How much is your data worth?

Will Burton, Senior Associate at Anquan Limited explains why it is essential the hospitality industry is prepared for significant data breaches.

“Security is not a dirty word Blackadder!”

Since 2015 there have been at least 16 known major cyber attacks in the hospitality sector.  Companies such as Intercontinental, Marriott, Hilton, Starwood and the Mandarin Oriental have been affected and many more have gone unreported.

The EU Government Data Protection Regulation (GDPR) comes into force in May 2018 allowing the Information Commission’s Office (ICO) to fine UK companies up to 4% of their global annual turnover or £18m, whichever is the greater, for every data breach that occurs.

Major incidents such as the WannaCry and NotPetya ransomware attacks and breaches at Target, Home Depot, Sony and Tesco Bank forced the hidden world of cybersecurity into the mainstream.

Data protection is a serious issue for the hotel sector. Although incidents involving large hotel groups are most likely to reach the press, data breaches can happen in any hotel, regardless of size. If management and owners are not taking appropriate steps, a data breach is likely to occur at some point.

A standard data set within a hotel database typically contains details such as names, addresses, dates of birth and credit card details such information can be used to carry out credit card fraud making them agreeable targets for hackers.

In a recent survey by cyber security company CarbonBlack, 70% of respondents said they would potentially stop using a company following a data breach. Consequently, the impact to a business is likely to extend well beyond a fine.

It is no good reacting after an attack happens. Organisations need to review their data security policies and general IT requirements now.

In 2015 Synack, a cyber security company set up by two former NSA engineers, set up a ‘honeypot’ experiment which consisted of a computer server connected to the internet and nothing else. Within five minutes they registered unauthorised login attempts and over a 24 hour period there were more than 99,000 recorded attempts to breach the server.

So in the face of such adversity what can be done? Clearly there should be robust IT systems in place to prevent data breaches and many of the larger hospitality companies will use IT providers who should ensure systems are properly maintained and promptly updated. For those who don’t a fine of €20m and the resulting bad press could easily be the death knell.

Some might argue that a typical hacker would be aiming to hit large organisations given the greater chance for financial gain. However viruses come in many shapes and sizes and by their very nature are able to pass across networks, infecting as many terminals as possible, so in attacking one system there may be significant collateral damage across other organisations as a result.

Awareness is probably the greatest hurdle to clear first. The government was recently criticised for running ten independent campaigns on cybersecurity awareness. The task is significant and while running these campaigns may not be the answer it does at least indicate there is a desire to build awareness of the threat by central government.

It is no good reacting after an attack happens. Organisations need to review their data security policies and general IT requirements now. Crisis response training for senior management teams is a good way to build a sensible plan in case of a major cyber incident. This way communications are planned and considered, which is fundamental in such a situation. The more that organisations can do to prove they have been responsible will help them in the event of an ICO investigation following a breach.

This is not a world that is removed from normal business any more – companies need to improve their working practices in the context of cybersecurity. This could help level a dangerous playing field that seems to be weighted, at this stage, in favour of the attacker.