• Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Posts Tagged :

Netwrix

Guest Blog – Dr. Alex Vovk, Ph.D: 3 ways to improve hospitality data security…

800 450 Jack Wynn

The hospitality industry is a magnet for cyber criminals. Hotel chains have global networks, large workforces, as well as complex and often decentralised IT infrastructures. On top of all this, they regularly store and process high volumes of personal and financial data. This data can include customer credit card details, names, driving license numbers, addresses, passport numbers, phone numbers and other personally identifiable information (PII).

When these documents end up in the wrong hands, the regulatory, financial and legal consequences can be crippling; not to mention the reputational damage that you simply cannot afford in such a competitive industry.

This is why securing the integrity of customer and other business-critical data is a top priority in the hospitality trade.

Although the hospitality industry is similar to retail in many ways, it has been slower to adopt advanced security solutions.

Many large hotel chains — Trump, Hilton, Hyatt, Starwood, Mandarin Oriental and others — have recently disclosed problems with cyber-attacks. In many cases, the exact number of records breached has not been made public, nevertheless the overall impact has to be significant.

Despite the breaches, many hospitality businesses keep making the same basic security mistakes. Here are the main steps they can take to reduce the risk:

1: Data security applies across the board

Many smaller hotels operate as franchises or small independent businesses. Often data security is not as high on the agenda as it should be. In some cases, they do not comply with recommended industry security standards, or have IT security teams or even use basic data protection tools.

Actions

  • The reputation of the hospitality trade can only be improved if establishments take responsibility to protect customer PII seriously right across the board. This includes educating employees and adopting the right technology.
  • Compliance with the PCI DSS standard is the bare minimum required. Other essentials are a firewall, regular system updates and patches, encryption, a strong password policy, PCI-compliant applications and POS systems, restricted access to POS computers, and anti-virus, anti-spyware and anti-malware software.
  • IT systems also need to be regularly tested and assessed for vulnerabilities. When vulnerabilities are discovered, they need to be fixed immediately.

2: Insiders can be the biggest cyber security risk

Insider misuse is all too common in the hospitality sector. Contributing factors include high staff turnover rates, lack of appropriate security training, easy access to customer payment data, and lack of adequate controls and user behaviour monitoring.

According to Netwrix’s own 2016 Visibility Report, 65 per cent of organisations across various industries lack visibility into user activities in their corporate networks.

Insider wrongdoing does not always result in a massive data breach. It can take the form of a few individual thefts or many small thefts over long periods of time.

The overall outcome is the same as for external attacks: lasting damage to customer perception and lost trade.
Actions:

  • No matter how much you trust your workforce, make sure access to sensitive data is restricted to individuals who need it to perform their daily duties.
  • Monitor user activity — including privileged users – to see if they have tried to access critical files.
  • Follow up any suspicious activity, such as multiple failed access attempts, because they could be a sign of insider misuse or hacking of user accounts by attackers.
  • Implement a strong password policy.

3: Do not outsource everything

The hospitality industry is a highly competitive one that is always on the lookout for ways to cut costs.

It is hugely tempting to outsource parts of IT to external cloud services, and benefit from reduced hardware/software development costs and eliminating the need to retain a 24/7 in-house IT department.

But organisations who transition their business-critical data to a third party often forget to put strong security controls in place. For example, the 2016 Visibility Report found that as many as 75 per cent of organisations from various industries have no visibility into what is happening to their data in the cloud.

Actions

  • Before outsourcing any sensitive data to the cloud make sure that data will be remain secure in its new environment.
  • Carefully vet the cloud provider, holding them to the same standard as your internal security policies.
  • Also implement user behaviour monitoring, strong multi-factor authentication, remote session monitoring and advanced encryption.
  • Unless you have these security measures, you are not ready to move your critical data to the cloud.

In summary, hospitality businesses are responsible for all of the customer data they collect. Inevitably, this is a challenge, but there is no need to reinvent the wheel; numerous standards, solutions and best practices are available to help.

A lot of security mistakes happen because changes and anomalies in the network have gone unnoticed.

Use tools that help you stay aware of any abnormal or malicious activity in your IT network and in the cloud. Only by having clear insight into what is happening can you detect threats, minimise the risk of data exfiltration and secure your most valuable assets.

 

Dr. Alex Vovk, Ph.D has gained an impressive 15-years’ experience in software expertise, leadership and operational management. Prior to Netwrix, he worked at Aelita Software, where he served as the architect for the company’s key technologies. Dr. Vovk holds a master’s degree and a Ph.D in information security.

Guest Blog, Dr. Alex Vovk: Facing up to the threat insiders pose to organisations…

800 450 Jack Wynn

Building a robust and effective information security system is a never-ending process. One area that needs further promotion by security professionals is that not all enemies come from outside; rather, an attack may just as easily come from one of your most trusted users inside the company.

Too many companies focus on trying to build a bullet-proof wall to protect their most critical assets from external attack, but fail to adequately control what’s going on inside the corporate network. Such a one-sided approach is asking for trouble; everyone knows how much damage an insider threat can cause. The Mossack Fonseca breach is perhaps the most notable recent example.

Many insider security incidents go unnoticed due to lack of monitoring and detection tools. According to Verizon’s 2016 Data Breach Investigation Report (DBIR), about 66 per cent of insider misuse cases involve privilege abuse, and most of them can be attributed to the human factor. This indicates that the most vulnerable part of any security strategy is not hardware or software, but people. Intentionally or unintentionally, employees use sensitive data in inappropriate ways.

Too many employees think nothing of sending corporate information to personal email accounts, uploading corporate data to personal devices, sharing passwords and so on. One careless mouse click can derail even the best security efforts. For example, in October, 2015, it was reported that Vacaville Housing Authority admitted one of its employees had accidentally sent an email containing private client data to an unauthorised person. The incident was successfully resolved, but it took the organisation a long time to win back customers’ trust.

The main reason insiders are so dangerous is that they don’t need to hack the system or hijack credentials; they already have access to sensitive data as part of their day-to-day work. Just one user with access rights and malicious intentions can be more harmful for businesses than any attack from the outside. According to the Netwrix 2016 IT Risks Report the human factor is the most common cause of increased security risks, either from accidents (47 per cent) or from deliberate abuse of privileges (13 per cent). This makes the detection of human errors and insider misuse a pressing task for the majority of respondents.

Blind trust, even in employees with a long and loyal service record, can come at a high price for the business. For example, a CVS pharmacy employee who had been employed for seven years recently stole patient data and passed it to a property manager, who then used it to obtain credit and credit cards.

Of course, even the very best security practices cannot guarantee complete protection against insider threats. Nevertheless, there are steps organisations can take to protect sensitive information from insider activities:

  • Use a data-centric approach: When it comes to data protection, there is no such thing as too much security. However, rather than trying to protect absolutely everything, determine which assets are the most important and concentrate your efforts on them.
  • Ensure visibility into user behaviour: Staying aware about what is changing in your IT infrastructure will help you spot suspicious activity in a timely fashion so you can take appropriate counter-measures. Continuous monitoring will also help you prove to compliance auditors that all changes to system configuration and access to sensitive data are easily traceable.
  • Keep your history: Retain your audit trails for a long period of time and make sure they are easily accessible. Being able to review exactly what happened and drill for more details will help you investigate incidents.
  • Limit access: Grant users only the access necessary to perform their daily duties. Regularly review access permissions and remove permissions that are unused or inappropriate.
  • Monitor attempts to access critical data: Track attempts to access critical files and folders, both successful and failed, to spot malicious activity.
  • Promote cyber security by making it everybody’s business: Incorporate security policies into your employee handbook and make sure everybody in your company is aware of them. Conduct regular meetings about cyber security. Warn employees that violating security policies will result in a written warning, bonus loss, or termination of employment.

Insider threat is one of the top five data breach threats in Experian’s 2016 Third Annual Data Breach Industry Forecast, and it almost certainly will stay on that list. As you build your cyber security strategy, make protection against insider attacks one of your top priorities. While there is no way to make your organisation immune to insider threats, implementing the best practices outlined here will minimise the risk of data breaches.

 

About Netwrix

Netwrix Corporation provides IT auditing software that delivers complete visibility into IT infrastructure changes and data access, including who changed what, when and where each change was made and who has access to what. Netwrix is the first company to introduce a visibility and governance platform that supports both on-premises and hybrid cloud IT environments. Over 150,000 IT departments worldwide rely on Netwrix to audit IT infrastructure changes and data access, prepare reports required for passing compliance audits, and increase the efficiency of IT operations.

 

Dr. Alex Vovk has gained an impressive 15-years’ experience in software expertise, leadership and operational management. Prior to Netwrix, he worked at Aelita Software, where he served as the architect for the company’s key technologies. Dr. Vovk holds a master’s degree and a PhD in information security.