by
Lynn Goodendorf
Mar 1, 2021

Making Hard Decisions in Cybersecurity

No one wants to consider making cost cuts to a cybersecurity program because the threats are continuing and changing. However, the current reality for many companies in the hospitality industry is that spending needs to be reduced in all categories. The expense for cybersecurity can be conserved with a well thought out risk-based approach and acknowledgement that there will be a calculated increase in risk.

We must embrace the idea that mitigating risk to an accepted level is the aim, and be in a position to move quickly when incidents occur. Even with a robust cybersecurity program, it is unrealistic to think that no incidents will happen. What we can expect from effective mitigation measures is a reduction in severity and magnitude. To help companies who are faced with this difficult situation, there are proven and recommended steps that follow best practices in cybersecurity fundamentals. The place to start is to prioritize what needs to be kept, and possibly improved with more focus and diligence.

The key areas to sustain and consider strengthening include:

  • Vulnerability Management
  • Access Controls
  • Anti-malware Defenses
  • Third-party Risk Assessments
  • Incident Planning, Preparedness and Response

Vulnerability Management

As a first priority, begin with thorough software patch management and keeping up with software updates. The reason this is so important is that all cyber-attacks need an unpatched vulnerability or an outdated (unsupported) software version in order to work. The first step malicious attackers take in their planning is to run scans and identify opportunities in these areas. If unpatched items are identified quickly and resolved, it is very hard for an attacker to be successful.

The effort required for the patch management process is often underestimated. The first challenge is that there are hundreds of patches published monthly, multiplied by the number of all “computing devices” such as laptops, PCs, tablets, servers, etc. Patches are also needed on web browsers and all types of software. Another challenge is that once a patch is published, all potential attackers know about the vulnerability, so there is no time to waste in this process. Finally, to make this task more difficult to accomplish, patches often do not apply correctly when they are automatically distributed. There are many reasons for this, but it has become a necessity to have a scanning tool to find where patches are missing.

Auditors may only look for monthly or quarterly patching of high-priority vulnerabilities, but if your plan is to trim back your cybersecurity, scanning and patching needs to be done weekly and all patches applied. All end users can help support this effort by enabling automatic updates on every device they use.
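To show what the weekly scan described above actually has to produce, here is a small patch-gap audit written for this article (it is not the author's tool or any vendor's product). It runs over a constructed device inventory and a constructed list of current patch levels, flags every host whose installed version is behind, and sorts the gaps by how long the fix has already been public, since that is the window attackers are working in.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: four hotel devices with the software versions a
# scanning tool would report. Some auto-updates silently failed to apply.
INVENTORY = {
    "front-desk-pc-01": {"browser": "89.0", "pms-client": "4.2.1"},
    "front-desk-pc-02": {"browser": "88.0", "pms-client": "4.2.1"},
    "kiosk-07": {"browser": "85.0", "pms-client": "4.1.0"},
    "db-server-01": {"browser": "89.0", "pms-client": "4.2.1", "dbms": "12.3"},
}

# Constructed patch levels: current version and the date the patch was published.
PATCH_LEVELS = {
    "browser": ("89.0", date(2021, 2, 24)),
    "pms-client": ("4.2.1", date(2021, 2, 10)),
    "dbms": ("12.4", date(2021, 2, 16)),
}

TODAY = date(2021, 3, 1)  # constructed audit date


def version_tuple(version: str) -> tuple:
    """Compare dotted versions numerically so that 10.0 > 9.0."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Gap:
    host: str
    product: str
    installed: str
    current: str
    days_public: int  # days since the fix was published


def find_patch_gaps(inventory, patch_levels, today) -> list:
    """Return every host/product pair behind the current patch level."""
    gaps = []
    for host, software in inventory.items():
        for product, installed in software.items():
            if product not in patch_levels:
                continue  # no patch data for this product; nothing to compare
            current, published = patch_levels[product]
            if version_tuple(installed) < version_tuple(current):
                gaps.append(Gap(host, product, installed, current, (today - published).days))
    # Longest-public fixes first: those are the ones attackers have had time to weaponize.
    gaps.sort(key=lambda g: (-g.days_public, g.host, g.product))
    return gaps


def hosts_missing_any_patch(gaps) -> list:
    """Distinct hosts that need attention this week, alphabetically."""
    return sorted({g.host for g in gaps})
```

Running the audit weekly and treating every entry in the list as a ticket, not just the oldest ones, is the "all patches applied" discipline the text calls for.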

Access Controls

The next fundamental area to defend is access controls, particularly passwords or login credentials. Automated hacking tools can identify a password in a few minutes or less. Lengthier and more complex passwords take longer to crack, but the sad truth is that all passwords can be compromised. Most people struggle with creating and remembering passwords, so having many passwords is overwhelming. The best approach is to give each person who uses technology their own individual password manager; it is money well spent.

Along with a password manager, use of a two-factor login feature will make it very difficult for accounts to be compromised. Two-factor logins send a unique code to a cell phone, email, etc., which must be entered to gain access. The scope of implementation can vary. At a minimum, make sure that IT system administrators and anyone working remotely have a two-factor feature. Ideally, provision two-factor logins to all internal technology users and to all guest websites where confidential information is stored.

Another essential access control is to deploy and maintain firewalls. There are different types of firewalls depending on the IT architecture you have, and they range from very basic to feature-rich, but they all serve the purpose of blocking or permitting incoming and outgoing connections to the Internet using a set of rules. Make sure that you not only have firewalls appropriate to your needs but that you also have a qualified person to make ongoing changes and manage firewall maintenance requirements.

Malware Defenses

Malware continues to be a significant threat, especially in the hospitality industry, and is used for ransomware and theft of personal data. There are numerous entry points and methods for malware to infiltrate a system. Anti-virus protection is essential. For stronger protection, an advanced application whitelisting tool will block malware, ransomware and zero-day viruses. This type of technology also provides protection from attacks that use a strategy called “Living off the Land” (LotL), where a malicious hacker gains unauthorized access and then explores the environment using existing software utilities and applications to carry out an attack.

Third-Party Risk Assessments

In 2020, the cybersecurity world was stunned by a wide-scale global attack that used a trusted software system for day-to-day IT operations. This emphasizes the need to step up attention to managing third-party risks. And with the rapid growth of cloud-based applications from third parties, this is more critical than ever before.

Experience has shown that it is not effective to send security questionnaires to third parties, and any security risk assessment tends to fail if a new contract or renewal does not require security approval first. Approaches that tend to work as contractual requirements include the following:

  • “Pen testing” is performed on third-party software. Network pen testing is performed on access controls provided by the vendor. These tests should be carried out annually or whenever there is a major change such as a new software version, new system, etc.
  • Require audit reports or certifications such as ISO 27001 and a PCI Attestation of Compliance (AOC). Cloud providers can provide proof of registration with the Security, Trust, Assurance and Risk registry (STAR) published by the Cloud Security Alliance (www.cloudsecurityalliance.org).

A well-managed, risk-based approach will position an organization so that incidents that occur will be minor, but the “fire station” must be prepared to roll out and respond to any size or type of incident.

Incident Planning, Preparedness & Response

Training on and review of the plans, including specific scenarios, can equip senior executives and all employees to handle a serious situation well. Common pitfalls are in the areas of communication, including:

  • Employees failing to report indications of an incident
  • Failing to notify insurance carriers early which may be a requirement for coverage
  • Failing to alert legal counsel immediately to establish privileged communications
  • Mismanaging messaging to customers, employees and the public

System backups and other related IT recovery processes and procedures are vital to being prepared for an incident. Simple information documents with home or alternate contact details of the people needed in a response can make a difference in acting quickly, especially if normal communication channels are unavailable or compromised.

Overall, these are the mitigation measures that should be prioritized along with the people who know how to manage these processes and use the technology tools. Much of this effort is not sophisticated or onerous. The critical success factor is to not let any of these security measures lapse.

Lynn Goodendorf is a cybersecurity expert whose previous roles include group information security officer with the Mandarin Oriental Hotel Group and corporate risk and chief privacy officer with IHG. She currently serves as vice president of the Information Systems Security Association's (ISSA) Metro Atlanta chapter.