As seen on Hospitality Technology.
With the average cost of a data breach reaching nearly $3 million in the hospitality sector, industry organizations cannot afford to take a passive approach to defense.
In one cyber-attack, a major U.K.-based international hotel group’s online booking system suffered an outage in September that lasted several days – just a month after the company was targeted in what appeared to be an unrelated ransomware attack.
In another attack, hackers posted online private data related to 1,500 employees and 2,500 guests of an Oregon resort in June – including hotel reservation dates, dates of birth and Social Security numbers.
Because of these and other incidents, more than one-half of hospitality IT leaders cite security as one of their C-suite’s top three business concerns. When asked to list what concerned them the most, they ranked operations downtime #1 (as cited by 56 percent of the sector’s IT leaders), followed by brand reputation damage (50 percent), loss of intellectual property/data (49 percent) and revenue loss (31 percent).
With the average cost of a data breach reaching nearly $3 million in the hospitality sector, industry organizations cannot afford to take a passive approach to defense, i.e., investing in firewalls and additional traditional tools in attempting to “seal the walls” around the perimeter.
For starters, there is no traditional perimeter anymore and this reality especially applies to hospitality: Hotels, restaurants and other industry organizations are spread throughout the globe, with guests, transient workers and contractors routinely gaining access to the network – therefore opening up opportunities for cyber criminals to find an opening for a compromise. (Yes, these criminals will find a way inside your corporate network by cracking into guest network access/activity, and using scanners to find vulnerabilities.)
there is no traditional perimeter, traditional protection no longer suffices. Instead, you need to incorporate what’s called applied threat intelligence into your cybersecurity strategies. Threat intelligence serves as a core component of Zero Trust, which assumes all network traffic is not trusted until you determine that it is via optimal identification, authentication and authorization processes.
This level of defense requires the following threat intelligence-focused capabilities and practices:
Declare “no vacancy” for bad guys. On average, attackers spend 207 days inside of networksbefore security teams identify the breach. That means they get to spend nearly seven months doing whatever they want – moving laterally within to poke around at financial records, proprietary data, customer information, etc. – without anyone even realizing they’re inside. This is entirely too much time for them to “case the place” and hatch schemes to do the most damage possible.
That’s why hospitality organizations must establish the continuous and uncompromising blocking of these criminals. If you consider a breach as a “boom” moment – the bad guys dropped a big bomb on your network/operations/digital assets – then there is a “before boom” and “after boom” part of the timeline. Unfortunately, companies spend far too much time and money on the “after” part (containing the breach and dealing with the costly fallout) and not enough time in the “before” part to keep adversaries out before they can do any harm. So, you have to invest in tools which are proven to identify all known adversaries and block them without fail, no matter how cleverly they disguise themselves.
If they’re already in, then don’t let them out. Even if a threat somehow gets in – perhaps it’s a brand new, “unknown” one, or through a “side door” such as an employee clicking on a malicious link in a convincing email – you should command the capability to detect suspect activity and then stop it from “getting out” to communicate with the threat actors perpetrating the attack. For too long, security teams have allowed attackers to roam as they pleased so they could observe them and attempt to learn something about their intent and modus operandi. But this tactic isn’t working. You need to focus instead on identifying them and then shutting them down before the “boom.”
Gain C-suite and board commitment. Chief information security officers (CISOs) typically shoulder the responsibility of cyber defense. But, among leadership, they can’t go at it alone. Because of the all-encompassing and potentially devastating nature of threats, the C-suite and board of directors must “own” security too, so they acquire the needed knowledge while supporting the vision of their CISOs. (The U.S. Securities and Exchange Commission, in fact, is proposing that companies include their board’s oversight of cyber risk as part of their governance capability disclosure, as well as a sense of management’s role in implementing protection policies, procedures and strategies.)
In concept, applied threat intelligence is not entirely new for the hospitality sector: Hotels, after all, are not required to accommodate people who are known to destroy property and break into the rooms of their fellow guests and rob them.
Similarly, industry organizations do not have to allow criminals to set up residence inside of their cyber environment for literally more than half a year. By committing to zero trust-supporting threat intelligence, CISOs and their teams keep the bad guys out while shutting down those who somehow still get in. And that means adversaries will eventually stop trying and look for another victim’s place to “check in” without a reservation.