The Misconception of Cyber Security
This week EP held a stimulating breakfast session on the importance of cyber security and why the hospitality industry needs to be prepared.
The event, which took place at The Royal Institution of Great Britain, was kindly sponsored by IndiCater, who strongly want to support this essential area.
Security expert Will Burton, from Anquan, was the main speaker for the session, which included breakfast and networking. Anquan is a specialist firm dedicated to addressing the challenges of security and defence in a connected world. The greatest challenge now in any industry is awareness and training, and companies need to be proactive in telling their staff what to be aware of. The government has been criticised for having ten different awareness campaigns, which means the message is mixed and often ignored.
Will began the discussion by explaining the various ways in which companies can be at risk from a cyber attack. He explained that records and data are often the first layer of attack, and that this data may then be sold on to parties wishing to steal from bank accounts directly.
Will also introduced the technique of Footprinting, which is the name for the method of gathering as much information about the target as possible. Open source intelligence sources such as LinkedIn are just one possible area for sourcing the key information needed for an attack.
Will went on to explain Spear Phishing – an email spoofing attack. We may all argue we are aware of these, but it is surprising to discover how many companies have been caught out, particularly on Friday afternoons when their guard is down.
There are many ways a business can be targeted and the hospitality industry must be prepared given the amount of data that companies can hold. The industry is susceptible to cyber attacks and companies need to protect themselves. In today’s world, there is no excuse for not being ready and protected. It is not just the big players but companies of all sizes that are targeted.
IndiCater, whose software supports hospitality businesses, are keen to support this area, especially in light of the EU General Data Protection Regulation (GDPR) coming into force on the 25th May 2018.
This complex set of regulations will mean businesses must report all data breaches – these can range from small instances such as leaving a memory stick on a train to more serious attacks. Anquan highlighted the importance of getting cyber insurance for those who do not have it.
Many hacks exploit the human elements within organisations and so it is possible, with training and awareness, to mitigate some of the threats without the need to spend enormous sums on technology. Additionally, third-party solutions such as EPOS systems have been attacked on several occasions, with hackers seeking to harvest customer data across a number of organisations – a notable recent example being the attack on the Sabre software system.
The feeling in the room was that many businesses have suffered attacks as a result of not being prepared but have kept the news secret in a bid to ensure their reputation remains intact. Anquan argued that we know of at least 16 major data breaches in the hospitality industry since 2015, including InterContinental, Marriott, Hilton, Starwood and the Mandarin Oriental.
The breakfast session was held at the RI (The Royal Institution of Great Britain) known for its devotion to scientific education and research. The venue provides the perfect location for events and delicious catering.
Changing people’s mindsets is what is required to ensure they understand the threats that are faced. Other questions raised during the session included how employees should treat their social media channels, and how businesses can control them anyway: are they personal or business?
An important point was made that this is not a scaremongering exercise but a real threat. A comment made during the morning was that in 2015 around $158bn was stolen through cyber crime, and that you are 20 times more likely to be hacked than mugged.
The question was posed to the room: who currently feels comfortable and prepared? Only one person said they felt personally ready, and that was only because they pay a software company a fee to provide them with relevant data on their personal risk profile.
The key takeaway from the engaging session was that this is not a world that is removed from normal business any more – companies simply need to improve their working practices in the context of cyber security and work with security professionals to build a cyber crisis response plan so that in the event of an attack they can keep their business running.