Cybersecurity Tips for the Hospitality Industry
The hospitality industry has been ripe for cyber-attacks and has experienced many notable breaches in the last few years. The months of the pandemic have amplified cybersecurity issues, and businesses have been more motivated to engage cybersecurity consulting services to evaluate the safety of their online data and assets. There has been a large increase in cyberattacks, including the targeting of private industry networks through various means. Cybercriminals and nation-state actors are using the pandemic as an opportunity to orchestrate attacks by a variety of routes, e.g., targeting networks, devices, and staff as a means to gain entry into networks. These cybercriminals have been known to bring down companies for extended periods.
As a result, it’s important to take a fresh look at cybersecurity to evaluate the safety of the network, systems, and data. Here are some items that can be integrated into a company’s IT policies to increase cyber security:
Implement multi-factor authentication. This is an authentication method that requires users to provide more than one piece of evidence to log in to a system, program, or website. A common way to implement multi-factor authentication is an application that sends an alert to the user's mobile phone and requires an action (acceptance) before the login completes.
Adopt a passphrase policy rather than a password policy. It is more important to adopt a passphrase consisting of 16 characters or more than to insist on a short, complex password. A passphrase does not have to be overly complex, but it should consist of letters (upper and lower case), numbers, and some symbols. User passphrases should be unique to the workplace and not reused for personal accounts, e.g. personal email accounts, social media, shopping, etc.
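The composition rules above can be expressed as a check that an onboarding script or helpdesk tool runs before a passphrase is accepted. The following PowerShell function is an added example, not code from the article or from Withum; the function name, the default minimum length and the two sample passphrases are constructed for illustration.

```powershell
# Added example (not from the article): checks a candidate passphrase against the
# policy stated above: 16+ characters, upper- and lower-case letters, a digit and a symbol.
# The function name and the sample passphrases below are assumptions for illustration only.
function Test-PassphrasePolicy {
    param(
        [Parameter(Mandatory = $true)][string]$Passphrase,
        [int]$MinimumLength = 16
    )
    $problems = @()
    if ($Passphrase.Length -lt $MinimumLength) {
        $problems += "shorter than $MinimumLength characters"
    }
    # -cnotmatch is case-sensitive; the default -match/-notmatch is not.
    if ($Passphrase -cnotmatch '[A-Z]')        { $problems += "no upper-case letter" }
    if ($Passphrase -cnotmatch '[a-z]')        { $problems += "no lower-case letter" }
    if ($Passphrase -notmatch '\d')            { $problems += "no digit" }
    if ($Passphrase -notmatch '[^A-Za-z0-9]')  { $problems += "no symbol" }

    [pscustomobject]@{
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed sample inputs (not real credentials): the first is a typical short
# password that fails the length rule, the second is a compliant passphrase.
'Summer2020!', 'Correct horse battery staple 42!' | ForEach-Object {
    $result = Test-PassphrasePolicy -Passphrase $_
    "{0,-35} compliant={1} {2}" -f $_, $result.Compliant, ($result.Problems -join '; ')
}
```

The function enforces only the composition rules the article states. Reuse of a personal-account passphrase cannot be detected by a check like this; that part of the policy depends on training and, where available, on checking new passphrases against known-breached lists.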
Require employees to lock their computers when not in use. Administrator settings can be configured so that computers lock automatically after a short screen-saver time-out, which backs up users who forget to lock their computers.
Do not allow USB devices to be inserted into company computers. USB flash drives are a common tactic used by cybercriminals to gain access to systems and networks. Use of these devices creates a significant risk of introducing malicious programs and giving outsiders access to a company’s systems. For example, hackers visit office locations and even residential neighbourhoods and intentionally drop USB flash drives in parking lots, walkways, etc. where they will be noticed and picked up. Inquisitive people insert these devices into their computers, which is enough for customized malware to execute and create backdoors in computer systems and networks. Custom malware written by a competent attacker is often not detected by traditional anti-virus software. This can cause debilitating damage, loss of confidential data, and privacy intrusions, including activation of web cameras and microphones. Material obtained through methods such as these has been used for extortion. Executives and staff at every level are vulnerable to these methods.
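The two preceding items (automatic screen lock, and blocking USB storage devices) are both settings an administrator can enforce on a Windows machine. The PowerShell below is an added example, not code from the article or from Withum: it applies both settings on the local machine and then audits them. The registry locations are the standard Windows ones for the screen-saver policy and the USB mass-storage driver; the 600-second timeout and the function names are assumptions chosen for illustration. It must be run in an elevated session, and in a domain the same values would normally be pushed by Group Policy rather than by a script.

```powershell
# Added example (not from the article): enforces a password-protected screen lock and
# disables USB mass storage on this machine, then reports the resulting state.
# Run elevated. The timeout value and function names are assumptions for illustration.

function Set-ScreenLockPolicy {
    param([int]$TimeoutSeconds = 600)   # assumed value; the article gives no number
    # Per-user policy values honoured by the Windows screen saver
    # (the same values the Personalization Group Policy settings write).
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $key -Name 'ScreenSaverIsSecure' -Value '1'   # require password on resume
    Set-ItemProperty -Path $key -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds"
    Set-ItemProperty -Path $key -Name 'SCRNSAVE.EXE'        -Value "$env:SystemRoot\System32\scrnsave.scr"
    Get-ItemProperty -Path $key
}

function Disable-UsbMassStorage {
    # Start = 4 stops the USBSTOR driver from loading, so flash drives and external
    # disks are not mounted. It does not block other USB device classes (keyboards,
    # network adapters), so it is one layer, not a complete answer to hostile USB devices.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    Set-ItemProperty -Path $key -Name 'Start' -Value 4 -Type DWord
    (Get-ItemProperty -Path $key -Name 'Start').Start
}

function Get-EndpointHardeningStatus {
    # Quick audit: reports whether both settings are in place on this machine.
    $lock = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $usb  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenLockEnforced = ($lock.ScreenSaverIsSecure -eq '1' -and $lock.ScreenSaveActive -eq '1')
        LockTimeoutSeconds = $lock.ScreenSaveTimeOut
        UsbStorageDisabled = ($usb.Start -eq 4)
    }
}

Set-ScreenLockPolicy -TimeoutSeconds 600 | Out-Null
Disable-UsbMassStorage | Out-Null
Get-EndpointHardeningStatus
```

The audit function is the part worth keeping in a regular compliance check: running it across a fleet (or reading the same values with an endpoint-management tool) shows which machines have drifted from the policy. Note that disabling USBSTOR does not cover USB devices that present themselves as keyboards, which is why the article's rule is framed as a policy about all USB devices rather than only storage.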
Require employees to forward suspect e-mails to your IT Department. Phishing e-mail scams are occurring in abundance. The sooner the IT Department is aware of an issue, the sooner it can investigate and hopefully prevent someone else from falling for the scam. Another layer of protection is to not download images in HTML e-mail messages, and to configure systems so that they do not download such pictures automatically.
Update your Windows operating system. As of the beginning of 2020, the Windows 7 operating system is no longer supported by Microsoft. If Windows 7 is still in use, those computers are no longer receiving security patches and, as a result, are very vulnerable to cyber-attacks.
Review and update firewall configurations. There may be security holes in the firewall if its configuration has not been reviewed recently. Firewalls are predominantly the first line of defense keeping networks and devices safe, but the configuration should be reviewed regularly for any issues. A firewall is only as good as its configuration, rulesets, and maintenance.
Conduct a business continuity assessment and cybersecurity assessment. A backup failure in the event of a cyberattack could be catastrophic to a company’s ability to continue or resume operations. Performing a business continuity assessment can identify potential problem areas in the event of a security breach or other event. A cybersecurity assessment can identify security risks within a company’s systems to help defend against a potential attack.
Conduct incident response exercises. Run them through a third-party assessor that reports to the legal department and/or the CEO, so that the results are unbiased.
Protect customer data from credit card fraud and prevent theft of personally identifiable information (PII). PII is the ‘new credit card data’. Consider protecting PII with the same or similar security controls as would be used for payment card industry (PCI) data. To help keep customer data safe even where criminals manage to compromise systems, hospitality operators should keep PII, financial data, and POS information separate from all other data stored internally. Choosing a reliable payment processing partner with leading-edge technology may help mitigate the threat to credit card issuers and cardmembers. Finally, as a precaution, businesses that use credit card point-of-sale (POS) machines to process data should frequently inspect POS terminals and swiping equipment for malicious devices.
Ultimately, to better protect a business and comply with recent regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), etc., organizations should collect the least possible amount of PII on customers, have a clear purpose for each data element, and always keep data encrypted and safeguarded, both in transit and at rest. The following are some safeguards to protect the data and the company:
- Ensure firewalls are secure
- Store data in secure locations on servers
- Make sure only the minimum data needed to market to your customers is taken and keep the data encrypted
- Talk to tax and legal advisors about how to reduce your risk in these areas
There are many ways to increase cybersecurity for hospitality companies. The ideas above are a few ways to get started. The human firewall, however, is one of the most important aspects of a good cybersecurity policy and can be implemented immediately and at little cost. The human firewall is the body of well-trained employees who help secure the network and protect the business; it is the first line of defense against cyber criminals.
The external perimeter of the business environment has changed significantly due to COVID-19, cloud architectures, edge computing, and a highly distributed workforce. Some things never change, however: the ‘internal’ environment must have equal, if not greater, security than the external environment. Damage originating inside the perimeter has been among the costliest for organizations. Appropriate oversight of the inner perimeter is critical, since it is employees who handle confidential data and systems day to day.
ABOUT WITHUM
Withum is a forward-thinking, technology-driven advisory and accounting firm, committed to helping clients in the hospitality industry be more profitable, efficient and productive in the modern business landscape. For further information about Withum and their cybersecurity, digital advisory and hospitality services teams, contact Lena Combs (LCombs@Withum.com) at (407) 849-1569, or visit www.withum.com.