[BreachExchange] Ramping up Employee Cyber Security Training in 2016

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 22 21:10:05 EDT 2016


http://www.jdsupra.com/legalnews/ramping-up-employee-cyber-security-80473/


In 2015, the hotel industry suffered unprecedented cyber-attacks. In
November alone, Hyatt, Starwood and Hilton all fell prey to savvy
cyber-thievery. Hyatt confirmed that hackers used malware to collect
cardholder names, card numbers, expiration dates and verification codes
from at least 250 hotels globally. Just a few days after the company
announced its acquisition of Marriott International, Starwood Hotels &
Resorts Worldwide also stated that malware had been used to steal credit
and debit card data that was found on point-of-sale cash registers. Hilton
Worldwide also began investigating credit card breaches at several of its
properties, including its Hilton locations in addition to Embassy Suites,
Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts.
Hilton confirmed the breach and, in a similar fashion to Hyatt and
Starwood, cited unauthorized malware that targeted payment card information
in point-of-sale systems as the cause of the breach.  Additional hotels
targeted by hackers in 2015 included The Trump Hotel Collection, Mandarin
Oriental, and White Lodging Services Corporation.

As these hotels deal with the fallout from the breaches, management should
be taking steps in 2016 to clearly define employee policies and procedures
including:

- Creating protocols for access and transfer of sensitive information.
Once a hotel has its IT network secure, only certain individuals should
have access to the data. Further, user activity should be monitored using
insider threat detection solutions that notify management of suspicious
activities, both externally and internally.  This includes monitoring
applications for phones or computers that have access to sensitive data.
Hotels should be tightening all network security.  Some relatively easy,
yet very important, steps that can be taken include: ensuring logins expire
after short periods of inactivity; requiring strong passwords (never
written down in public or unsecured locations) that must be changed every
30 days; and scanning devices for malware every time they are plugged in.
- Confirming off-site technology is secure. Data housed off-site should be
routinely backed up and a hotel should ensure that whatever web application
firewalls it installs are cloud-based solutions that are secure and
encrypted. Additionally, hotels should be using top-notch anti-malware
software and update it routinely.
- Securing paper files that may include personal information.  Employee
files are a major target area for data breaches by way of paper files.
They are typically easy to access (particularly in smaller hotels), and
provide a significant source of data for a low-tech inside job.  Employee
files may also include medical information protected by HIPAA. According to
the Department of Health and Human Services, hacking has been involved in
the HIPAA breaches of nearly three million patient records since 2009.
Employees across all industries, including hospitality, should be made
aware that this highly sensitive information needs to be protected.
- Warding off “Spear-Phishing” tactics. Cyber-criminals frequently send
phony “spear phishing” emails to companies, as well as individuals. Spear
phishing differs from what was historically called spam phishing in that
the email may appear to come from someone the recipient knows, yet it often
carries a malware attachment. These emails look legitimate, but if the
receiver responds or even opens an attachment, havoc may ensue. Employers
should create policies and procedures to inform and educate employees about
such scams, and develop a methodology for handling suspect emails and other
forms of correspondence.
- Creating a workplace culture with a strong emphasis on privacy and data
security. Companies should be working to instill in every employee a sense
of responsibility when it comes to cyber security. Properly trained
employees will be conscious of the potential areas of susceptibility.
Companies will continue investing in IT software, but if they fail to
engage their workforce, more attacks like these are likely to happen.  If
nothing else, breaches from the inside become far less likely in a hotel
with a strong culture of privacy and data security.  Areas completely
within the employer hotel’s control include implementing written policies
and procedural safeguards.

While these practical tips cannot guarantee that your property will be
immune from a data breach, they certainly offer guidance on how to make
your property less attractive to hackers, whether the threat comes from an
outside offender or from your own employees.