The hospitality industry needs personal data to be successful – but that comes with a price. If you’re collecting or processing personal data, you’re responsible for securing it. The hospitality industry relies on the feeling of being secure, in every aspect of guests’ visits. Organizations within the hospitality industry must consider why they’re a target for cybersecurity attacks, which data privacy and security frameworks and regulations apply to them, and what challenges they will face.

Data Collection

The more details that a hotel or a travel agency knows about guests, the better – right? It can provide a more personalized experience, hopefully making a loyal client. Plus, some data is needed for booking or payment purposes, like cardholder data, passport numbers, driver’s license information, or rewards numbers. Every business has an asset that they can’t bear to lose, and for the hospitality industry, that asset is personal data. Every day, the hospitality industry is expanding the ways they collect personal data.

Data collection inherently makes the hospitality industry a target for hackers and cyber attacks. For local hotel chains or bed and breakfasts, it may not seem like the amount of personal data collected would be significant. For worldwide chains, though, like Wyndham, Marriott, or Hilton, their data is their biggest asset. When Marriott’s guest reservation database was breached, the names, mailing addresses, phone numbers, email addresses, passport numbers, rewards account information, dates of birth, gender, arrival and departure information, reservation dates, communication preferences, and encrypted payment card numbers of up to 383 million guests were compromised – making it one of the largest known thefts of personal records in history.

Interconnected Technology

Because hotel and resort chains span countries and continents and house things like gift shops, restaurants, and bars, they are an even more lucrative target for hackers. If a hacker can get into just one location’s gift shop or front-desk system, they can often reach a whole lot more. We rarely see a cyber attack confined to one location. If a hotel is connected to a casino, both could be compromised. If a restaurant is connected to a resort, both could be compromised. The list goes on and on. In 2016, malware was installed on the payment card processors of restaurants at hotels managed by InterContinental Hotels Group (IHG), impacting 1,000 hotels. Where are the places in your organization that are connected to something bigger, something that would attract a hacker?

Vendor Risk

Every vendor relationship poses some level of risk, but especially in the hospitality industry. Instead of directly hacking a resort, casino, or travel agency, a hacker can attack one of their vendors as a route to get to them.

Sabre Hospitality Solutions provides a third-party reservation system to hotel companies like Hard Rock Hotels & Casinos, Four Seasons Hotels and Resorts, Trump Hotels, and Loews Hotels. In 2017, when Sabre’s SynXis Central Reservations system was breached, so were these companies. Hard Rock reported 11 properties worldwide were impacted by the breach, Trump Hotels reported 14, and Loews Hotels reported 21. When you enter into a relationship with a vendor, you accept the risks that they bring you. The number of vendors that the hospitality industry interacts with – from security cameras to point-of-sale systems – poses a real cybersecurity challenge for protecting personal data. What do you do to ensure you partner with secure vendors?

Customer Service

There’s always a human element to hospitality – and cybersecurity is no different. When a breach involves insiders, one in five times it’s due to human error. With the rise of BYOD policies, phishing attempts, and the inherent need to accommodate guests, your employees must be aware that cybersecurity is everyone’s job.

There are so many elements that go into securing personal data – information security frameworks, security and privacy regulations, information security programs. Even when you are breached, you must respond in the appropriate way; Hilton was fined $700,000 for mishandling 2014 and 2015 data breaches. If you need help deciding whether or not the personal data you collect is secure, contact us today.

More Assurance Resources

How Can Penetration Testing Protect Your Assets?

Auditor Insights: Where to Start with GDPR Compliance

HITRUST® Across Industries: Where the HITRUST CSF® v9.2 is Headed

New York City is known for its state-of-the-art architecture, fast-paced lifestyle, variety of cultures, and endless supply of street food, but it’s about to be known for an initiative that some might believe to be long overdue: Cyber NYC.

As cybersecurity threats continue to impact businesses and cities of all sizes, local governments, like New York City’s, have taken it upon themselves to ensure the security of their city and the longevity of their economy by creating cybersecurity initiatives.

Let’s take a look at what Cyber NYC is, what influenced it, and other similar initiatives.

What is Cyber NYC?

In October 2018, the New York City Economic Development Corporation (NYCEDC) launched its $100 million initiative, Cyber NYC, with the intention of growing New York City’s cybersecurity workforce, helping companies drive innovation and business development, and building networks and community spaces.

Cyber NYC is made up of six unique but connected efforts that will allow the initiative to position NYC as the next cybersecurity hub. These efforts include:

  • Global Cyber Center: Operated by SOSA, the Global Cyber Center is slated to become a co-working space for startups, a place to foster collaboration, and a space to train the next cybersecurity workforce.
  • Hub.NYC by JVP: Operated by Jerusalem Venture Partners, Hub.NYC will be a place where enterprise-ready cyber companies can develop and connect with investors.
  • Inventors to Founders: Operated by Columbia University, the Inventors to Founders effort will serve as a launch point for new cybersecurity startups sourced from university campuses that commercialize IP research.
  • Cybersecurity Moonshot Challenge: Hosted by NYCx in the Mayor’s Office of the Chief Technology Officer, NYC Cyber Command, and NYCEDC, this effort is a unique, global competition that challenges competitors to create and deploy technologies that are specifically designed to protect small businesses from cyber attacks.
  • Applied Learning Initiative: Operated by CUNY, NYU, Columbia University, Cornell Tech, and iQ4, this effort seeks to address the workforce shortage in cybersecurity by offering four different educational programs across NYC.
  • Cyber Boot Camp: Hosted by Fullstack Academy and LaGuardia Community College, this effort also seeks to address the shortage of cybersecurity professionals by providing an accelerated training program that will help prepare individuals, including those from many of NYC’s underserved communities, for jobs in cybersecurity.

What does all of this mean for New York City and its businesses? Endless opportunities for growth, a community that fosters cybersecurity best practices, and a growing cybersecurity environment for new businesses to thrive in.

What Influenced Cyber NYC?

According to NYCEDC, Cyber NYC grew out of the rapid increase in cybersecurity attacks around the globe.

As New York City is already a hub for startups and is home to 45 Fortune 500 headquarters, establishing an initiative that combines the efforts of both public and private sectors will help position NYC as an epicenter for cybersecurity wherein businesses can feel secure and empowered to focus on mitigating advancing cyber threats.

Additionally, the extreme shortage of cybersecurity professionals has created a need for initiatives like Cyber NYC to be established. In fact, Cyber NYC is projected to create 10,000 new middle-class cybersecurity jobs in New York City.

What Cities Have Similar Cybersecurity Initiatives to Cyber NYC?

While Cyber NYC has gained a lot of attention, it’s not the only cybersecurity initiative of its kind.

For example, Ohio’s Attorney General, Mike DeWine, brought the CyberOhio initiative to fruition in August 2018. Similar to Cyber NYC, CyberOhio aims to help businesses defend themselves against the ever-changing threat landscape via educational programs, new data privacy legislation, and information sharing. Beyond the state-level initiative in Ohio, smaller, local groups have jumped into action to form cybersecurity initiatives in Columbus, Ohio. The Columbus Collaboratory and the Ohio Cyber Collaboration Committee (OC3) both seek to research and find solutions to the growing cyber threats, develop a stronger cybersecurity infrastructure, and educate individuals so that they’re prepared to enter the cybersecurity workforce.

Cities and states around the globe are faced with increasing cybersecurity threats, so it’s critical that businesses everywhere show a heightened awareness for cybersecurity. Establishing cybersecurity initiatives like Cyber NYC to combat the threat of cyberattacks is a much needed and proactive step in the right direction. If you’re interested in learning more about these initiatives or how your organization can strengthen your cybersecurity efforts, contact us today.

More Cybersecurity Resources

What is Cybersecurity?

How to Lead a Cybersecurity Initiative

When Will It Happen to You? Top Cybersecurity Attacks You Could Face

Independent Audit Verifies Conga’s Internal Controls and Processes

Broomfield, CO – Conga, the leader in end-to-end Digital Document Transformation, today announced it completed its annual SOC 2 Type II audit report covering security, availability, and confidentiality for its platform. The report highlights Conga’s continued commitment to delivering trusted and secured services to its nearly 850,000 users.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Conga’s controls to meet the standards for these criteria.

“Through the achievement of these reports, Conga’s current and prospective customers can be assured our security, availability and confidentiality controls are tested and operate in accordance with the highest possible standards,” said Mary Sparks, Vice President of Privacy and Compliance. “We believe in transparency and provide these reports because we understand the mission-critical nature of the data we’ve been entrusted with. We put customer trust first.”

“Securing this attestation reinforces Conga’s mission as a trusted, customer-focused organization, especially as we continue to expand our investment in innovation, customer experience and customer success,” said Matt Schitlz, Chief Executive Officer at Conga. “Showing our customers that we are serious about compliance and security is not only critical to the customer experience but the key to building trusting relationships.”

“Conga is a mature organization that has integrated compliance into their culture,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Their desire to effectively communicate audit results is at the heart of the SOC 2 report. Security, availability, and confidentiality controls have been thoroughly tested to provide a greater level of assurance to the users of Conga’s services.”

For more information on Conga’s security practices, visit getconga.com/why-conga/security.

About Conga

Conga is the leader in end-to-end Digital Document Transformation. From collaboration and creation, through contract management and negotiation, to agreement and e-signature, the Conga Suite has set the standard for automating business productivity and CRM investment through end-to-end Digital Document Transformation. The Conga Suite, which includes Conga Composer, Conga Collaborate, Conga Contracts, Conga Grid, Conga Sign and Conga Orchestrate, drives segment-leading ROI by simplifying and automating intelligent data, documents, contracts, signing, and reporting outcomes.

As a top global Salesforce Platinum ISV Partner, Conga produces the highest volume downloaded paid app on the entire AppExchange. In fact, nearly 850,000 users in 85 countries across virtually all industries rely on Conga applications to drive digital document transformation, including Hilton Worldwide, Schumacher Group, and CBRE.

The company is privately-held and based in Colorado with global operations in the UK and Australia. Learn more at getconga.com or follow Conga on Twitter: @getconga.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

What Should be Included in an Information Security Program?

Ensuring that sensitive information remains secure, available, and confidential is the most important goal when setting up an information security program, but knowing what you need to include to make that happen can be challenging. In today’s threat landscape, organizations must make it a priority to identify and mitigate any potential vulnerability in their information systems, and that process begins when organizations first set up their information security program. In this guide, you’ll learn about six information security basics that your organization should implement to keep your organization’s sensitive assets secure.

The Basic Components of an Information Security Program

  1. Firewalls: Any device connected to the Internet is exposed to attack, which is why firewalls are deployed to filter out unwanted network traffic.
  2. Network Access Controls: Network access controls are used by organizations to mitigate the risk of unauthorized users or devices gaining access to their information systems.
  3. Acceptable Uses for Technology: While the advancement of technology has allowed for the growth of many industries, maintaining old technology and introducing new technology into an organization’s environment can create new security vulnerabilities. This is why organizations must establish and document acceptable uses for technology.
  4. Password Best Practices: Although any password can be compromised, there are a few tried and true password best practices that organizations should follow to keep their personnel and networks secure against the advancing threat landscape.
  5. Multi-Factor Authentication: Enabling two-factor authentication (2FA) or multi-factor authentication (MFA) is a proactive way for organizations to add an additional layer of security to their systems, so that a stolen password alone is not enough to log in.
  6. Antivirus Software: Antivirus software is designed to prevent, detect, and remove viruses and other malware.

Ensuring that your organization is up-to-date on compliance requirements can be an overwhelming task, and many organizations don’t know where to begin. While many resources are about becoming compliant, they don’t explain why internal accountability is important or give you actionable steps to maintain compliance. In this webinar, our Director of Regulatory Compliance, Mark Hinely, discusses the next steps your organization can take after you’ve identified your compliance requirements and provides general principles that apply to any privacy program to help you improve your internal accountability processes.

Getting Over the Burnout of Pursuing Compliance

Pursuing compliance is a tedious task – one that often leaves organizations feeling burned out and reluctant to continue monitoring compliance efforts. Organizations need to recognize that compliance should be a cycle rather than a linear function. Achieving compliance isn’t a one-and-done process; it’s something that must be continuously reviewed and monitored. Threats are constantly evolving and requirements are frequently updated. If your organization neglects to monitor your compliance efforts, you’ll put yourself at risk of incurring steep fines and penalties, damaging your reputation, and putting your business continuity at risk.

What are Actual Internal Accountability Activities?

Monitoring and auditing are two internal accountability activities that organizations should use to ensure compliance. These activities should be scheduled based on threats and vulnerabilities, likelihood of exploitation, and/or significance of exploitation. Generally, monitoring occurs much more frequently because it requires far less time than auditing. Auditing, on the other hand, is generally less frequent because it covers a larger time period, it’s performed by staff outside of the processing activities, and it requires the time commitment of independent testing. To get the most out of these two internal accountability activities, organizations must also use proper documentation and effective reporting, and implement corrective actions.

All organizations are responsible for ensuring compliance. In fact, many new data privacy laws, such as GDPR, PIPEDA, and CCPA, require internal accountability. To learn more about the processes your organization should have in place to ensure that you’re properly monitoring your compliance efforts, download the full webinar. For more information on how KirkpatrickPrice can assist you with monitoring your compliance, contact us today.