Cybercrime and breaches are constantly evolving and are steadily on the rise. Recently, Eva Novick from Foster Garvey and Lynsee Wiegand from Parker, Smith & Feek discussed tools to protect and prepare your hospitality business from cyber incidents. The two covered the most common cyberattacks the hospitality industry faces and how to respond to an incident.
You can find this recording on our YouTube channel and wherever you get your podcasts. The slideshow is included. Our Cybersecurity Toolkit will also be available soon on our members-only site.
Wiegand is an insurance broker who partners with the hospitality association and Novick is a cybersecurity specialist and attorney at Foster Garvey.
If you had asked Wiegand a few years ago how many cyber liability claims her firm had, she probably would have said anywhere from nine to 15. Since then, that number has grown drastically.
In fact, a CFO that she works with received a text message that looked like it had come from his bank. He clicked on the link and answered a few personal questions and within 24 hours about $1.4 million from his company was stolen.
“This, I think, is a great example of how cyber claims and incidents are evolving,” Wiegand said. “They are really agnostic to any industry and why we really need to focus on the hospitality industry because they are becoming a larger target.”
Security incidents vs. data breaches
“A security incident is any compromise to the confidentiality, integrity or availability of information technology asset systems or data,” Novick said. “A data breach is a subset of security incidents. A breach is a security incident that involves unauthorized access to personally identifiable information.”
An example of a security incident would be an employee receiving a phishing email and opening a file that contains malware. Other examples could be if a laptop is stolen from an employee’s car or a ransomware attack.
A business’s incident response plan should determine if an incident is a breach. All 50 states have data breach notification laws that define what is a breach. They also define when and how consumers need to receive notice of a breach.
In Washington state, personal information includes:
- social security numbers
- driver’s license and passport numbers
- financial account numbers
- debit and credit card numbers
- date of birth
- health insurance information
- medical information
- biometric data
- username and passwords for online accounts
Businesses that have experienced a breach must notify consumers no later than 30 days after the discovery of the breach under Washington state law. Consumers can receive notice by mail, email or substitute notice such as an announcement on a company website or a story in the media.
Wiegand said the question she receives most frequently is “Who is at fault?” Is it the business or is it the point-of-sale vendor?
“Some recent data shows that the average cost for a hospitality point-of-sale breach is $1.7 million,” Wiegand said. “This is the second most common type of breach after ransomware.”
Novick said there are really two ways that a point-of-sale breach can happen. The first is a physical breach of a payment card reader like with a card skimmer. But this isn’t as common now that chip-card readers are required.
“The other way is that a lot of times smaller businesses will use their point-of-sale system for more than just the collection of payment card information,” Novick said. If the business runs its sales, accounting and customer service functions through the POS and those functions are not technologically separated from the payment card reader, a phishing scam or another intrusion can infect the payment card readers.
MasterCard, Visa and other payment card brands now require compliance with the Payment Card Industry Data Security Standard, or PCI DSS. This sets out standards that businesses must adopt to process debit or credit cards, such as using a firewall or encryption.
If the card brands detect a breach or fraudulent charges, they can issue fines, require reimbursement for the cost of issuing new cards and require a forensic investigation to determine what upgrades are needed to reach PCI DSS compliance.
In Washington state, there is a safe harbor law that says a company is not liable for data breaches if it is compliant with PCI DSS.
So, to answer Wiegand’s question from earlier, Novick said that the business is going to be the primary entity that is responsible. There are ways to possibly shift liability based on contracts, but it is going to be the business that is liable.
In 2022, social engineering accounted for 24% of data breaches.
Novick said that social engineering can be through phishing, smishing, vishing or spear phishing/whaling, and she explained what each of these terms means.
Phishing: This often happens through email. The phisher tries to trick the email recipient into giving away information like an account password. The email will look legitimate, like it is from Amazon or Microsoft. Some contain attachments that contain malware that can infect your computer and any devices connected to it.
Smishing: Phishing via text message or SMS.
Vishing: Phishing via phone call or voicemail.
Spear phishing: The next level of phishing. It’s not sending a lot of email and hoping someone will click a link, it’s much more organized and will look like it’s coming from a colleague or your HR or IT department.
The scammer has done their research and has likely already phished your colleagues.
Whaling: This is like spear phishing but targets a company’s C-suite executives.
“A successful whaling provides a scammer the keys to the castle,” Novick said.
These scams work by exploiting human error.
“Being able to spot these types of scams is crucial to being able to protect your business,” Novick said.
She said you should always check the domain name of the sender, or the part that comes after the @ symbol. You should also hover over any URL to see where it is really going to take you.
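The two checks Novick describes, the domain after the @ and where a link really points, written out as an added Python example (not code from the webinar or from the association's toolkit); the TRUSTED brand list and the sample messages are constructed for illustration.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: your own list of brands you expect mail from, and their real domains.
TRUSTED = {"example bank": "example-bank.com"}


def sender_domain(from_header: str) -> str:
    """The part after the @ of the actual address, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_is_suspicious(from_header: str) -> bool:
    """Display name claims a trusted brand, but the address domain is not that brand's."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    return any(brand in name.lower() and domain != real
               for brand, real in TRUSTED.items())


class _LinkCollector(HTMLParser):
    """Collect (visible text, href): what the reader sees vs. where the link goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html: str) -> list:
    """Links whose visible text names one host but whose href leads to another."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for text, href in parser.links:
        if not text or " " in text:          # "Click here"-style text names no host
            continue
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        real = urlparse(href).hostname or ""
        if "." in shown and shown != real:   # what hovering over the link would reveal
            bad.append((shown, real))
    return bad
```

Run sender_is_suspicious over the From header and mismatched_links over the HTML body of a suspect message; a non-empty result from either is a reason to verify by phone before clicking or replying.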
Ransomware – Trends
Wiegand said she recently read about a quick-service franchise that had to shut down 300 locations for a few days because of a ransomware attack. The total loss of this attack has yet to be reported, but estimates put it at millions of dollars in loss of revenue.
Novick explained what ransomware is and what you can do to protect your business.
“Ransomware is malicious software that locks down your system until you pay a ransom,” she said.
The best practice is to always have an offline backup of your data.
Scammers also steal targeted information and demand payment not to disclose it. Verizon recently reported that 10% of breaches now involve ransomware. Attackers are no longer just encrypting data; they are also publishing it.
Novick said there is some good news surrounding ransomware: the FBI has been asking victims of this crime not to pay the scammers.
“In reviewing ransomware incidents reported to the FBI Internet Criminal Complaint Center (IC3), Verizon found that 90% of reported ransomware incidents did not result in a financial loss,” she said.
Novick provided these resources in case you experience a ransomware attack:
NISTIR 8374: Ransomware Risk Management: A Cybersecurity Framework Profile
Business email compromise
“This is a cybercrime in which an attacker targets a business to defraud the company or one of its customers,” Novick said.
The attacker poses as someone the recipient of an email should trust. It may start as a successful phishing attempt. Once the criminal is in your system, they can send emails undetected from your email account.
It relies on social engineering and intrusion and usually can’t be detected by the same techniques you use to detect a phishing attempt.
For example, say a restaurant wants to purchase vehicles to make deliveries. The dealer appears to send the restaurant instructions for a wire transfer, but it really wasn’t the car dealer who sent them. It was a scammer who had phished the car dealer and sent the instructions from the dealer’s actual email address. The dealer doesn’t receive the payment; the scammer does.
“Liability will depend on who is in best position to avoid the loss,” Novick said. That can depend on the prior relationship between the parties and what kind of care the hacked party put into its information security procedures.
The FBI in 2019 received about 24,000 complaints about these kinds of attacks which resulted in about $1.7 billion in losses.
How you can prepare
“Security incidents and data breaches will happen, it’s a matter of when not if,” Novick said. You can minimize your risk before an attack, during an attack and make it easier to recover after an attack.
Data mapping: You need to know what you have before you can decide what to do next. Ask yourself how much information you really need to collect. If you don’t collect this information, no one can take it.
If you do need this information, make sure you have reasonable security. “Reasonable” depends on the current technology available and how sensitive this information is. Remember, what was reasonable five years ago may not be reasonable today.
IT departments and vendors can help you with your data mapping and security. The information you collect and your security need to be reviewed often as technology changes.
Washington state law requires that you take all reasonable steps to destroy personal, financial and health information, as well as personal identification numbers issued by government entities.
There are a lot of vendors that can help with privacy compliance, but you must ensure that you choose good ones because you can be held liable for the actions or inactions of your vendors.
Minimizing your risk
Novick offered a couple of basic recommendations that IT departments can help implement to minimize your risk of exposure.
- Multi-factor authentication
- Patch management, the process of fixing vulnerabilities and bugs in software and apps
You should have an incident response plan and a business continuity plan in place. If you suspect or know that you’ve had a security incident or a data breach, the first thing you need to do is follow those plans. You must regularly review, update and test these plans with employees before any incidents happen.
Incident response plan: This is a plan to prepare, detect, contain, eradicate, recover and analyze a security incident. It should include contact information for anyone who needs to help deal with the incident, both internally and externally. Include phone numbers as well as email addresses, because you may not want to alert an intruder that you know there is an incident.
Business continuity plan: This plan helps maintain critical business functions so you can continue with operations while dealing with the disruption, whether that is a cybersecurity incident, a global pandemic or natural disaster.
“There are different types of coverage and also underwriters can limit some of the coverage provided for different incidents,” Wiegand said.
You can get cyber coverage in two different forms. Some is built into your property or general liability package, with smaller limits for more incidental exposure, versus a full cyber liability policy that covers the majority of incident types and exposures.
You should follow best practices when it comes to cybersecurity, and your insurance company will want to know you are doing this. You will need multi-factor authentication and the 3-2-1 method, where information is saved in multiple locations such as a computer, the cloud and even a paper record. Ongoing employee training is critical to avoid phishing and other social engineering, as is patch management to make sure your systems are updated with the proper security software. And lastly, you will need endpoint detection and response.