What Happens in Vegas Doesn’t Always Stay in Vegas: Is Your Data Being Protected?

What do cities like Las Vegas, Atlantic City, Monte Carlo, and Macau all have in common? They’re some of the most lucrative cities in the world for gambling, which means that they are all at risk for data breaches. Whether it’s the casinos themselves or the hotels connected to the casinos, there are sensitive assets to be stolen. Let’s take a look at why the gaming industry is at such high risk for data breaches and how your business can prepare.

Threats to the Gaming Industry

The gaming industry has earned a reputation for strict, effective physical security, but what about cybersecurity? What data is being collected about players? How is it being stored? Who is protecting that data? Many people visit casinos because there’s a certain level of privacy that’s widely expected and provided; players feel that they can gamble and enjoy the allure of casinos without their identity being compromised. However, malicious hackers have no regard for privacy and will do everything they can to compromise sensitive data. Consider the following, for example. If a casino is connected to a hotel, what would happen if the networks weren’t segmented properly? A hacker who compromised the hotel network could then find a way into the casino’s gaming network. From there, they could have access to the security cameras, the ability to manipulate odds, payout information for each machine, the ability to alter rewards information, or worse. Not to mention, because casinos are often connected to hotels, restaurants, bars, and retail stores, they’re exposed to even more cyber threats. Point-of-sale systems, ATMs, employees – they’re all vulnerable.

Staying Protected in the Gaming Industry

We know that the large amounts of sensitive data, especially financial information, available at casinos make them that much more susceptible to cyber attacks. That’s why securing the sensitive data of players is critical to ensuring the longevity of the casino industry. If players can’t expect their data to be protected, or they feel that they’re at risk of being exposed, why would they continue gambling at your location? In order to secure the data that fuels the casino industry, there are a few proactive steps that casinos can implement.

  1. Penetration Testing: Penetration testing, or ethical hacking, gives organizations insight into their security posture by showing them their security strengths and weaknesses through simulated yet real-world exercises. Organizations are then able to risk-rank security vulnerabilities and remediate accordingly, potentially preventing cyber attacks before they happen.
  2. Security Awareness Training: As in all industries, employees pose one of the biggest threats to security at casinos. Whether it’s a blackjack dealer, bartender, or front desk receptionist, all employees are at risk of falling for cyber attacks. Implementing security awareness training for casino personnel will help employees identify, report, and prevent attacks.
  3. Incident Response Plan Training: It’s only a matter of when, not if, cyber attacks will occur, and casinos must be prepared. Having an effective incident response plan in place is critical, but practicing that incident response plan is equally important. When an attack occurs, the incident response plan must be executed flawlessly; if it isn’t, there could be costly implications. Conducting regular incident response plan training should be a top priority for casinos.
  4. Cyber Insurance: Because the average cost of a data breach is upwards of $4 million, casinos and other gaming institutions would be wise to hold a cyber insurance policy in case a data breach or security incident does occur. The policy should include first-party coverage (costs that hit the casino directly as a result of a breach, such as loss of sensitive data) and third-party coverage (claims by other parties impacted by the breach).

Case Study: Hard Rock Hotel & Casino Las Vegas

Over the last few years, the Hard Rock Hotel & Casino Las Vegas experienced a series of data breaches caused by hackers gaining unauthorized POS network access and installing POS scraping malware. Payment card information, including cardholder names, credit card numbers, and CVV codes, was stolen. Though each data breach in the series of security incidents was slightly different, they each underscore the necessity for casinos, and especially resorts with numerous amenities, to implement a robust cybersecurity program that segments each part of the resort from the others. In Hard Rock’s case, only the hotel portion of the resort was impacted during the first breach in 2015. In 2016, however, the entire resort was impacted by malware.

While casino heists and hacks are often portrayed in Hollywood films, there’s nothing fictional about the threat of cyber attacks to casinos. Malicious hackers are creative and cunning, and their attacks are only getting more sophisticated. If your organization is committed to remaining secure in the gaming industry, don’t gamble on cybersecurity. Contact us today to learn how our audit, penetration testing, and consulting services can help keep you and your players secure.


Ohio Takes on Cybersecurity with the CyberOhio Initiative

The threat of a cyberattack is something all businesses must be cognizant of, but unfortunately, many are not. As it has become increasingly challenging to understand and implement cybersecurity best practices, states across the US are beginning to roll out cybersecurity initiatives aimed at helping businesses combat advancing cyber threats. While we’ve touched on innovative cybersecurity initiatives like the ones that New York has implemented, Ohio is paving the way for state-sponsored cybersecurity initiatives with the CyberOhio initiative.

What is CyberOhio?

CyberOhio is a cybersecurity initiative spearheaded by Ohio’s Attorney General, Mike DeWine, implemented in August of last year. Similar to other cybersecurity initiatives of its kind, CyberOhio aims to help businesses defend themselves against the ever-changing threat landscape through three key areas: education, new data privacy legislation, and information sharing.

Education

When it comes to implementing cybersecurity best practices, education is key. If businesses aren’t aware of the threats they’re faced with, how can they prepare for an attack? How will they ensure that the data they hold remains secure? Ohio’s Attorney General recognizes this and, as part of CyberOhio, put an emphasis on educating businesses on cybersecurity threats and ways to mitigate them so that consumer information can remain protected. How do they do it? The Ohio Attorney General’s Office has partnered with local and small business chambers to host a cybersecurity basics course, where business owners and their employees can learn about common types of data breaches and how to prevent them.

New Data Privacy Legislation

Lawmakers and business owners are continuously recognizing the new, complex risks that come from doing business in cyberspace. That’s why so many states are moving towards creating their own data privacy laws, such as California’s Consumer Privacy Act (CCPA), and Ohio is no exception. As part of the CyberOhio initiative, Ohio Governor John Kasich signed Senate Bill No. 220, the Ohio Data Protection Act. This legislation makes Ohio the first state to enact a law that incentivizes businesses to implement a cybersecurity program by providing a safe harbor to businesses that do so.

The law clearly states that the Ohio Data Protection Act is not meant to be a minimum cybersecurity standard that must be achieved by businesses in Ohio. Unlike other states’ cybersecurity laws (like New York’s regulation for financial services companies), the Ohio Data Protection Act is voluntary. It gives businesses a reason to be proactive with their cybersecurity program instead of imposing additional regulations that they must follow.

Information Sharing

Staying ahead of cybersecurity threats requires a joint effort from government officials, businesses, and community members. As part of CyberOhio, a focus was placed on information sharing because it helps all businesses in Ohio stay abreast of the threats they’re facing. In fact, many smaller organizations have formed throughout the state of Ohio to band together to combat cybersecurity risks. The Northeast CyberConsortium (NEOCC), Columbus Collaboratory, and the Ohio Cyber Collaboration Committee (OC3) all seek to research and find solutions to the growing cyber threats, develop a stronger cybersecurity infrastructure, and educate individuals so that they’re prepared to enter the cybersecurity workforce and implement cybersecurity best practices.

By creating and implementing cybersecurity initiatives like CyberOhio, businesses are empowered to work together to decrease the likelihood of a cyberattack, making the community a safer place for business owners, their customers, and the data shared between them. If you’re looking to learn more about cybersecurity initiatives in your state or would like more information about how you can implement cybersecurity best practices at your organization, contact us today.


5 Information Security Considerations to Make Your Startup Successful

From Silicon Valley to Times Square, startups of all kinds are popping up all over the United States and beyond. It’s easy for the founders to put all of their resources into starting the business and taking it to market, but what happens when the data that fuels that startup is breached? What happens when an immature information security program causes that startup to fail?

What Makes a Startup Successful?

There’s a lot that goes into making a startup successful – a great idea, strong leaders, a solid business model, investors, and grit – but there’s even more that factors into scaling a startup. In fact, there’s one key component to making a startup successful that’s often neglected: a robust information security program. In today’s age, information security is one of the top concerns of organizations because they know that it’s only a matter of when, not if, a cybersecurity attack will affect their business. Unfortunately, not all startups recognize how pervasive the current threat landscape is, or they don’t even know where to begin with implementing an information security program. In order for a startup to be truly successful, there needs to be a robust information security program created from the start. What should it include? We believe that there are five key considerations that organizations must keep in mind when creating their information security program.

1. Get Executives on Board with Information Security from the Start

We often discuss the importance of implementing a culture of compliance from the start of your business, and this is especially true for startups. Why? Because a startup is usually made up of very few members and often does not include IT personnel. This means that for startups, it’s even more important that executives understand and acknowledge the importance of implementing a robust information security program; they need to make it a shared responsibility to design business processes and systems with security controls in mind from the start.

2. Know Your Assets

The value of having a robust information security program comes down to protecting your organization’s valuable assets. For startups, this should really hit home. It’s hard enough getting a company off the ground, so what would happen if, six months after launching, a breach occurred or a physical device containing your company’s data was stolen? It’s happened before and it will happen again. Knowing what assets you have and how much they’re worth to you will help you risk-rank which assets need to be protected first.

3. Implement Information Security Basics

Almost all organizations use some form of technology to carry out their business processes, and startups are no different. In fact, most startups have mobile or web applications that are just as likely to be hacked or targeted as those of Fortune 500 companies. That’s why startups need to implement information security basics, such as firewall configurations, network access controls, antivirus software, password policies, and MFA, to mitigate the risk of malware attacks, DDoS attacks, API disruption, and the plethora of other cybersecurity threats startups face.

4. Educate Your Employees

Employees are often thought of as the weakest link at any organization. Because of the limited number of personnel at a startup, focusing on security awareness training might not seem necessary, but that couldn’t be further from the truth. Every single person working at your startup needs to know how they could unintentionally compromise your organization by falling for phishing attempts, using bad passwords, or just not following policies. Whether your startup has a team of two or thirty, investing in security awareness training from the beginning reinforces a culture of compliance and helps mitigate the risk of human error causing a security incident.

5. Establish Physical Security Controls

Another focal point startups must keep in mind is establishing physical security controls. Many times, startups work out of incubators or coworking spaces, but these environments might not always have strong physical security controls in place to keep their assets protected. Let’s say that a startup is based out of a coworking space – what physical controls are in place to protect your assets? Does the coworking space have security cameras? Do they have badges, key fobs/cards, biometric access controls, security guards, and/or receptionists? There’s no telling who could enter a coworking space and gain unauthorized access to your sensitive assets, so establishing physical security controls needs to be a top priority.

Malicious hackers don’t discriminate against startups. If there’s sensitive data to access, they’re going to find a way to get their hands on it. That’s why investing in a robust information security program from the start is so worthwhile: security incidents can cause outages in critical services and operations, ruin your reputation, and cause your business to fail before it even takes off. It’s every entrepreneur’s dream to see their business succeed – don’t let an immature information security program keep you from achieving that. As a firm that started out small, we know what it takes to grow a business and we’re dedicated to helping you do just that. Contact us today to learn more about how KirkpatrickPrice can help you implement a robust information security program for your startup.


Web Application Vulnerability Leads to Compromised Data

Georgia Tech Data Breach

Last week, Georgia Tech announced a vulnerability in a web application that compromised 1.3 million individuals’ information, spanning current students, alumni, and employees. The vulnerability allowed unauthorized third-party access to a central Georgia Tech database. The university hasn’t released many details yet, but we do know the basics of the incident.

The Georgia Tech data breach was found in late March, but the impact has been traced back to December. The vulnerability in the web application has been patched, and the university is looking for any additional, unknown vulnerabilities. Its cybersecurity team is now conducting a forensic investigation to find out how this breach happened, especially since it’s the second breach within a year. In 2018, 8,000 Georgia Tech College of Computing students’ information was emailed to the wrong recipients because of human error.

Cybersecurity Risks in Higher Education

The Georgia Tech data breach proves, once again, that any organization can be compromised. Even a university with a leading computing program and top cybersecurity talent can be impacted by a data breach. Georgia Tech’s relationships with technology companies and the government probably made the university an even more attractive target.

A data breach in the education industry costs $166 per capita, according to the Ponemon Institute. Institutions of higher education can be targeted for personally identifiable information, research, payroll information, Social Security Numbers, or for other critical assets. Most cybersecurity attacks are a matter of when it will happen to you, not if it will happen to you. The Georgia Tech data breach isn’t the first time a university has been targeted, and it won’t be the last. Is your institution doing everything it can to protect itself from attacks?

Security of Web Applications

Web applications are unique constructs, mixing various forms of technology and providing an interactive front for others to use. Some web applications are made public, while others might be internal applications existing on an intranet. No matter the location, web applications play critical functions and are susceptible to many cyber threats, as we see with the Georgia Tech data breach. To mitigate risk, web applications need to be thoroughly tested for application logic flaws, forced browsing, access controls, cookie manipulation, horizontal escalation and vertical escalation, insecure server configuration, source code disclosure, and URL manipulation, among other tests.
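Two of the test categories listed above, access controls and horizontal/vertical escalation, come down to one question: does the server decide authorization from the identity it established itself, or from something the client sent? The following is an added example, not code from the original post or from any real application, that contrasts the vulnerable pattern with the hardened one. The `Request` class, the `ACCOUNTS` table, and the handler functions are constructed for illustration and stand in for a real framework's request object and data store.

```python
"""Added example: object-level and role-level authorization checks
for a web application, with the vulnerable and hardened handler side by side.
All names and data here are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request after session validation."""
    session_user: int                 # user id taken from the server-side session
    session_role: str                 # role taken from the server-side session
    path: str                         # e.g. "/accounts/42"
    params: dict = field(default_factory=dict)  # client-controlled query/body fields


# Constructed sample data: account id -> owning user id.
ACCOUNTS = {42: 1001, 43: 1002}


def _account_id(path: str) -> int:
    """Extract the numeric id from a path such as /accounts/42."""
    return int(path.rstrip("/").rsplit("/", 1)[1])


def view_account_insecure(req: Request):
    """Vulnerable: no ownership check. Changing the id in the URL reads
    another customer's account (horizontal escalation)."""
    acct = _account_id(req.path)
    if acct not in ACCOUNTS:
        return 404, None
    return 200, {"account": acct, "owner": ACCOUNTS[acct]}


def view_account_secure(req: Request):
    """Hardened: object-level authorization against the session identity.
    The record must belong to the caller, or the caller must be an admin."""
    acct = _account_id(req.path)
    if acct not in ACCOUNTS:
        return 404, None
    if ACCOUNTS[acct] != req.session_user and req.session_role != "admin":
        return 403, None
    return 200, {"account": acct, "owner": ACCOUNTS[acct]}


def delete_account_insecure(req: Request):
    """Vulnerable: the role is read from a client-controlled parameter, so
    any authenticated user can claim to be an admin (vertical escalation)."""
    if req.params.get("role") != "admin":
        return 403, None
    return 200, {"deleted": _account_id(req.path)}


def delete_account_secure(req: Request):
    """Hardened: the role comes only from the server-side session."""
    if req.session_role != "admin":
        return 403, None
    return 200, {"deleted": _account_id(req.path)}


def run_escalation_checks():
    """Replay the same two test requests against both versions of each
    handler, the way an access-control test does, and return the status codes.
    A 200 from an 'insecure' handler is the finding; the 'secure' one returns 403."""
    # User 1001 requests an account owned by user 1002.
    other_users_account = Request(session_user=1001, session_role="user",
                                  path="/accounts/43")
    # The same user appends a forged role parameter to a delete request.
    forged_role = Request(session_user=1001, session_role="user",
                          path="/accounts/43", params={"role": "admin"})
    return {
        "horizontal_insecure": view_account_insecure(other_users_account)[0],
        "horizontal_secure": view_account_secure(other_users_account)[0],
        "vertical_insecure": delete_account_insecure(forged_role)[0],
        "vertical_secure": delete_account_secure(forged_role)[0],
    }


if __name__ == "__main__":
    for name, status in run_escalation_checks().items():
        print(f"{name}: HTTP {status}")
```

The design point is that the hardened handlers never consult `req.params` for anything security-relevant; identity and role come only from the validated session, and every record access is checked against that identity before data is returned.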

At KirkpatrickPrice, we want to find the gaps in your web applications’ security before an attacker does. For this reason, we offer advanced web application penetration testing. Contact us today to learn more about how our services can help secure your web applications.


Top Cybersecurity Challenges for the Hospitality Industry

The hospitality industry needs personal data to be successful – but that comes with a price. If you’re collecting or processing personal data, you’re responsible for securing it. The hospitality industry relies on the feeling of being secure, in every aspect of guests’ visits. Organizations within the hospitality industry must consider why they’re a target for cybersecurity attacks, which data privacy and security frameworks and regulations apply to them, and what challenges they will face.

Data Collection

The more details that a hotel or a travel agency knows about guests, the better – right? It can provide a more personalized experience, hopefully making a loyal client. Plus, some data is needed for booking or payment purposes, like cardholder data, passport numbers, driver’s license information, or rewards numbers. Every business has an asset that they can’t bear to lose, and for the hospitality industry, that asset is personal data. Every day, the hospitality industry is expanding the ways they collect personal data.

Data collection inherently makes the hospitality industry a target for hackers and cyber attacks. For local hotel chains or bed and breakfasts, it may not seem like the amount of personal data collected would be significant. For worldwide chains, though, like Wyndham, Marriott, or Hilton, their data is their biggest asset. When Marriott’s guest reservation database was breached, the names, mailing addresses, phone numbers, email addresses, passport numbers, rewards account information, dates of birth, gender, arrival and departure information, reservation dates, communication preferences, and encrypted payment card numbers of up to 383 million guests were compromised – making it one of the largest known thefts of personal records in history.

Interconnected Technology

Because hotel and resort chains span countries and continents and house things like gift shops, restaurants, and bars, they are an even more lucrative target for hackers. If a hacker can get into just one location’s gift shop or front-desk system, they can access a whole lot more. We rarely see a cyber attack sticking to one location. If a hotel is connected to a casino, both could be compromised. If a restaurant is connected to a resort, both could be compromised. The list goes on and on. In 2016, malware was installed on the payment card processors of restaurants at hotels managed by InterContinental Hotels Group (IHG), impacting 1,000 hotels. Where are the places in your organization that are connected to something bigger, something that would attract a hacker?

Vendor Risk

Every vendor relationship poses some level of risk, but especially in the hospitality industry. Instead of directly hacking a resort, casino, or travel agency, a hacker can attack one of their vendors as a route to get to them.

Sabre Hospitality Solutions provides a third-party reservation system to hotel companies like Hard Rock Hotels & Casinos, Four Seasons Hotels and Resorts, Trump Hotels, and Loews Hotels. In 2017, when Sabre’s SynXis Central Reservations system was breached, so were these companies. Hard Rock reported 11 properties worldwide impacted by the breach, Trump Hotels reported 14, and Loews Hotels reported 21. When you enter into a relationship with a vendor, you accept the risks that they bring you. The number of vendors that the hospitality industry interacts with – from security cameras to point-of-sale systems – poses a real cybersecurity challenge for protecting personal data. What do you do to ensure you partner with secure vendors?

Customer Service

There’s always a human element to hospitality – and cybersecurity is no different. When a breach involves insiders, one in five times it’s due to human error. With the rise of BYOD policies, phishing attempts, and the inherent need to accommodate guests, your employees must be aware that cybersecurity is everyone’s job.

There are so many elements that go into securing personal data – information security frameworks, security and privacy regulations, information security programs. Even when you are breached, you must respond in the appropriate way; Hilton was fined $700,000 for mishandling 2014 and 2015 data breaches. If you need help deciding whether or not the personal data you collect is secure, contact us today.
