An ounce of prevention is worth a pound of cure when it comes to minimising network security and privacy risk in hospitality
If you are in the hospitality industry and you’re not concerned about network security and privacy (NSP) risk, you probably should be. Boards now regard NSP as one of their major business risks, and for good reason.
Cybercrime is on the rise. The cost to Australian businesses alone is estimated at $4.5 billion each year, and a recent report into the extent of cybercrime in the US revealed that the ‘cyber black market’ is now more profitable than the global illegal drug trade. And why not? Most of it can be carried out from the comfort of home.
Eric Lowenstein from Aon Risk Solutions is a network and security risk specialist. He explains why hospitality businesses are particularly at risk, and addresses what can be done to mitigate, manage and potentially transfer this ever-growing risk.
If we are to start at the beginning, it’s important to define what network security and privacy (NSP) risk actually is. The most important thing to understand is that it is not confined simply to the internet. It also covers the internal, environmental and physical vulnerabilities of hospitality businesses.
And hospitality is particularly vulnerable to NSP risk for a number of reasons. Credit card information is used and stored in the purchase of hospitality services, and payment for services requires the sharing of significant amounts of personally identifiable information. Loyalty programs, common in hospitality, require the use of personal details and security questions, and online and point of sale systems can be subject to security failures. In fact, recent studies show that 75 percent of data breaches of credit card details have been linked to point of sale intrusions.
Broadly speaking, the NSP risks faced by hospitality businesses fall into four categories.
1. How easily could a hacker access your client details?
Cyber fraud, crimes and hacking attacks can occur in any business, but hospitality is unique in the amount of private customer information which is routinely stored.
Cyber criminals often focus on obtaining credit card details, but they can also use personal customer information obtained for the purposes of extortion. In a recent example, a medical practice on Queensland’s Gold Coast had its server locked and patient files encrypted, with a demand for a ransom to be paid before the files could be made accessible. The seriousness of this case was clearly exacerbated by the fact that the details accessed were medical files, but in hospitality, unauthorised access to customers’ personal details can also have very serious consequences.
2. You are what you (and your customers) write online
The rise of social media means that most businesses, including those in food service, are online publishers, whether they realise it or not. Merely by virtue of having a Facebook or Twitter account, businesses open themselves up to the risk of what might be posted online in their name.
Many businesses do not understand that they can be held accountable for what is tweeted or posted on their page or site, whether or not it was posted by them, or even by one of their employees. Defamatory or misleading content can cause serious reputational damage and incur hefty regulatory penalties.
3. How well have you trained your employees?
Hospitality businesses often have a large number of employees, many of whom require access to confidential data to do their job. In this respect, they wield a great deal of power and are responsible for the security of the data.
One risk is that employees commit a crime using the information they have access to, but the reality is that the vast majority of breaches occur because of simple negligence, which is often a question of training: a computer left unlocked at an unattended desk, or sensitive data made generally available by mistake. In a recent example, confidential customer details obtained via calls to a call centre were made available for training purposes, but on a non-secure site.
The physical environment can also pose significant risks, and the fact that the public can move around unencumbered in most hospitality venues adds to the risk of a breach. In a recent example, a criminal was able to tailgate an employee of a government department into a secure building, and walk out with a secure locked bin. The same thing can happen in hospitality when the proper safeguards are not in place.
4. Do you know where and how your data is stored?
Moving from a server-based to a cloud-based system has advantages, but understanding where your confidential data is hosted is of vital importance. Because data is stored and accessed remotely, employees can bring their own devices to work, or work remotely from home, which increases the risk of a data breach.
And when suppliers are added to the mix, the risk increases again. The recent breach at Target in the US is just such a case. Literally millions of customers’ credit card details were exposed when a hacker was able to access Target’s system with login details stolen from a supplier. Because Target had failed to segregate the systems handling sensitive data from the rest of its network, once the hacker had breached the system, he was able to access all areas.
So what are the potential consequences of an NSP breach?
The consequences of an NSP breach can be ruinous for a business. They include:
- A negative impact on brand and image
- Loss of revenue
- Legal liability (including for misleading conduct)
- The cost of forensic consultants to work out what happened and to fix the system
- Internal costs to change systems to prevent further breaches
- Breach notification (which can amount to up to $140 per customer affected)
- Regulatory scrutiny and potential fines
Is it possible to mitigate or even transfer NSP risk?
No business can expect to eliminate NSP risk altogether. However, the first step in managing and mitigating NSP risk is to thoroughly understand the risks your business faces, and then to develop and implement strategies to minimise them. And this includes educating employees about data protection and security.
The Australian Hotels Association runs cyber awareness training, and Aon Risk Solutions has prepared a 25-point questionnaire as a starting point for businesses seeking to better understand the risks they face.
There are also insurance policies available aimed specifically at cyber risk. These cover losses that may be incurred as a result of a cyber breach or attack, including those not covered under general business insurance. Most policies will cover the majority of losses incurred, including loss of revenue, loss due to business interruption, the cost of restoring data, notification costs and the cost of forensic consultants.
The bottom line? Prevention is better than cure
Prevention is generally better than cure, and cyber risk is no exception. Taking steps to understand the network security and privacy risks your business faces and developing strategies to minimise them is a great first step. And transferring elements of the risk to a specialised insurer can give real peace of mind.