Security breaches have become a regular occurrence, and they are not only happening to big retailers: the hotel industry is a prime target for cyber criminals. Why? The volume of customer information hotels capture every day. A hotel can hold a wide range of information on an individual, from credit and debit card numbers to home and email addresses, driver's license numbers and, in some cases, medical history.
According to Verizon’s 2014 Data Breach Investigations Report, there were 212 security incidents in the accommodations sector in 2013, with confirmed data losses in 137 of those incidents. Seventy-five percent of incidents in this sector were classified as point-of-sale (POS) intrusions.
The Wyndham incident showed firsthand that the financial consequences of a data breach can be significant and, often, catastrophic. So what can you do to keep this from happening to your business? Consider these five tips as a starting point for protecting your networks and customer data.
1. Know your assets. To protect assets, you must first understand what information hackers are after, why they want it and through which avenues they could gain access. This goes beyond credit card numbers and includes the personal information you have collected, such as driver's license numbers and home addresses.
2. Put security first. Focus on security first, not on regulatory compliance. This may seem counterintuitive, but compliance mandates such as PCI DSS are essentially a way of testing a company's security posture, not the goal itself. Businesses should take a top-down approach: secure customer information first, and the remaining items needed to meet compliance standards shrink accordingly. These standards are based on security best practices, so by implementing those practices you address most compliance requirements by default. There will still be areas to cover, such as physical security of assets and employee issues, but the network will be largely secured, leaving more time and resources for the remaining aspects of the security program.
3. Leverage available tools. Businesses often underutilize third-party vendors and online resources. A good and largely overlooked example is the security policy builder offered by most merchant services providers. If you accept credit cards, you are required to submit a yearly self-assessment questionnaire (SAQ) through your service provider. In most cases, tools such as policy builders and employee awareness training are offered as part of the PCI SAQ package. Too often, businesses rush through the questionnaire to get a certificate of compliance. That is not security, and hackers could not care less about it. Instead, look around your provider's website and take advantage of the tools on offer. They were developed around strong security measures and practices, and will raise the security posture of any business regardless of size.
4. Understand the technical proficiency of your IT and/or security staff. This can be a sore subject, but the reality is that not all IT personnel are good at security. The same applies to some certified security personnel: often they do not practice security on a daily basis because they double as the IT person and are busy keeping desktops, printers and wireless devices operational. Hackers, on the other hand, practice their craft every day, and they see a weak security posture as a challenge to be conquered.
Every company is limited by its resources, and IT/security is no exception. Make a plan to discuss security with your staff. It is rare to find technical personnel willing to openly state that they need help in their own area of expertise.
5. Consider managed security services. Look at outsourcing critical security functions to managed security services providers (MSSPs). MSSPs are a way to extend security resources without the capital outlay of a do-it-yourself approach. Consider this: beyond the investment in hardware and software, it is going to cost roughly $500K per year just to staff a security team, because vigilance must be around the clock, every day of the year, and that assumes qualified security staff willing to work at that rate can be found. By focusing on the steps above and establishing which cyber assets need protecting, which compliance mandates apply and where existing IT/security limitations lie, it is straightforward to build a list of "must haves" when evaluating a provider.
About the Author
Gregory Grant is the senior director of sales and business development at Phoenix Managed Networks, the provider of PhoeniXSentry, a cloud-based network security service; www.phoenixmanagednetworks.com.