose previous roles include group information security officer with the Mandarin Oriental Hotel Group and corporate risk and chief privacy officer with IHG. She currently serves as vice president of the Information Systems Security Association's (ISSA) Metro Atlanta chapter.

Let's Get Digital

7 Questions to Ask Before You Invest in a Hotel Mobile App

DOWNLOAD

Make a Better PMS Choice!

Not all properties are ready for PMS in the cloud. The good news is, at Agilysys it’s your choice on your timing. State-of-the-art leading PMS in the cloud or on-premise PMS. Either way we say YES.

DOWNLOAD