Headlines about yet another hotel being hacked have become commonplace, and the statistics look grim. A staggering 64% of US citizens have already had to deal with stolen data. Hotel phishing has become far too common.
Hotels are ideal targets because of the volume of sensitive data they process every day (guest identities, payment cards, travel plans) and the technology they run. The many high-profile breaches of recent years signal that a lot of them do not have the right cybersecurity controls in place.
What’s even more worrisome, 56% of those breaches weren’t discovered for months!
Avoiding phishing attempts altogether is impossible, but lowering the risk of falling for one is not. Here are five ways to detect and avoid phishing scams.
#1 Staff Training
Hotels often skip cybersecurity training in favour of investing elsewhere, yet a single successful phishing email can lead to a breach that tanks their reputation and customer trust, and can bring heavy regulatory fines on top.
Because email is the primary vector attackers use for hotel phishing, your employees need to be able to recognise such attempts right away.
A single click is enough to infect a system. Verizon's Data Breach Investigations Report found that internal actors were involved in 34% of breaches. Every misclick is another chance for your hotel to be breached.
Cybersecurity training for the hotel staff must be a top priority.
When staff members know how to detect a suspicious email, check the sender and double-check all domain names, the risk of them clicking on it becomes considerably lower.
#2 Have an External Mail Warning System
Crafting a convincing hotel phishing email is easier than ever, because staff and managers share so much personal and professional information online that an attacker can borrow real names, roles and events.
A well-constructed phishing email can look like a genuine company email from a well-known staff member.
An external email warning system helps identify suspicious emails by displaying a warning when the email originates from an external source.
This prompts staff to double-check the sender and the actual address before opening the mail or clicking a link, and to report suspicious messages to the IT office.
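The following is an added example, not code from the original article or from any product it mentions, of the checks a mail gateway performs before adding such a banner: is the sender outside the organisation, does the sender's domain merely imitate ours, does a display name belong to a known staff member while the address does not, did SPF/DKIM fail, and does Reply-To point somewhere else. The hotel domain, the staff directory and both messages are constructed for this example.

```python
"""Added example: tag inbound mail that comes from outside the hotel and flag the
usual impersonation tricks. Not the page's own code. The hotel domain, the staff
directory and both sample messages below are constructed for this example."""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"grandhotel.example"}            # assumed hotel domain
STAFF_DIRECTORY = {                                   # assumed staff directory
    "maria lopez": "m.lopez@grandhotel.example",
    "tom baker": "t.baker@grandhotel.example",
}
# Digit-for-letter swaps attackers use when registering lookalike domains.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# spf=fail/softfail or dkim=fail/none in the gateway's Authentication-Results header.
AUTH_FAIL_RE = re.compile(r"\b(spf=(fail|softfail)|dkim=(fail|none))\b")


def sender(msg):
    """Return (display name, address, domain) from the From header, lower-cased."""
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.strip().lower(), addr, domain


def is_lookalike(domain):
    """True when a foreign domain resembles one of ours once the usual
    digit-for-letter swaps and hyphens are removed (e.g. grand-h0tel.example)."""
    if domain in INTERNAL_DOMAINS:
        return False
    normalised = domain.translate(LOOKALIKE_MAP).replace("-", "")
    return any(normalised == d.replace("-", "") for d in INTERNAL_DOMAINS)


def analyse(raw_message):
    """Return the warnings a mail gateway should attach to this message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr, domain = sender(msg)
    warnings = []
    if domain not in INTERNAL_DOMAINS:
        warnings.append("EXTERNAL: this message did not originate inside the hotel")
    if is_lookalike(domain):
        warnings.append(f"sender domain '{domain}' imitates one of ours")
    expected = STAFF_DIRECTORY.get(name)
    if expected and addr != expected:
        warnings.append(f"display name '{name}' is a staff member but address is {addr}")
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    if AUTH_FAIL_RE.search(auth.lower()):
        warnings.append("SPF/DKIM check failed or missing for this message")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        warnings.append(f"replies would go to {reply_to.lower()}, not to the sender")
    return warnings


def tagged_subject(raw_message):
    """Subject line as the staff member sees it: prefixed when anything is flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    return f"[EXTERNAL] {subject}" if analyse(raw_message) else subject


# Constructed sample messages (not real mail).
GENUINE = """\
From: Maria Lopez <m.lopez@grandhotel.example>
To: frontdesk@grandhotel.example
Subject: Tonight's arrivals
Authentication-Results: mx.grandhotel.example; spf=pass; dkim=pass

List attached.
"""

SPOOFED = """\
From: Maria Lopez <m.lopez@grand-h0tel.example>
Reply-To: accounts@gmail.example
To: frontdesk@grandhotel.example
Subject: Urgent: update supplier bank details
Authentication-Results: mx.grandhotel.example; spf=pass; dkim=none

Please change the payment details for our linen supplier today.
"""

if __name__ == "__main__":
    for raw in (GENUINE, SPOOFED):
        print(tagged_subject(raw))
        for warning in analyse(raw):
            print("  -", warning)
```

The genuine message produces no warnings; the spoofed one is flagged five times (external, lookalike domain, staff name on a foreign address, missing DKIM, diverted replies). In a real gateway the banner text would be prepended to the body as well as the subject, and the staff directory would come from the identity provider rather than a literal.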
#3 Sandbox Links and Attachments
A sandbox opens links and attachments in an isolated environment, so they can be executed without risking the security of your network.
If the sandbox detects malicious code or a malicious link, the system warns the user and strips the attachment or link so the user and your systems stay safe.
#4 Keep Your Network Secure
Run antivirus and anti-malware software on all devices and keep it updated, and put a commercial firewall at the network edge.
Keeping your main network inaccessible to outside devices will reduce the vectors of attack.
Have a separate network for your guests, and keep staff's personal devices on a separate network too, so that neither can reach the systems that hold guest and payment data.
#5 Stay Informed About Phishing Techniques & Have Procedures In Place
New phishing scams appear all the time, so make sure your IT department follows all new developments closely. Ask them to regularly send internal newsletters on threats and distribute them to everyone.
Plus, make sure you have strict procedures for payments and authorising new transactions. For example: a change of bank details must be confirmed with the vendor over the phone, using a number you already have on file rather than one from the email; requests for money are escalated to a higher management level; and links aren't clicked unless they are expected.
Hotels Must Be Hypervigilant
The reason why so many hotels fall victim to hotel phishing attacks is the lack of updates to their systems, operations, and standards.
When coupled with lack of staff training and monitoring solutions, a data breach might already be in progress without them having the slightest clue about it.
Cybersecurity is an important topic for any business now. In the last 12 months, 32% of businesses experienced some sort of cyber attack or data breach; that is roughly every third business, according to the Cyber Security Breaches Survey 2019 by the UK Department for Digital, Culture, Media and Sport. Every business should therefore prepare for ransomware and other types of cyber-attack.
Keeping your assets secure needs much more than installing firewalls and antivirus software. Today's threats are sophisticated and use every loophole in your security configuration to get in. Among the different types of attack, ransomware is one of the most damaging that businesses have to deal with.
What’s a Ransomware Attack?
Ransomware is malware that takes over a computer or whole systems, typically by encrypting the files, and denies access until you pay a ransom. The demand is usually for cryptocurrency such as Bitcoin, because it is much harder to trace than a bank transfer.
It is one of the most dangerous types of attack, as it can stop a business dead in its tracks. If the ransom is not paid by the deadline, the attackers threaten to destroy the decryption key, which leaves the data permanently unreadable.
This is bad enough if it happens to an individual. Imagine this happening to your company – you will lose all business and operational data, and you’ll have to start all over again. Some businesses never recover.
Preparing for a Ransomware Attack
The bad news about ransomware? It can happen to anyone, and once your files are encrypted, your options are limited.
But you can prepare for it. Here’s how:
Data backup should be your number one priority.
It can save you thousands or even millions, but it has to be done right, by protecting the backup storage itself. Ransomware attacks are carefully executed, and attackers will often have had access to your systems for weeks or months before they strike.
Why? Because they want to make sure they hijack everything, including any backups you might have.
This is why you should keep backups in another location. Follow the 3-2-1 rule: three copies of your data, on two different media, with one copy off-site. Cloud backups are a good off-site copy, but keep at least one backup offline, completely disconnected from any network, because an attacker holding your credentials can reach cloud backups too. And test a restore regularly; a backup that has never been restored is an assumption, not a safeguard.
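One concrete way to "do backups right" is to record a hash manifest at backup time and check every copy, and every restore, against it; an attacker who quietly encrypts or deletes files in the backup share is then caught before you need the backup. The script below is an added example, not the article's own code: it builds the manifest with SHA-256 and verifies a copy, using a data set it constructs in a temporary directory and tampers with to simulate ransomware.

```python
"""Added example: a SHA-256 manifest that proves a backup copy still matches
what was backed up. Not the page's own code; the files and the tampering below
are constructed in a temporary directory for the demonstration."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_copy(manifest, copy_root):
    """Compare a backup copy (or a restore) against the manifest taken at backup
    time. Returns a sorted list of problems; an empty list means the copy is intact."""
    current = build_manifest(copy_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")   # e.g. a ransom note dropped in
    return sorted(problems)


def demo():
    """Back up a constructed data set, then simulate ransomware touching the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2019-q1.csv").write_text("inv,amount\n1,100\n")
        (live / "guests.db").write_bytes(b"\x00" * 4096)

        manifest = build_manifest(live)                 # record at backup time
        backup = Path(tmp, "backup")
        shutil.copytree(live, backup)
        assert verify_copy(manifest, backup) == []      # a fresh copy is intact

        # What an attacker with access to the backup share typically does.
        (backup / "invoices" / "2019-q1.csv").write_bytes(b"ENCRYPTED")
        (backup / "guests.db").unlink()
        (backup / "README_TO_DECRYPT.txt").write_text("pay us")
        return verify_copy(manifest, backup)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

The manifest is only useful if it is kept with the offline copy or somewhere the attacker cannot rewrite it; a manifest stored next to the backup on the same share can be regenerated by whoever encrypted the files.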
Make sure IT keeps all systems and software up to date.
Although updates are often a hassle, they exist for a reason. Most updates are released to take care of security vulnerabilities. When software and operating systems are not updated, you are basically inviting hackers to access your systems. Your IT department should ensure every device is up to date.
Start implementing user restrictions.
Not all of your employees need access to all your data. Ask your IT provider to implement user restrictions so that your employees have access only to data they need. In case they need more, they can request special and temporary access that is revoked as soon as they don’t need it anymore. This way, in case their accounts are compromised, the breach will be limited.
Invest in monitoring software.
You can get powerful software solutions that can monitor your whole systems for suspicious activity. This goes beyond the regular antivirus monitoring – it can monitor what users are doing, what data they are accessing, and alert you in case something is out of the ordinary.
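What "alert when something is out of the ordinary" looks like in practice, as an added example that is not the article's own code: detection logic run over file-server access logs. It flags the three signals ransomware leaves behind, a burst of writes or renames from one user within a minute, files renamed to a known ransom extension, and a ransom note being created. The log format, the extension and note-name lists, and all log lines are constructed for this example.

```python
"""Added example: detection logic over file-server access logs that flags the
pattern ransomware leaves behind. Not the page's own code; the log format,
extension list, note names and every log line are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = {".encrypted", ".locked", ".crypt"}              # assumed list
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover.txt"}  # assumed list
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20   # write-like events per user per window before we alert

# Assumed log format: "<ISO timestamp> <user> <READ|WRITE|RENAME|CREATE> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>READ|WRITE|RENAME|CREATE) (?P<path>.+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["action"], m["path"]


def detect(lines):
    """Return one alert per (user, signal); a clean log yields an empty list."""
    alerts, fired = [], set()
    recent = defaultdict(deque)      # user -> timestamps of recent write-like events

    def fire(ts, user, signal, detail):
        if (user, signal) not in fired:             # one alert per user and signal
            fired.add((user, signal))
            alerts.append(f"{ts.isoformat()} {user} {signal}: {detail}")

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                # malformed lines are skipped
        ts, user, action, path = rec
        name = path.rsplit("/", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""

        if action in ("RENAME", "CREATE") and ext in RANSOM_EXTENSIONS:
            fire(ts, user, "ransom-extension", path)
        if action == "CREATE" and name in RANSOM_NOTE_NAMES:
            fire(ts, user, "ransom-note", path)
        if action in ("WRITE", "RENAME", "CREATE"):
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:         # keep only the last WINDOW of events
                q.popleft()
            if len(q) >= BURST_THRESHOLD:
                fire(ts, user, "write-burst",
                     f"{len(q)} modifications in {WINDOW.seconds}s")
    return alerts


# Constructed sample log (not real data): normal activity, then a ransomware burst.
NORMAL_LOG = [
    "2019-09-03T08:01:10 alice READ /srv/finance/q3.xlsx",
    "2019-09-03T08:04:52 alice WRITE /srv/finance/q3.xlsx",
    "2019-09-03T08:30:00 carol CREATE /srv/hr/onboarding-2019.docx",
    "2019-09-03T08:31:15 bob READ /srv/hr/policies.pdf",
]
RANSOMWARE_LOG = NORMAL_LOG + [
    f"2019-09-03T09:15:{i:02d} bob RENAME /srv/hr/file{i:02d}.docx.encrypted"
    for i in range(25)
] + ["2019-09-03T09:15:30 bob CREATE /srv/hr/README_TO_DECRYPT.txt"]

if __name__ == "__main__":
    for alert in detect(RANSOMWARE_LOG):
        print(alert)
```

The burst rule is the one that matters most, because it does not depend on knowing the extension or note name of the next ransomware family; the other two are cheap confirmations. The threshold has to be tuned against a baseline of what normal users on your file server do, or a nightly batch job will page you every night.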
Don’t forget about employee training.
No matter what type of security software and solutions you utilise, if your employees are not aware of best practices on cybersecurity, you’re always just one bad click away from a ransomware attack. Make sure your employees know how to spot suspicious email, and know that they should never click on the links in such emails or download attachments.
Work on your BYOD policies.
Many businesses, especially small- and medium-sized ones, often allow employees to bring their own devices (BYOD) to work. Without a good policy in place, however, this becomes a security issue.
If an employee brings an infected device and connects it to the same network, you're looking at a possible spread of infection, ransomware included, to all other devices and the whole system. Because of this, any device connecting to your systems should be up to date, run antivirus software, and be checked by the IT department regularly. This goes for smartphones too.
First Steps After a Ransomware Attack
1. Take a photo of the note
This helps IT determine what type of ransomware you're dealing with: the note's wording and the extension added to the encrypted files identify the family, and for some families free decryptors exist.
2. Determine the extent of the attack
Your IT provider should be able to determine whether the ransomware has infected a single device, or if the infection is spreading through your network.
3. Isolate infected devices and disable sharing
All infected devices should be disconnected from the network (pull the cable, disable Wi-Fi) to stop the spread, and any active file sharing or network shares should be disabled immediately.
4. Notify employees
Send an email to all employees so that they can report whether their devices are working. Those who can work can continue, but those affected can help in other areas while IT deals with the issue.
5. Let IT remove ransomware from infected devices
IT should wipe and rebuild infected devices completely rather than trying to clean them. Sometimes a local backup or volume shadow copy on the device can help, but most ransomware deletes shadow copies before encrypting, so don't count on it.
6. Restore data from backups
Once you reinstall the operating systems, your IT can restore data on affected devices from a cloud or offline backup.
To Pay or Not to Pay?
If you're not prepared and have no backups, you might be tempted to pay. Take this year's ransomware attack on the City of Baltimore's government: the infection disrupted a large number of city services for weeks.
The attackers demanded about $76,000 in Bitcoin. The city refused to pay, only to realise that many of its systems weren't backed up. It lost large amounts of data, and the attack ended up costing an estimated $18 million.
It seems that in the case of Baltimore, it would have been much better if they simply paid the ransom. Well, not really.
You’re dealing with criminals. Even if the city paid the ransom, there’s no guarantee that they would have gotten the access back. If they did, they would have become a prime target for future attacks too, since they paid the ransom already. This is why it’s so important to prepare – it will minimise damages.
Everyone is at risk of a ransomware attack. Preventing it is next to impossible, but preparing for it is more than possible. Your IT provider should back up your data regularly, and you should make sure your employees know how to spot phishing attempts. When you prepare for a ransomware attack properly, you minimise its impact and spare yourself monetary and reputational damage.
Data protection is more important than ever, but also much harder to achieve. It used to be fairly simple to protect data storage from hacking when data was saved only on-premises and access was limited.
Today, data storage and access are more dispersed. Remote employees, cloud storage solutions, BYOD policies, and access via multiple devices from anywhere make data protection seem like an impossible goal.
It’s important to understand that a data breach is a business issue, not just an IT issue.
To make sure your company and customer data are safe, you will have to protect data storage from hacking attempts. The following data storage safety practices will help you achieve a high level of data security and compliance.
1. Use strong passwords
The most common way data storage gets hacked is through weak or shared passwords. Would you ever store thousands of dollars behind a simple "0000" or "12345" code? No.
The data you are trying to protect is worth even more than that, so make sure that anyone with access to it has a strong, complex, and unique password.
Weak passwords are present in almost every organisation and can cost corporations millions in damages because of data breaches.
To keep attackers out, have a proper password policy in place. All passwords that provide access to data should have a minimum of 12 characters and shouldn't be complete dictionary words.
Use a combination of upper- and lowercase letters, numbers, and symbols. The password should not have personal meaning – no names, addresses, dates, or anything that can be unearthed on social media.
Passwords should also be changed whenever there is any suspicion of compromise. A fixed rotation such as every 6 months is still common policy, but current NCSC and NIST guidance no longer recommends forced periodic changes, because they push users toward predictable variations; if you do rotate, make sure each new password is still strong and unique.
2. Add Two-Factor Authentication
Additional authentication protocols should be a standard practice to protect data storage from hacking.
If your first authentication layer, the username and password, ends up in the wrong hands after a successful phishing attack, the second layer in the form of two-factor (or multi-factor) authentication keeps the data out of reach.
After checking the credentials, the authentication server prompts the user for a one-time code. The code is usually delivered via SMS or generated by a phone authenticator app; some services also offer it by phone call. Prefer the authenticator app or a hardware token where you can: SMS codes can be intercepted through SIM-swap attacks and are the weakest option.
3. Include Session Timeouts / Auto Disconnects
To counter abandoned login sessions that somebody else could pick up on a shared device, incorporate session timeout routines into your data storage servers.
These routines will automatically disconnect the user from all inactive sessions.
For example, if the user accessed your data storage but has been idle for the last 15 minutes, they will be logged out. When they come back, they will be prompted to log back in again.
This security measure is especially valuable if your staff has access to data storage from shared, remote (and potentially unsafe) locations.
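Here is the timeout routine described above as an added example, not the article's own code: a server-side session store that keeps the 15-minute idle limit the text uses, adds an absolute lifetime (8 hours is an assumption) so that constant activity cannot keep a session alive forever, and revokes the session on the server so a stolen token stops working the moment it expires.

```python
"""Added example: a server-side session store with an idle timeout and an
absolute lifetime. Not the page's own code; the 15-minute idle limit is the one
the text uses, the 8-hour absolute limit is an assumption."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap, so activity cannot extend a session forever


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Sessions live server-side; the client only holds an unguessable token."""

    def __init__(self, clock=time.time):
        self._clock = clock         # injectable so expiry can be tested deterministically
        self._sessions = {}

    def create(self, user):
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token):
        """Return the user for a live session and refresh its idle timer.
        Expired or unknown tokens return None and are removed."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]           # revoke; the client must log in again
            return None
        s.last_seen = now
        return s.user

    def revoke(self, token):
        """Explicit logout: forget the session immediately."""
        self._sessions.pop(token, None)

    def active_count(self):
        return len(self._sessions)


class FakeClock:
    """Controllable clock for the demonstration below."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """What validate() answers at each step of a typical timeline."""
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.create("frontdesk-1")
    steps = []
    clock.advance(14 * 60); steps.append(store.validate(token))   # 14 min idle: still valid
    clock.advance(14 * 60); steps.append(store.validate(token))   # activity reset the timer
    clock.advance(16 * 60); steps.append(store.validate(token))   # 16 min idle: logged out
    steps.append(store.validate(token))                            # and it stays gone
    return steps


if __name__ == "__main__":
    print(demo())   # ['frontdesk-1', 'frontdesk-1', None, None]
```

The same two timers belong in the cookie as well (`Max-Age`, plus `Secure` and `HttpOnly`), but the server-side check is the one that counts: a client can ignore cookie attributes, it cannot resurrect a session the server has forgotten.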
4. Use encryption for all documents and emails
Encryption helps protect data storage from hacking because in the event it ever falls into the wrong hands, they won’t be able to read it.
When you encrypt data, it is transformed into ciphertext that looks like a string of random characters. The only way to make it readable again is to turn it back into its original form with the right key.
The larger the key, the more computational power is needed to brute-force it. The rule of thumb is to use services that offer AES with a 256-bit key (or equivalent strength); bear in mind that a strong cipher does nothing for you if the key is stored next to the data or shared carelessly.
In order to ensure you have encrypted all sensitive documents, you should use a data protection solution that covers data discovery and sharing. Microsoft’s Azure Information Protection is such a system, and can be used to discover all your data, apply labels that determine how sensitive data is, and then apply rules on data access. The system will find all locations where data is stored and help you migrate it to a safer, centralised location.
Because such systems also include email encryption, it also helps you keep data safe in case of mishaps. For example, if somebody accidentally sends an email with sensitive data to the wrong recipient, the recipient won’t be able to read the data without first having proper authorisation.
5. Limit Access to Data Storage
In order to protect data storage from hacking, you have to limit access to data to inside actors too.
The more people have access to sensitive and classified data, the higher the risk of data falling into the wrong hands.
Your employees should have access only to data that’s essential to their role in the company.
When employees need to access data only occasionally, it's better to have procedures that authorise access temporarily, with an approver and an expiry, rather than giving them unlimited access.
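The access model described here and in the ransomware section above ("employees have access only to data they need" plus "special and temporary access that is revoked as soon as they don't need it anymore"), as an added example that is not the article's own code. Roles carry standing permissions; anything outside a role is a time-limited grant that needs a different approver, is logged, and expires on its own. The roles, permissions and users are hotel-flavoured assumptions.

```python
"""Added example: role-based permissions plus approved, time-limited grants for
the occasional need. Not the page's own code; the roles, permissions and users
are constructed for a hotel and are assumptions."""
from datetime import datetime, timedelta

ROLE_PERMISSIONS = {                     # assumed roles for a hotel
    "front_desk": {"reservations:read", "reservations:write", "guest_profiles:read"},
    "finance":    {"invoices:read", "invoices:write", "card_tokens:read"},
    "it_support": {"audit_log:read"},
}
MAX_GRANT_MINUTES = 8 * 60               # a temporary grant never outlives one shift


class AccessControl:
    def __init__(self, clock=datetime.utcnow):
        self._clock = clock              # injectable for deterministic tests
        self._roles = {}                 # user -> set of role names
        self._grants = {}                # (user, permission) -> expiry datetime
        self.audit = []                  # every grant, expiry, revocation and denial

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self._roles.setdefault(user, set()).add(role)

    def grant_temporary(self, user, permission, minutes, approved_by, reason):
        """Just-in-time access: expires on its own, needs a different approver, is logged."""
        if approved_by == user:
            raise ValueError("a user cannot approve their own access")
        if minutes > MAX_GRANT_MINUTES:
            raise ValueError("temporary grants are capped at one shift")
        expiry = self._clock() + timedelta(minutes=minutes)
        self._grants[(user, permission)] = expiry
        self.audit.append(f"GRANT {user} {permission} until {expiry.isoformat()} "
                          f"by {approved_by}: {reason}")

    def is_allowed(self, user, permission):
        if any(permission in ROLE_PERMISSIONS[r] for r in self._roles.get(user, ())):
            return True
        expiry = self._grants.get((user, permission))
        if expiry is not None:
            if self._clock() < expiry:
                return True
            del self._grants[(user, permission)]          # revoke on first use after expiry
            self.audit.append(f"EXPIRED {user} {permission}")
        self.audit.append(f"DENY {user} {permission}")
        return False

    def revoke(self, user, permission):
        """Revoke early, e.g. when the task finishes before the grant expires."""
        if self._grants.pop((user, permission), None) is not None:
            self.audit.append(f"REVOKE {user} {permission}")


def demo():
    """A front-desk user who briefly needs to read invoices."""
    now = [datetime(2019, 9, 3, 9, 0)]
    ac = AccessControl(clock=lambda: now[0])
    ac.assign_role("alice", "front_desk")
    results = [ac.is_allowed("alice", "reservations:read"),   # True: part of her role
               ac.is_allowed("alice", "invoices:read")]       # False: not her role
    ac.grant_temporary("alice", "invoices:read", 30,
                       approved_by="dan", reason="quarter-end reconciliation")
    results.append(ac.is_allowed("alice", "invoices:read"))   # True: within the grant
    now[0] += timedelta(minutes=31)
    results.append(ac.is_allowed("alice", "invoices:read"))   # False: grant expired
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, False]
```

The audit trail is not decoration: when an account is compromised, the list of grants tells you exactly what the attacker could have reached and for how long, which is the "breach will be limited" outcome the text is after.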
6. Use Safe Cloud Storage Solutions
Cloud storage keeps your data accessible at all times and is becoming the standard today. With so many employees working remotely and accessing data from multiple devices, there are many more vectors of attack.
To protect data storage from hacking while keeping it accessible and online, one option is a decentralised cloud.
Built on blockchain technology, such storage is not controlled by a single entity and data is not kept in one central location. Instead, data is encrypted and split into fragments spread across a large global network; when you need it, the fragments are reassembled and decrypted once you are authorised, with an encryption key or password. Whatever provider you choose, check that data is encrypted before it leaves your devices and that you, not the provider, hold the keys.
7. Educate Employees
You can invest in the best firewall, anti-spam, and antivirus software, but if your employees don’t know how to spot a potential threat, your attempt to protect data storage from hacking will ultimately fail.
Everyone in your company, be it the newest members of the team or senior executives, should go through regular education training. Ideally, they should learn about:
The latest threats, risks, and vectors of attack – suspicious email attachments, phishing attempts, how to spot a spoofed email address, and more.
Best practices when it comes to data security – Teach them about BYOD policies, unsafe public networks, being safe while accessing data from remote locations, etc.
How to use new security software you implement – Get them on board with new software solutions and teach them how to use them to avoid slowdowns and disruptions.
Your data security is only as strong as the weakest link. What’s your weakest link?
You’d be amazed at how easy it is to create a secure password in 2019 and yet so many people don’t!
Despite the increasing efforts that many websites put into security precautions, it’s a two-way street and users need to catch up and take responsibility too. Weak passwords are still a common way to hack someone, even in 2019.
The National Cyber Security Centre released a list of the most common weak passwords found by analyzing data from 100 million passwords leaked in data breaches.
The list is topped by "123456", which has held the primary spot for years. Other noteworthy entries near the very top include "000000" and "Iloveyou".
A Secure Password in 2019 Should Be Complex, Unique, and Random
The passwords above don't even meet the minimum requirements of what's considered a safe password nowadays. Today, a truly secure password has at least 12 characters, a mix of upper- and lowercase letters, numbers, and symbols, and is used for one account only.
Don’t think for a second that such passwords are bulletproof. They can also be cracked if you aren’t careful with how you create them.
Creating a Secure Password in 2019
The following ten tips will help you create a truly secure password in 2019 and avoid the most common mistakes that lead to breaches.
Avoid simple passwords like the ones on the list above
The fastest way your account will be compromised is by setting a weak password. While it’s bothersome to use all these safety measures like mixing cases and special characters, it’s more irritating to try to cancel credit card payments you never made.
Don’t use simple to guess data
Avoid using your name, the names of family members, or even the names of your pets, because this is a sure-fire way to be compromised in record time. Never use your username as a password either; that's another easy guess.
An easy way to reuse a password scheme without reusing the password itself is to shift each character a fixed number of keys on the keyboard. For example, if your password was "ThiSisS3cuRe" (This is secure), you can instead press the key one position to the left of each character: instead of "T" you press "R", and so on. This gives what looks like a completely random sequence, "RguAuaA2xyEw", and yet you know how you got it. Bear in mind that this only helps if the base password is already long and strong; a predictable transformation of a weak password is still weak.
Change passwords regularly
Many people experience a breach because they never change their passwords. Passwords get outdated quickly, and as time goes by, what was once considered complex can now easily be cracked and guessed.
Some services prompt you to change your password regularly, which is not a bad idea, but many users then choose a simple password to get it over with. That’s a bad practice, and however annoying you might find it, every password change should have a complex password.
Top Tip: Change your passwords every 6 months and set a reminder on your phone to do it so you don’t forget!
Use a different password for each account
Never use a master password for all your accounts. That increases risk in case of a breach. Imagine your business email or banking information is suddenly jeopardised because you used the same password as on some random and less secure site. Each account should have its own password.
Use randomly generated passwords
Chrome's built-in password manager, like most browsers and password managers today, offers to generate a random password instead of you thinking of one. This is convenient, but such passwords are hard to remember without a manager behind them.
Don’t write down passwords
You might find it convenient to write all your passwords on a piece of paper, or in a notepad. Be aware that any type of data that’s not encrypted is not safe. Usually, it’s considered okay for home users to write down passwords on a piece of paper so long as they are kept out of sight (and not taped to the computer!), but never do that at work, or you risk someone using your workstation for malicious intent.
Find a password manager that suits your needs
If you find it hard to remember all your passwords, use a password manager: software that remembers them so you don't have to. There are free and paid options, some online and some offline. Go through reviews to find the one that suits you.
Remember that you're storing all of your passwords in one place, so pick a manager that encrypts its vault, and protect it with a strong master password and two-factor authentication. If you only have a handful of passwords, you may not need one, but most people have far more than they can keep in their head.
Develop your own mnemonic system for passwords. One good way is to pick a sentence that reminds you of the password. For example, you have a pet cat and wish to base your password on it. Instead of using your cat's name with a few numbers, use a sentence such as:
"My cat Garfield loves lasagna." and then encode each part:
My cat Garfield = McG
Loves = <3
Lasagna = LsgnA
So your password will be "McG<3LsgnA". At ten characters that is still short of the 12-character minimum recommended above, so lengthen it, for instance by encoding a second clause of the sentence.
Use two-factor authentication
Reduce the risk further by using two-factor authentication in addition to a strong password. If somebody manages to crack or phish your password, the second factor stops them from logging in with it alone.
Such authentication is bound to a hardware token or a phone app that generates a (usually) six-digit code that rotates every 30 seconds and is unique to your account. Without this second step to prove it's really you, an attacker holding only your password can't get into the account. The remaining risk is a phishing site that relays the code to the real site in real time, which is why a code should only ever be typed into the genuine login page.
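The rotating six-digit code mentioned here and in the two-factor section of the data-storage article is TOTP (RFC 6238), built on HOTP (RFC 4226). The block below is an added example, not the article's own code, written with the Python standard library only: it shows how the code is derived from a shared secret and the current 30-second interval, and how a server should verify it (small clock-drift window, constant-time comparison, no replay of a counter that was already accepted). The secret it checks against is the published RFC test vector; everything else is an assumption.

```python
"""Added example: the TOTP algorithm (RFC 6238) that authenticator apps and many
hardware tokens implement, standard library only. Not the page's own code.
RFC6238_TEST_SECRET is the shared test secret from the RFC; all else is assumed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30            # seconds per code: RFC 6238's default and what apps use
DIGITS = 6

# The 20-byte ASCII secret the RFC test vectors use, in the base32 form that
# authenticator apps accept when you enrol a token.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret():
    """Fresh per-account secret; this is what the enrolment QR code carries."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """The counter is the number of `step`-second intervals since the Unix epoch."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // step, digits)


def verify(secret_b32, code, at=None, step=STEP, window=1, used=None):
    """Server-side check: accept the current step and `window` steps either side
    (clock drift), compare in constant time, and refuse to accept the same counter
    twice, so a code captured by a phishing page cannot be replayed."""
    t = int(time.time() if at is None else at)
    counter = t // step
    for drift in range(-window, window + 1):
        c = counter + drift
        if hmac.compare_digest(hotp(secret_b32, c), str(code)):
            if used is not None:
                if c in used:
                    return False           # replay of a code already spent
                used.add(c)
            return True
    return False


if __name__ == "__main__":
    secret = new_secret()
    print("enrol this secret in your app:", secret)
    remaining = STEP - int(time.time()) % STEP
    print("current code:", totp(secret), f"(valid for {remaining} more seconds)")
```

The `used` set is what turns "the code rotates" into an actual security property: without it, a code phished at second 5 of the interval still works for the attacker at second 25. In a real deployment that set lives in the user's record alongside the secret, and the secret itself is stored encrypted, because anyone who reads it can mint every future code.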
Cybersecurity Rests on You Choosing a Secure Password in 2019
Computer crime is on the rise and cybercriminals are developing clever ways to get sensitive information. Social engineering attacks are the most elaborate types of attacks.
They are a specific hacking method where attackers present themselves as trusted sources or individuals. Their goal is getting the victims to break security procedures and share sensitive information – either personally identifiable information (PII), or usernames, passwords, government-issued IDs, and more.
The attackers can then either impersonate the victim or gain access to a computer and network systems, and even physical locations.
Social engineering hacks are complex and involve several steps.
The attackers investigate their target and gather the information that will help them succeed, looking for the best attack method.
Then they work on gaining the trust of the target. They engage them, present a story, control interactions, and try to get the victim to break security protocol.
Once they get the information they need, they can execute the attack and then remove all traces and cover tracks.
The most successful social engineering hacks will end without the victim ever being aware of it or becoming suspicious about it.
The most well-known social engineering hack was probably the email scam from the Nigerian Prince that offered the recipients of the email monetary gain (in millions) if they help transfer money through their account, but to be eligible, they had to pay $10,000.
Social engineering is a common method used in cyberwarfare. It’s a gray area of many corporate giants and even spans across countries, with hackers being used for corporate espionage or working for the government in covert missions to swing the public opinion.
The most common types of attacks include:
Phishing – The attackers send emails or other digital messages while posing as reputable individuals or companies. The objective is to get the victim to visit a malicious site or install malicious software on their device, and ultimately to capture personal information, financial details, passwords, and accounts. Whaling is a form of phishing that targets senior executives, who have access to the most sensitive information.
Pretexting – The attacker impersonates a co-worker or an authority figure such as a police officer or bank official and, under the pretext of "confirming the victim's identity", asks questions that extract exactly the personal details needed to impersonate them.
Watering hole attacks – Attackers study their victims and pick a website the target group is known to visit. They look for vulnerabilities in that site, inject malicious code into it, and when the victim visits, the code installs malware on the victim's device.
These attacks are not limited to computers; mobile devices such as phones and tablets can easily be hacked too (often easier than computers), and mobile security should be addressed too since more than 30% of all attacks are targeting mobile.
Social Engineering Malicious Software Types
Hackers will use malware to successfully execute their attacks. Any type of software – program or file – that causes harm to the user or device is considered malware.
Malware can do numerous things, depending on how it was programmed. It can hijack a device, encrypt data, delete data, or monitor activity.
It’s most commonly delivered via phishing that takes users to infected sites or delivers infected email attachments.
Infected sites typically execute a drive-by download. This method doesn’t require a specific action from the user; the success relies on vulnerabilities of the operating system, browser, or app.
Viruses, trojans, worms, spyware are all part of malware.
Viruses are the most widely known type of malware: code that attaches itself to other programs or files and spreads to as many systems as possible. How dangerous a virus is depends on how fast it spreads and on its payload.
The payload is the part of the malware that does the damage; common payloads corrupt or destroy data. The highest threat comes from viruses that spread quickly and carry a powerful payload. To evade antivirus and anti-malware scanners, attackers often encrypt or pack the malicious code so that known signatures no longer match.
A payload may be triggered by a logic bomb. Logic bombs, also called slag code, are written to cause harm when certain conditions are met (or not met, depending on how they are programmed): a particular date or time, the deletion of some data, or the launch of an infected app.
Logic bombs can corrupt or delete data, or completely wipe whole hard drives.
Ransomware uses a similar trigger: if the victim does not comply with the demands before the deadline, they remain locked out of their devices and usually lose everything on the hard drives. Logic bombs are most often delivered as part of viruses, trojans, or worms.
Spyware is software installed without the user's informed consent that covertly collects information about them or their device. Not all of it is outright malicious (adware and some tracking components fall into this category), but it is often abused for malicious ends: getting access to databases and stealing sensitive information.
While it can be difficult to detect spyware, some indications that the device is infected are negative changes in computing power, speed, and in the case of mobile devices, battery drain.
Social Engineering Tools
Remote Access Tools
Remote access tools (RATs) give an attacker control of a device over the network. Remote access software has legitimate uses such as remote support, but attackers bundle their own versions inside what appears to be legitimate software. A rootkit is the component that hides the intrusion: it subverts the operating system so that the attacker's processes, files, and network connections don't show up in the normal tools.
Once the user grants the installer permission, the attackers get admin privileges on the device. The toolkit typically contains banking credential stealers, password stealers, keyloggers that record every keystroke to capture usernames, passwords and bank account data, antivirus disablers, and bots for distributed denial-of-service attacks.
Full disk encryption protects the data on a powered-off device, but it does not stop a rootkit installed on a running system. Bootkits go a step further: this type of rootkit infects the master boot record or the boot loader, subverts the boot process, and controls the system from the moment it starts. UEFI Secure Boot and measured boot are the defences against that.
Web shells give remote access to a web server, its files, and the underlying system through a web browser. Attackers can read, change, delete, or upload files as they please. They are used to steal data or to infect website visitors, and are a common ingredient of watering hole attacks.
Data Collection Tools
Screen scrapers can collect screen display data and display it on another. With this software, attackers can quickly collect everything someone has posted on social media and use that information to break into their accounts by posing as them.
A backdoor is a way into a system or device that circumvents the usual security measures. Developers sometimes leave backdoors in apps or operating systems for troubleshooting later. If attackers locate such a backdoor, they use it to bypass security and deliver malware; attackers also install backdoors of their own to keep access after the initial compromise.
Service Disruption Tools
Denial of service is a very common type of attack that’s used to prevent users from accessing services, devices or other resources. It can be used to attack networks, servers, or systems. The mechanism is to overload the focus of attack so it’s not possible to use it.
While many of these methods rely on getting access to devices, network security should not be forgotten. Some software tools are designed specifically to target vulnerabilities in networks.
Eavesdropping, also referred to as sniffing or snooping, is a type of attack that tries to steal information that’s being transferred over a network:
The attacker uses sniffing software on their own device to intercept communications and steal data.
Unsecured networks, such as public Wi-Fi, are perfect targets since so many devices connect to them.
Any device – computer, tablet, or smartphone – that is connected to the same network is vulnerable.
Why Are Social Engineering Attacks So Successful?
The basis of social engineering is psychological manipulation. Instead of relying solely on software vulnerabilities, social engineering relies on human error – that the victim will make a mistake and play right into the trap.
With so much information in the digital realm, internet security has become a crucial consideration not only for all businesses but for individuals too.
Since social engineering exploits rely on human error, it’s much harder for businesses to be completely secure from the threat.
Investing in computer security like antivirus software is not enough – one click from a single employee might be enough for attackers to gain access to all your systems.
The best thing businesses can do for their information security is to educate everyone about the latest security threats, the most common vectors of attack, and how to detect possible phishing attempts or infections.
With the right education, you will keep your emails and other sensitive business communications and data secure.
Cybersecurity is a vital part of every business that handles any type of sensitive data. With online threats becoming more diverse every day and regulation such as GDPR tightening, it is imperative that businesses stay on top of the latest cybersecurity developments for 2019.
Here are the most important things to consider when looking for ways to improve cybersecurity for businesses:
Hacking Is an Industry Now
Hacking has become a lucrative industry, with certain types of data being more valuable than others. Medical records, for example, are worth ten times more on average than credit card details.
Because there is so much money involved in hacking, it is not surprising that hackers are launching highly sophisticated attacks that are hard to detect and can be disruptive not only to normal business operations, but also to wider government-operated systems, like power grids for example. As such, hacking threats should be taken seriously, because a data breach can easily bring your business to a halt or end it altogether.
It’s Harder to Detect Breaches
Ponemon’s 2018 Cost of Data Breach Study states that it takes 197 days on average to detect a breach. After that, it takes another 69 days on average to contain it. This is a very long time for a breach to go undetected, costing businesses millions. For smaller companies, such a devastating breach could mean the end of their operations. Larger companies have an easier time recovering, but it still takes months or years.
Third-Party Apps and Vendors Are Common Vectors of Attack
With cloud computing being the new norm, it can be hard to confine sensitive data within an isolated data centre in your office. The majority of data today is stored in the cloud, with many businesses sharing data not only internally, but also with external third-party vendors or applications.
If these apps or vendors do not take adequate security precautions resulting in a data breach, the business can still be held accountable for the loss of sensitive data. Make sure then to check all third-party vendors your business deals with.
Data Protection Is More Important than Ever
Businesses that don’t invest in cybersecurity should be held accountable. It doesn’t really matter whether it was just an oversight or due to negligence – if someone steals valuable data, there should be serious consequences.
Lawmakers are becoming aware that cybersecurity is an important aspect that needs to be regulated seriously. We are already seeing the adoption of stricter laws and regulations – the General Data Protection Regulation (GDPR) is just one of them.
Not only do such laws and regulations force businesses to improve their security, but they also help protect users against predatory practices like selling data to third parties without the user’s explicit consent.
Any business who is serious about what they do should have transparent data collection and usage policies. They should have adequate security and encryption for their data.
AI Helps Companies Protect Against Attacks
Advancements in AI and machine learning have made predictive analytics an ally against cyber attacks. Businesses have a better overview of their real-time security than ever before, and predictive analysis helps them promptly detect anomalies in their operations. This is especially beneficial for the financial sector, such as banks, but other businesses will reap the benefits as well.
As a business owner, you should be aware of the cyber threats lurking about. Know also that no target is too small for hackers. Make sure to update all your software regularly and educate your employees. Ensure that any third-party vendors or applications you deal with are taking cybersecurity seriously too.
Human interaction is the element that makes social networks so great, and businesses use it to connect with their user bases on an individual level. This human connection is also a vector used by hackers to get access to classified information, as well as access to internal networks and data. Such techniques are known as social engineering hacks.
Social engineering hacks are when hackers present themselves as trusted and friendly individuals or businesses to get their targets to disclose privileged and sensitive information. This tactic requires lots of research on the target to be successful, and the attack is often specifically aimed at individuals who have low-level access within their organisation, as this is enough to get access to everything else once they are in.
Research and reconnaissance include scanning the target’s online behaviours and patterns, and social media accounts are a treasure trove of information. This is why it’s so important that all employees keep their social media accounts secure. The following seven tips will help keep social media accounts safe from hackers:
#1 Avoid Taking Part in Things That Ask for Your Personal Details
Do you know all those various quizzes that “analyse” your social media account to tell you which “Game of Thrones” character you are most like, or what kind of salad you are? How about those extensive personality tests that ask you to disclose super specific information about yourself to tell you what type of personality you have?
Always make sure to check what type of information you reveal and authorise access to. Many of them will require you to allow access to all your online images, your whole friend list, or your bio and personal information that might include phone numbers and emails. Only use such things if you can be 100% sure that the information you share will be used solely for marketing purposes and not compromise the security of your account.
Password strength is what makes or breaks the security of your social media accounts. First of all, make sure to use a strong password. The holy trinity of strong passwords is a combination of the following:
Lower- and uppercase letters
Use at least 8 characters in your password, and never use personal details and information like your kids’ names or birthdays in your passwords, as this makes access easier. To minimise the risk of being hacked, change your password regularly and never use the same password for multiple accounts. If you have trouble remembering all your passwords, use a trustworthy password manager instead.
Once something is on the web, it stays there forever. Your online behaviours can be tracked, and most people don’t think they are valid targets to be tracked online, so they will reveal too much on too many public places.
Imagine sharing your personal or work email, where you live, or images of your kids and your home to any stranger you meet on the street. It would be quite reckless, wouldn’t it? This is exactly what many people are doing online when they don’t think about their privacy settings and post publicly on their social media accounts.
When using Facebook or any other social media site, make sure to limit your posts and images to your friends only. If you wish to share something publicly, always ensure that it can’t be something used to get access to your accounts or to follow your actions online. Also be wary of friend requests from people you don’t know. Chances are, at least one of them might just be trying to get access to your information.
#4 Up Your Account Security
A strong password is just the first step towards a safer account. Wherever possible, use additional security in the form of two- or multi-factor authentication (2FA or MFA) – after you type in your login credentials, the service will ask you for an additional code that’s generated just for you. This way, if someone manages to crack your password, they will not get any further because they won’t have the code they need.
#5 Use Quality Antivirus Software
Make sure to have good antivirus protection on your PC. Your antivirus must not only regularly scan your PC, but also monitor your online activity. Such suites will immediately let you know if there’s an infected link or attachment in your emails. They can also scan social media messages and quarantine them before you can click on them by mistake.
#6 Only Install Apps from Trusted Sources
Since there’s limited access to good antivirus software for mobile phones, stay safe by only installing apps from trusted sources. Examples of trusted sources are Google Play and Apple’s App Store. Apple, in particular, is very strict when it comes to what apps are allowed on their store. They do a full scan and inspection of every app before it can be approved and published in their store.
#7 Log Out of Devices and Close Old Accounts
Just because you are no longer using an account doesn’t mean it is safe from hackers. Always close all old accounts you are not using anymore. This way, you make sure hackers don’t get access to them and use them without your knowledge.
Also, make sure to log in on trusted devices and on trusted networks only. Make it a point to log out of all your active sessions regularly. This will help those services recognise anomalies in your login patterns and detect a possible breach easier.
Have a proactive approach towards your social media security and you will be a very hard target for anyone trying to get access to your accounts. It will be a challenge for anyone to launch social engineering hacks against you.
Have more questions? Check out our Smiley Geeks IT Help Membership from only $69 a month!
Contrary to popular belief, the hospitality industry is an excellent target of cybercrime because of the sheer amount of personal and sensitive data held. In fact, there are several businesses that have already faced data breach fines.
Every day, hotels, hostels, and restaurant chains handle credit cards, emails, contact preferences, home addresses, and other sensitive data from millions of customers, and hackers want to get their hands on that information.
A data breach can go undetected for quite a long time, as some of the cases below demonstrate, which would only increase the GDPR fine nowadays!
Here are 6 hospitality businesses who have recently faced data breach fines, and the cybercrime that caused them.
Back in 2014, Hilton hotels were a victim of a data breach, followed by another breach during 2015, which resulted in the data loss of over 360,000 customers. The data that was stolen held sensitive information like credit card numbers, names, addresses, and more.
The biggest issue is that Hilton failed to inform its customers about the breach in a timely manner. It took them ten months after they learned about the breach to inform their customers. This resulted in a $700,000 fine for lack of adequate security and failing to inform customers about the breach. If this had happened recently, their fines would be much higher under GDPR – they would probably have to pay around $420 million.
Radisson Hotel Group faces fines under the newly adopted GDPR. The breach was discovered in 2018, with Radisson claiming to have promptly informed the EU regulators within the 72-hour timeline. It was detected in the Radisson Rewards database, and some members of their Rewards programs were compromised.
Apparently, credit card details and passwords were not stolen. Stolen data included names, addresses, email addresses, company names, Rewards member numbers, and frequent flyer numbers. As a result, the hotel chain might be facing a €10 million fine.
Even Trump hotels aren’t spared from data breaches. The hotel chain suffered a data breach back in 2014 when over 70,000 credit card numbers and other personal data were stolen via an infected payment processing system. The now-President Trump agreed to cover the $50,000 fine that was issued because the hotel chain didn’t bother to inform their customers about the breach even though they had known about it for months.
Restaurant chain Wendy’s had to pay a hefty fine because of the data breach that happened in 2015 and 2016 when 1,025 POS systems used at their locations were infected with malware that led to a lot of stolen credit card info. It is reported that over 18 million cards were compromised in the breach.
Many of these cards were used to commit fraudulent online purchases. As a result, Wendy’s had to face a class action lawsuit from affected financial institutions and consumers. Wendy’s reached a settlement that required them to pay $50 million by the end of 2019.
Zippy’s restaurant chain based in Hawaii suffered a data breach in November 2017. They first discovered the breach in March 2018. All cards used during that time might have been affected. The compromised information included credit card numbers, expiration dates, names, and security codes.
There is no information about how many customers were affected, but a class action lawsuit was filed against FCH Enterprises, the owner of Zippy’s Restaurant. It’s worth noting that not only the restaurant chain was affected, but also the other franchises held by FCH – Napoleon’s Bakery, Kahala Sushi, Pearl City Sushi, and Pomaika’i Ballrooms. FCH reached a settlement and agreed to pay $725,000.
Probably the case that got the most traction is the large data breach that occurred at the Marriott hotel chain. Personal data and credit card details, even passport numbers and dates of birth, of more than 500 million of their customers were stolen. The Marriott group includes hotel chains such as Sheraton, Westin, W, and Le Méridien.
The breach was first discovered in September 2018, while detailed investigation revealed ongoing unauthorized access dating back to 2014. They did encrypt sensitive data such as credit card information. However, the group stated they cannot be sure that encryption keys were not stolen too.
The most concerning part is that this was ongoing for four years, meaning security monitoring profoundly failed. The fine: $3.5 billion plus a $915 million GDPR fine from the ICO.
With the rising risk of data breach and rising prices of fines, make sure you protect your customers’ sensitive data. This is especially true with the GDPR in place. By doing so, you avoid fines and ensure your guests rest easy knowing their personal information is safe with you.
The last several years have revealed that hospitality businesses are vulnerable to cyber attacks, with many major hospitality players being victims of cybercrime that in some cases went undetected for years. In a separate post, we have cited six hospitality businesses that faced data breach fines resulting from hospitality business hacking.
Hackers are becoming increasingly innovative in ways they gain access to secure hospitality systems. In contrast, the hospitality sector is lagging behind in security measures. Businesses often don’t treat cybersecurity as a priority but prefer to focus on customer experience only, which can have far-reaching consequences in case of a breach.
The most common factors that contribute to hospitality business hacking and data breaches include the following:
#1 The Number of People Involved
It is the nature of the hospitality industry that makes hospitality businesses such targets – there are so many customers and staff involved that hackers easily benefit from those numbers. Sooner or later, somebody will make a mistake and click on a malicious link delivered into their inbox from a spoofed email address, and that one click is often enough to get access to everything.
Once inside, hackers will easily find employee credentials to get access to sensitive information, such as customer names, emails, addresses, current residence, credit card information, loyalty programs and points, and more, and use all that information for monetary gain or to sell it on the dark web.
Another big issue that contributes to the high vulnerability of the hospitality sector is the current hospitality retention rates. The retention rate in the hospitality industry is quite low compared to the averages of other industries. In the UK, the annual staff retention level is just over 70%, which is concerning since the average retention is usually around 85%. Not only are staff usually less interested in the long-term protection of the business, but frequent changes of users and passwords often lead to bad practices like sharing credentials or logging in for each other.
#2 Unsecured Networks Result in Hospitality Business Hacking
One of the easiest ways hackers are able to access guest and employee data is through Wi-Fi networks that are poorly secured and unsecured. While it’s hard to make sure a Wi-Fi network is 100% secure against attacks, hospitality businesses can do a lot to minimise the risk.
First of all, a network should never be unsecured. While it might seem like a great perk – use your network easily without having to ask for a passcode – this also means that anyone can access it, hackers included. The passcode should always be complex to avoid hackers simply guessing it. Businesses should avoid setting up “12345” or the business name as the passcode.
In addition to the right encryption settings for all the networks, it’s important to separate them too. Guests should always have a separate network for all their devices. Sharing the same network for business devices and guest devices is a recipe for disaster. Some of your guests may not be as innocent as they appear. They may be accessing your internal systems and data whilst also enjoying your coffee.
#3 Lack of Understanding
Another fault of many businesses in the hospitality industry is their lack of understanding of cybersecurity. Hotels are now interconnected digital systems that compete for customers by introducing new digital experiences. As such complex systems, they have a large number of endpoints – like the above-mentioned Wi-Fi networks, but also HVAC systems, Points of Sale (PoS), electronic door locks, smart devices – through which customer data is accessed and stored.
It’s true that they do adopt new technology and software to streamline their operations. But their outdated security measures don’t cover new security threats. You see, each of the endpoints used can also be an entry point for hackers to steal data. Sometimes, it’s enough to delay updating your PoS system for hackers to get a successful entry.
Because hospitality businesses deal with such a large amount of sensitive data daily, it’s of utmost importance that they also understand the risks that come with the benefits of new software and tech solutions.
#4 Cybersecurity Isn’t Their Focus
Most hospitality businesses will agree that customer satisfaction and the overall experience with their brand is what matters most. The competition is fierce, and it’s very easy to lose customers. In their battle to retain customers, they will often prioritise spending their money on user experience. As a result, they streamline all their internal operations towards this goal.
Providing a seamless experience in every single one of their locations requires interconnection of all hotels from the same chain. For this reason, they are able to easily share their data on customers between locations. This way, the customer’s preferences when it comes to rooms and suites, and other data that help make them feel welcome, are accessible at any time, no matter which of their hotels the customer walks into. Such data sharing happens within the hotel chain’s national network, which all hotels have access to.
This interconnectedness can have far-reaching consequences – just one breach into a single hotel from the whole chain is enough for hackers to quickly gain access to their whole system and steal information from central data points.
#5 Lack of Education Leads to Hospitality Business Hacking
With a lack of understanding of why security systems are crucial for all the digital systems in the hospitality industry, cybersecurity is often put into the back seat. This, in turn, results in a severe lack of education for staff members and partners.
If employees working in hospitality do not know how to spot risks, the chances of hospitality business hacking skyrocket. Not all employees are tech-savvy or IT professionals. Some of them don’t know how to spot a phishing attempt. However, with the right training, you can greatly reduce the chances of being hacked.
The best approach here would be to have cybersecurity staff who take proactive measures to keep all systems secure. Therefore, it’s not a bad idea to appoint a Chief Information Security Officer (CISO) who would oversee all security-related operations. The CISO’s responsibilities include setting up a plan in case a breach happens.
The Right Measures Help Detect a Breach Quickly
The hospitality industry will remain a high-risk target for cyber attacks, and there will always be a risk. However, taking the right countermeasures will minimise hospitality business hacking. This ensures that if a breach does happen, there are rules in place that will help detect it quickly. Consequently, businesses take the right course of action.
You’ve probably been in a situation where you desperately need an internet connection for your devices while you’re out and about. Most public places offer free internet. Public Wi-Fi, however, is risky business, and it’s best to avoid it.
The Risk of Public Wi-Fi
Coffee shops, airports, hotels, and restaurants offer their Wi-Fi without a second thought, but most lack proper security measures. Those networks are often the prime spots for hackers to execute their attacks and get access to sensitive information or spread malware. One of the most concerning ways they do this is with a device called Wi-Fi Pineapple.
Primarily, the Wi-Fi Pineapple is used by companies that specialise in penetration testing the networks of various businesses. Even though the original use of the device is to audit wireless networks and test for vulnerabilities, hackers realised they could use it too.
How Hackers Use Wi-Fi Pineapple
Because Pineapple is so cheap (the whole kit costs about $100/£75), hackers use it to get access to sensitive information or spread malware.
They set it up as a fake Wi-Fi hotspot (known as a rogue access point – rogue AP), which enables them to do an attack called “Man-in-the-Middle” (MitM).
They fake a network SSID (name) that sounds reputable, like a hotel name, by changing one letter in the name, and then wait for unsuspecting users to connect their devices.
Once connected, they will intercept all communication between devices and the web.
Another way they can get your device to connect automatically is to spoof the SSIDs saved by your device.
When you have Wi-Fi on, your device will actively scan its surroundings for networks that you have saved and enabled auto-connect for.
Your device does this by actually broadcasting the SSID of all saved networks.
Wi-Fi Pineapple can read those broadcasts, rename its SSID to match one of your saved networks, and your device will automatically connect to it.
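Spotting the renamed-SSID trick described above from a site survey, as an added example that is not part of the original post: given the venue’s legitimate network names and the list of networks a scan actually sees, flag names that differ by one letter or a lookalike character, that embed the trusted name, or that reuse the trusted name without its expected encryption. The hotel names, networks and scan results are constructed.

```python
import re
import unicodedata

# Added example, not from the original post: classify observed Wi-Fi SSIDs
# against a venue's trusted networks so a rogue AP imitating them stands out.

# Characters that look alike on a phone's network picker (constructed map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s",
                            "3": "e", "8": "b", "@": "a", "$": "s"})
ZERO_WIDTH = "\u200b\u200c\u200d\ufeff"


def normalise(ssid: str) -> str:
    """Lower-case, strip accents and zero-width characters, map lookalike
    characters to Latin letters, and squash runs of spaces/punctuation."""
    s = unicodedata.normalize("NFKD", ssid)
    s = "".join(ch for ch in s if not unicodedata.combining(ch) and ch not in ZERO_WIDTH)
    s = s.lower().translate(HOMOGLYPHS)
    return re.sub(r"[\s_\-.]+", " ", s).strip()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(scan, trusted):
    """scan: list of (ssid, security) pairs from a site survey.
    trusted: dict of legitimate ssid -> expected security setting.
    Returns one (ssid, category, related_trusted_ssid) per observed network."""
    trusted_norm = {normalise(name): name for name in trusted}
    results = []
    for ssid, security in scan:
        if ssid in trusted:
            # Exact name: only the security setting can give a rogue away.
            cat = "ok" if security == trusted[ssid] else "rogue-security"
            results.append((ssid, cat, ssid))
            continue
        norm = normalise(ssid)
        if norm in trusted_norm:
            results.append((ssid, "lookalike-homoglyph", trusted_norm[norm]))
            continue
        best = min(trusted_norm, key=lambda t: edit_distance(norm, t))
        # Allow roughly one edit per six characters, at least one.
        if edit_distance(norm, best) <= max(1, len(best) // 6):
            results.append((ssid, "lookalike-typo", trusted_norm[best]))
        elif any(t in norm for t in trusted_norm):
            embedded = next(t for t in trusted_norm if t in norm)
            results.append((ssid, "embeds-trusted", trusted_norm[embedded]))
        else:
            results.append((ssid, "unrelated", None))
    return results


# Constructed site survey: the venue runs two legitimate networks.
TRUSTED = {"GrandHotel-Guest": "WPA2-PSK", "GrandHotel-Staff": "WPA2-Enterprise"}
SCAN = [
    ("GrandHotel-Guest", "WPA2-PSK"),    # legitimate
    ("GrandHotel-Guest", "Open"),        # same name, no encryption
    ("GrandHote1-Guest", "Open"),        # digit 1 in place of letter l
    ("GrandHotel Guest Free", "Open"),   # trusted name with a word appended
    ("GrandHotl-Guest", "Open"),         # one letter dropped
    ("CoffeeCorner", "WPA2-PSK"),        # neighbouring business, unrelated
]

if __name__ == "__main__":
    for ssid, category, related in assess(SCAN, TRUSTED):
        print(f"{ssid!r:26} {category:20} {related or ''}")
```

Feeding the output of a real scan into `SCAN` (name and security type) is enough; the thresholds and homoglyph map are starting points to tune for the venue’s own naming.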
It’s always better to tether your internet connection from your phone to avoid those risks.
Advantages and Disadvantages of Tethering Your Internet
Tethering is easy to set up – basically, you use your phone’s data plan to get an internet connection. It can be done via Wi-Fi, Bluetooth, or USB.
Advantages of Tethering
Safer than using public Wi-Fi
Your personal hotspot; nobody else can use it
Safe to browse all sites and log in to sensitive websites too (like a bank account)
Disadvantages of Tethering
Some carriers block this option, and you might have to pay extra fees to use it.
Can drain the phone battery quickly if the phone is not connected to a power source.
Can use up your data plan if your connected devices are not set up to treat the connection as a metered one.
Even so, battery drain or a small one-time fee is acceptable when compared to the risk of losing your personal information or business accounts because you used public Wi-Fi.
How to Tether Your Phone
For Wi-Fi tethering, you should go to:
Settings > Wireless & Networks > Portable (Wi-Fi) Hotspot > Set Up Wi-Fi Hotspot.
Enter SSID (name) of the Hotspot.
Choose a security option – always go for WPA2 PSK (safest encryption).
Set up Password.
(Optional) Choose an AP Band – 2.4 GHz is the default, but you can go for 5GHz too if your devices support it.
Turn on HotSpot, find it with your device, and connect to it.
For USB tethering, you should:
Connect the phone to your device via USB.
Go to Settings > Wireless & Networks > More… > USB Tethering and activate it.
Go to Settings > Cellular or Settings > Personal Hotspot.
Turn on Hotspot using a slider.
You can choose to connect your devices via Wi-Fi, Bluetooth, or USB.
For Wi-Fi, you will have to set up Wi-Fi Password first (under Personal Hotspot).
Bluetooth connection only works with Macs, PCs, and third-party devices; to connect other iOS devices, you need to use Wi-Fi.
For USB, you will need the latest iTunes on the device you want to connect.
Keeping your personal and business data safe wherever you might be should always be your primary concern. Particularly in this day and age.
Even though public Wi-Fi networks are convenient, you are at high risk every single time you connect to them, even if it’s just for a few minutes. Tethering your internet is simple, convenient, and gives you your very own personal and secure hotspot.
Whether you’ve had a data incident in the past and you need to write your report ASAP or you’re being proactive about the future, our Data Breach Report Blueprint has everything you need to write a comprehensive report, and more importantly, understand how to analyze the data breach from a business perspective and stop it happening again.