Employees in the hospitality industry are trained to meet needs, so it takes little effort for an attacker to exploit their willingness to help. Employees are valuable, but they can also be your weakest link. How much customer service is too much? When should an employee become suspicious of a guest's or visitor's behavior? Unfortunately, the answer in practice is: not often enough.

What is Social Engineering?

How sure are you that your employees can withstand a social engineering attempt? Social engineering is creative, and it is engineered to trick your employees: it manipulates ordinary human interactions to compromise your organization. That could be bypassing a procedure to let a guest into an employee-only area, or accepting someone's unusual story as a reason to break policy. Eventually, those breaks in policy or procedure lead to malware or unauthorized access to your systems. The stories that come out of social engineering engagements can shock security officers and executives who believe their employees would never fall for it, especially in the hospitality industry. Social engineering doesn't require much technology or a complicated process; all it needs is a distracted, careless, or overly accommodating employee.

Social Engineering in Hospitality

In the 2016 Erin Andrews-Marriott case, Andrews' stalker used the hotel restaurant's house phone and asked to be connected to Andrews' room. When the hotel complied, he learned Andrews' room number and discovered that the room next to hers was available. He then went to the front desk, requested that room, and was able to book it. The room was available, but should the employee have let him book it, knowing a high-profile guest was next door? Andrews' stalker was then able to set up a camera through the peephole and record Andrews undressing, footage he later released on the Internet.

Andrews asked in court, "Why didn't they even call me to tell me? Why didn't they ask? I was so angry. This could've been stopped. The Nashville Marriott could've just called me." Why didn't the Marriott employee recognize suspicious behavior? Why didn't they tell her that someone had requested the room that was, coincidentally, next to hers? This social engineering tactic worked on the front desk employee and eventually cost the hotel chain $26 million after Andrews sought justice for the violation of her privacy. How many other times has a method like this one worked? The hospitality industry depends on guests and visitors feeling safe. When that trust is lost, how will your brand survive?

Social engineering as a delivery vehicle for phishing is also a low-effort tactic for attackers. A simple attempt may look like this: an attacker calls customer service for help "confirming a reservation." When the caller offers to send the reservation details by email, the customer service representative doesn't think twice about opening the attachment. They're just helping a customer, right? This is how quickly malware can enter your organization when employees fall for phishing.

Not enough organizations test their employees against social engineering. It's hard to convince organizations that our team of penetration testers will be able to manipulate their employees or environment, until they see the results. Even when employees mean well and any harm is unintentional, your employees are probably your weakest link and are heavily targeted. Let us help educate your employees on the ways they could be compromised during their day-to-day interactions.

More Social Engineering Resources

Not All Penetration Tests Are Created Equal

How Can Penetration Testing Protect Your Assets?

Why is Ransomware Successful?

What do cities like Las Vegas, Atlantic City, Monte Carlo, and Macau all have in common? They're some of the most lucrative gambling cities in the world, which means they are all at risk of data breaches. Whether it's the casinos themselves or the hotels connected to them, there are sensitive assets to be stolen. Let's take a look at why the gaming industry is at such high risk of data breaches and how your business can prepare.

Cybersecurity Threats to the Gaming Industry

The gaming industry has earned a reputation for strict, effective physical security, but what about cybersecurity? What data is being collected about players? How is it being stored? Who is protecting it? Many people visit casinos because a certain level of privacy is widely expected and provided; players feel they can gamble and enjoy the allure of casinos without their identity being compromised. Malicious hackers, however, have no regard for that privacy and will do everything they can to compromise sensitive data.

Consider one casino data security scenario. If a casino is connected to a hotel, what happens if the two networks aren't segmented properly? An attacker who finds a way in through the hotel network may reach the casino's gaming network. From there, they could gain access to the security cameras, manipulate odds, read payout information for each machine, alter rewards information, or worse. And because casinos are often connected to hotels, restaurants, bars, and retail stores, they are exposed to even more threats. Point-of-sale systems, ATMs, employees: they're all vulnerable.

Staying Protected in the Gaming Industry

The large amounts of sensitive data, especially financial information, held at casinos make them that much more attractive targets for cyber-attacks. That's why securing players' sensitive data is critical to the longevity of the casino industry. If players can't expect their data to be protected, or feel they are at risk of being exposed, why would they continue gambling at your location? To secure the data that fuels the casino industry, there are a few proactive steps casinos can take.

  1. Penetration Testing: Penetration testing, or ethical hacking, gives organizations insight into their security posture by showing them their strengths and weaknesses through simulated but realistic attacks. Organizations can then risk-rank the vulnerabilities found and remediate accordingly, potentially preventing cyber-attacks before they happen.
  2. Security Awareness Training: As in every industry, employees pose one of the biggest threats to security at casinos. Whether it's a blackjack dealer, bartender, or front desk receptionist, every employee can fall for an attack. Security awareness training for casino personnel helps employees identify, report, and prevent attacks.
  3. Incident Response Plan Training: It's a matter of when, not if, a cyber-attack will occur, and casinos must be prepared. Having an effective incident response plan in place is critical, but practicing that plan is equally important. When an attack occurs, the plan must be executed well; if it isn't, the cost of the incident grows. Regular incident response exercises should be a top priority for casinos.
  4. Cyber Insurance: Because the average cost of a data breach is upwards of $4 million, casinos and other gaming institutions would be wise to hold a cyber insurance policy in case a data breach or security incident does occur. The policy should include first-party coverage (costs that hit the casino directly as a result of a breach, such as loss of sensitive data) and third-party coverage (claims by other parties affected by the breach).

Case Study: Hard Rock Hotel & Casino Las Vegas

Over the last few years, the Hard Rock Hotel & Casino Las Vegas experienced a series of data breaches in which attackers gained unauthorized access to the POS network and installed POS scraping malware. Payment card information, including cardholder names, card numbers, and CVV codes, was stolen. Although each breach in the series was slightly different, they all underscore the need for casinos, and especially resorts with numerous amenities, to implement a robust cybersecurity program that segments each part of the resort from the others. In Hard Rock's case, only the hotel portion of the resort was affected by the first breach in 2015. In 2016, however, the malware affected the entire resort.

Casino heists and hacks are a Hollywood staple, but there's nothing fictional about the threat cyber-attacks pose to casinos. Malicious hackers are creative and cunning, and their attacks are only getting more sophisticated. If your organization is committed to remaining secure in the gaming industry, don't gamble on cybersecurity. Contact us today to learn how our audit, penetration testing, and consulting services can help keep you and your players secure.

More Cybersecurity Resources

What is Cybersecurity?

When Will it Happen to You? Top Cybersecurity Attacks You Could Face

7 Reasons Why You Need a Manual Penetration Test

Components of a Quality Penetration Test

The threat of a cyberattack is something all businesses must be aware of, but unfortunately many are not. As it has become increasingly challenging to understand and implement cybersecurity best practices, states across the US are rolling out cybersecurity initiatives aimed at helping businesses combat advancing threats. We've previously touched on innovative initiatives such as New York's; Ohio is paving the way for state-sponsored cybersecurity initiatives with CyberOhio.

What is CyberOhio?

CyberOhio is a cybersecurity initiative spearheaded by Ohio’s Attorney General, Mike DeWine, implemented in August of last year. Similar to other cybersecurity initiatives of its kind, CyberOhio aims to help businesses defend themselves against the ever-changing threat landscape through three key areas: education, new data privacy legislation, and information sharing.

Education is Key

When it comes to implementing cybersecurity best practices, education is key. If businesses aren't aware of the threats they face, how can they prepare for an attack? How will they ensure that the data they hold remains secure? Ohio's Attorney General recognizes this and, as part of CyberOhio, put an emphasis on educating businesses about cybersecurity threats and ways to mitigate them so that consumer information remains protected. How? The Ohio Attorney General's Office has partnered with local and small business chambers to host a cybersecurity basics course, where business owners and their employees can learn about common types of data breaches and how to prevent them.

New Data Privacy Legislation

Lawmakers and business owners continue to recognize the new, complex risks that come from doing business in cyberspace. That's why so many states are moving toward their own data privacy laws, such as the California Consumer Privacy Act (CCPA), and Ohio is no exception. As part of the CyberOhio initiative, Ohio Governor John Kasich signed Senate Bill No. 220, the Ohio Data Protection Act. This legislation makes Ohio the first state to enact a law that incentivizes businesses to implement a cybersecurity program by providing a legal safe harbor to businesses that do so.

The law clearly states that the Ohio Data Protection Act is not meant to set a minimum cybersecurity standard that businesses in Ohio must meet. Unlike other states' cybersecurity laws (such as New York's cybersecurity regulation for financial services companies, 23 NYCRR Part 500), the Ohio Data Protection Act is voluntary. It gives businesses a reason to be proactive about their cybersecurity program rather than imposing additional regulations they must follow.

Focusing on Information Sharing

Staying ahead of cybersecurity threats requires a joint effort from government officials, businesses, and community members. CyberOhio places a focus on information sharing because it helps all businesses in Ohio stay abreast of the threats they face. In fact, several organizations have formed throughout the state to band together against cybersecurity risks. The Northeast Ohio CyberConsortium (NEOCC), Columbus Collaboratory, and the Ohio Cyber Collaboration Committee (OC3) all seek to research and develop solutions to growing cyber threats, build a stronger cybersecurity infrastructure, and educate individuals so that they are prepared to enter the cybersecurity workforce and implement cybersecurity best practices.

Initiatives like CyberOhio empower businesses to work together to decrease the likelihood of a cyberattack, making the community a safer place for business owners, their customers, and the data shared between them. If you'd like to learn more about cybersecurity initiatives in your state, or want more information about how to implement cybersecurity best practices at your organization, contact us today.

More Cybersecurity Resources

What is Cybersecurity?

How to Lead a Cybersecurity Initiative

When Will It Happen to You? Top Cybersecurity Attacks You Could Face

From Silicon Valley to Times Square, startups of all kinds are popping up all over the United States and beyond. It’s easy for the founders to put all of their resources into starting the business and taking it to market, but what happens when the data that fuels that startup is breached? What happens when an immature information security program causes that startup to fail?

What Makes a Startup Successful?

There's a lot that goes into making a startup successful (a great idea, strong leaders, a solid business model, investors, and grit), and even more that goes into scaling one. One key component of a successful startup is often neglected: a robust information security program. Information security is now one of the top concerns of organizations, because they know it's a matter of when, not if, a cybersecurity attack will affect their business. Unfortunately, not all startups recognize how pervasive the current threat landscape is, and many don't know where to begin with an information security program. For a startup to be truly successful, a robust information security program needs to be built in from the start. What should it include? We believe there are five key considerations organizations must keep in mind when creating their information security program.

1. Get Executives on Board with Information Security from the Start

We often discuss the importance of building a culture of compliance from the start of a business, and this is especially true for startups. Why? Because a startup usually has very few members and often no dedicated IT personnel. That makes it even more important for a startup's executives to understand and acknowledge the importance of a robust information security program; they need to make it a shared responsibility to design business processes and systems with security controls in mind from the start.

2. Know Your Assets

The value of a robust information security program comes down to protecting your organization's valuable assets. For startups, this should really hit home. It's hard enough getting a company off the ground, so what would happen if, six months after launch, a breach occurred or a device containing your company's data was stolen? It has happened before and it will happen again. Knowing what assets you have and how much they're worth to you lets you risk-rank which assets need to be protected first.

3. Implement Information Security Basics

Almost all organizations use some form of technology to carry out their business processes, and startups are no different. In fact, most startups have mobile or web applications that are just as likely to be targeted as those of Fortune 500 companies. That's why startups need to implement information security basics, such as firewall configuration, network access controls, antivirus software, password policies, and multi-factor authentication (MFA), to mitigate the risk of malware, DDoS attacks, abuse or disruption of their APIs, and the plethora of other cybersecurity threats they face.

4. Educate Your Employees

Employees are often described as the weakest link in any organization. Because a startup has so few personnel, security awareness training might not seem necessary, but that couldn't be further from the truth. Every person working at your startup needs to know how they could unintentionally compromise the organization by falling for phishing attempts, using weak passwords, or simply not following policy. Whether your startup has a team of two or thirty, investing in security awareness training from the beginning reinforces a culture of compliance and reduces the risk of human error causing a security incident.

5. Establish Physical Security Controls

Another focal point for startups is establishing physical security controls. Startups often work out of incubators or coworking spaces, and those environments do not always have strong physical security controls in place to protect tenants' assets. If your startup is based out of a coworking space, what physical controls protect your assets? Does the space have security cameras? Badges, key fobs or cards, biometric access controls, security guards, or a receptionist? There's no telling who could enter a coworking space and gain unauthorized access to your sensitive assets, so physical security controls need to be a top priority.

Malicious hackers don't make exceptions for startups. If there's sensitive data to be had, they're going to find a way to get it. That's why investing in a robust information security program from the start is so worthwhile: security incidents can cause outages in critical services and operations, ruin your reputation, and cause your business to fail before it even takes off. It's every entrepreneur's dream to see their business succeed; don't let an immature information security program keep you from achieving that. As a firm that started out small, we know what it takes to grow a business, and we're dedicated to helping you do just that. Contact us today to learn more about how KirkpatrickPrice can help you implement a robust information security program for your startup.

More Resources

6 Information Security Basics Your Organization Needs to Implement

Getting Executives On Board with Information Security Needs

Getting the Most Out of Your Information Security and Cybersecurity Programs in 2019

Georgia Tech Data Breach

Last week, Georgia Tech announced that a vulnerability in a web application had exposed the information of 1.3 million individuals, from current students to alumni to employees. The vulnerability allowed an unauthorized third party to access a central Georgia Tech database. The university hasn't released many details yet, but we do know the basics of the incident.

The Georgia Tech data breach was discovered in late March, but the unauthorized access has been traced back to December. The web application vulnerability has been patched, and the university is looking for any additional, unknown vulnerabilities. Its cybersecurity team is now conducting a forensic investigation to determine how the breach happened, especially since it is the second breach within a year: in 2018, the information of 8,000 Georgia Tech College of Computing students was emailed to the wrong recipients because of human error.

Cybersecurity Risks in Higher Education

The Georgia Tech data breach proves, once again, that any organization can be compromised. Even a university with a leading computing program and top cybersecurity talent can suffer a data breach. Georgia Tech's relationships with technology companies and the government probably made the university an even more attractive target.

A data breach in the education industry costs $166 per capita, according to the Ponemon Institute. Institutions of higher education can be targeted for personally identifiable information, research, payroll information, Social Security Numbers, or other critical assets. For most organizations, a cybersecurity attack is a matter of when, not if. The Georgia Tech data breach isn't the first time a university has been targeted, and it won't be the last. Is your institution doing everything it can to protect itself?

Security of Web Applications

Web applications are unique constructs, mixing various forms of technology and providing an interactive front end for others to use. Some are public, while others are internal applications on an intranet. Wherever they live, web applications perform critical functions and are susceptible to many threats, as the Georgia Tech data breach shows. To mitigate risk, web applications need to be tested thoroughly for application logic flaws, forced browsing, broken access controls, cookie manipulation, horizontal and vertical privilege escalation, insecure server configuration, source code disclosure, and URL manipulation, among other issues.
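Two of the test categories listed above, horizontal and vertical privilege escalation, come down to whether the application checks authorization on every request or merely authentication. The example below is added here to illustrate the difference; it is not code from Georgia Tech's application, whose details have not been released. The hotel reservation handlers, the `User` type and the in-memory reservation table are all constructed for the example. Each vulnerable handler is paired with the hardened version a tester would expect to see.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Identity established by the server-side session (constructed for this example)."""
    id: int
    role: str  # "guest" or "admin"


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


# Constructed stand-in for a reservations table; ids are sequential, so they are guessable.
RESERVATIONS = {
    1001: {"owner_id": 1, "room": "412"},
    1002: {"owner_id": 2, "room": "413"},
}


def get_reservation_vulnerable(current_user: User, reservation_id: int) -> dict:
    """Authenticates but never authorizes: any logged-in guest who changes the id in
    the URL reads another guest's booking (horizontal escalation, often called IDOR)."""
    return RESERVATIONS[reservation_id]


def get_reservation(current_user: User, reservation_id: int) -> dict:
    """Object-level authorization: the record must belong to the caller, or the caller
    must be an admin. Missing and foreign records get the same answer so an attacker
    cannot enumerate which ids exist."""
    rec = RESERVATIONS.get(reservation_id)
    if rec is None or (rec["owner_id"] != current_user.id and current_user.role != "admin"):
        raise Forbidden()
    return rec


def set_room_rate_vulnerable(current_user: User, form: dict) -> str:
    """Trusts a client-supplied flag, so a guest who adds is_admin=true to the request
    performs an admin action (vertical escalation by parameter tampering)."""
    if form.get("is_admin") == "true":
        return "rate updated"
    raise Forbidden()


def set_room_rate(current_user: User, form: dict) -> str:
    """The role comes from the server-side session, never from the request body."""
    if current_user.role != "admin":
        raise Forbidden()
    return "rate updated"


def probe(handler, *args) -> str:
    """Exercise a handler the way a tester would and report the outcome."""
    try:
        handler(*args)
        return "allowed"
    except (Forbidden, KeyError):
        return "denied"


if __name__ == "__main__":
    guest1, guest2, admin = User(1, "guest"), User(2, "guest"), User(9, "admin")
    print("horizontal, vulnerable:", probe(get_reservation_vulnerable, guest1, 1002))
    print("horizontal, fixed:     ", probe(get_reservation, guest1, 1002))
    print("vertical, vulnerable:  ", probe(set_room_rate_vulnerable, guest1, {"is_admin": "true"}))
    print("vertical, fixed:       ", probe(set_room_rate, guest1, {"is_admin": "true"}))
```

In a real test the probes are HTTP requests made with a second account's session cookie and with tampered parameters; the principle is the same, and the fix is always a server-side check tied to the authenticated identity rather than to anything the client sends.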

At KirkpatrickPrice, we want to find the gaps in your web applications' security before an attacker does. That is why we offer advanced web application penetration testing. Contact us today to learn more about how our services can help secure your web applications.

More Assurance Resources

How Can Penetration Testing Protect Your Assets?

Ransomware Alert: Lessons Learned from the City of Atlanta

Why is Ransomware Successful?