Be ‘compromise ready’ with an incident response plan

NEW YORK—Just like every other industry, hospitality has been the target of data-security attacks. That said, most organizations face the same types of security incidents, so hoteliers still not on board with the basics of preventing them may want to take note of how they can become cyber resilient by being “compromise ready.”

“For several years before we published our first report, we read reports published by forensic firms that shared insights from the investigations they had conducted in the prior year,” said Craig Hoffman, partner at BakerHostetler and leading member of the firm’s Chambers USA-ranked privacy and data protection team. “As the amount of incidents we helped clients with was climbing, we decided we had enough data to generate similar insights from the legal side. At that time, there were still a lot of companies that had not gone through a significant incident.”

The national law firm leveraged its data and began producing its own reports. “We thought our report could help [companies] see in a very practical way what actually occurred before, during and after, so they could use that information to avoid incidents and be better prepared to respond when they occurred,” he said. Earlier this year, the firm released its most recent paper, the “2018 Data Security Incident Response Report,” which contains statistics and insights based on more than 560 data-security incidents managed by BakerHostetler in 2017, and it calls for companies to be “compromise ready,” a concept the firm has encouraged companies to follow from the very beginning.

“Compromise response intelligence is when companies take advantage of the experiences of law firms and forensic firms that have guided clients through hundreds of incidents to develop and execute a tailored and effective incident response plan; this starts with hotels identifying incident-response partners before an incident, including vetting them by experience, capabilities and industry knowledge,” Hoffman said.

Several compromise intelligence recommendations from years prior are still outlined in this year’s report: increase awareness of cybersecurity issues; identify and implement basic security measures; create a forensics plan; build business continuity into your incident response plan; manage your vendors; combat ransomware; and purchase the right cyber insurance policy. From the 2018 report, new recommendations include the following: implement a strong, top-down risk management program; adopt updated password guidance, and implement MFA or other risk-based authentication controls; keep data secure in the cloud; prepare for more regulatory inquiries; and, if you’re a publicly traded entity, update your item 1A risk factors regarding privacy and security.

This year, BakerHostetler added a new category—system misconfiguration, which the firm defined in the paper as “instances where unauthorized individuals gain access to data stored in the cloud because permissions were set to public instead of private.” System misconfiguration incidents accounted for 6% of all reported incidents.

“On cloud misconfigurations, these are primarily vendors that companies hire to perform some service and the vendor uses resources in the cloud; companies should be asking questions of their vendors about their cloud-based resources,” he said.
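The misconfiguration the report describes, permissions on cloud storage set to public instead of private, is something a hotel can check for itself or require of a vendor. The following is an added example, not code from the article or the BakerHostetler report: it evaluates an S3-style bucket policy (JSON) and bucket ACL for grants to everyone. The bucket names, policy documents and ACLs below are constructed for the demonstration; the public-group URIs are the ones AWS uses.

```python
"""Check S3-style bucket permissions for "public instead of private".

Added example, not code from the article or the BakerHostetler report. It
evaluates two things an object store exposes: the bucket policy (JSON) and
the bucket ACL. The sample documents and bucket names are constructed.
"""
import json

# Grantee URIs AWS uses for "everyone" and "any AWS account holder"; both
# count as public for our purposes.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Return (sid, verdict, actions) for Allow statements open to everyone.

    Verdict is "public" when nothing narrows the grant and "conditional"
    when a Condition block (e.g. aws:SourceIp) is present; conditional
    grants still need review, since a typo in the condition exposes data.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        verdict = "conditional" if st.get("Condition") else "public"
        findings.append((st.get("Sid", f"statement[{i}]"), verdict, actions))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the public groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def classify_bucket(policy_json, acl):
    """'public' if any unconditional public grant exists (policy or ACL),
    'review' if only conditional public grants exist, else 'private'."""
    findings = public_policy_statements(policy_json)
    if public_acl_grants(acl) or any(v == "public" for _, v, _ in findings):
        return "public"
    return "review" if findings else "private"


# Constructed samples: a vendor export bucket left world-readable, a
# correctly scoped one, and one that relies on a source-IP condition.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-guest-folios/*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/BookingApp"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-guest-folios/*"}],
})
IP_GATED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-guest-folios/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}],
})
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc123"},
                           "Permission": "FULL_CONTROL"}]}
WORLD_READ_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    for name, pol, acl in [("vendor-export", PUBLIC_READ_POLICY, PRIVATE_ACL),
                           ("booking-app", SCOPED_POLICY, PRIVATE_ACL),
                           ("office-gated", IP_GATED_POLICY, PRIVATE_ACL),
                           ("legacy-acl", SCOPED_POLICY, WORLD_READ_ACL)]:
        print(f"{name}: {classify_bucket(pol, acl)}")
```

The ACL check matters as much as the policy check: a bucket with a tight policy can still be world-readable through a legacy ACL grant, which is the "legacy-acl" case above. When asking a vendor the questions Hoffman suggests, both documents are worth requesting.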

In the report, the leading cause of incidents at 34% was phishing, followed by network intrusions at 19%; inadvertent disclosure at 17%; and stolen or lost devices/records at 11%. The firm categorized the remaining 13% of reported incidents as “other.”

Ransomware was involved in 18% of overall phishing incidents and 38% of network intrusion incidents last year. The average ransomware payment in 2017 was $40,000, according to the 2018 report.

“We expect ransomware issues to continue to be problematic—both commodity ransomware that infects companies by chance to more targeted, widespread deployment of ransomware as part of a network intrusion,” Hoffman said.

Remote access, meanwhile, was a factor in 32% of phishing incidents. “Remote access will also continue to be an issue—attackers are breaking into companies by phishing employees and getting usernames and passwords that they use to log in to online and cloud-based accounts,” he said. Remote access was a factor in only 16% of network-intrusion incidents.

Hacker groups are known for targeting hospitality companies for their payment card data. “A lot of hotels are operated by a franchisee that might own one or two properties, so that franchisee operator has to figure out how to secure the payment card environment,” he said. “Securing a payment card environment is something even large companies struggle with.” The good news is that it’s becoming easier for properties to implement technology designed to remove payment card data from their environments, such as point-to-point encryption and tokenization.

“For companies that have payment card data stolen, they could face lawsuits from individuals and banks that issue payment cards as well as assessment by payment card networks,” Hoffman said.

Of course, it’s not realistic to expect properties—or any company for that matter—to prevent all incidents. “Even if you deploy great security technology, you still face the people problem,” he said. “Well-meaning employees can be tricked by phishing emails and social engineering or make simple, human mistakes. To prevent phishing attacks from occurring, many companies are requiring their employees to complete phishing training.

“Even at companies that regularly train on phishing and social engineering, you will still find some employees who are tricked and respond to a phishing email, so companies have to use a multipronged approach,” Hoffman continued. “In addition to training, there are endpoint security tools beyond traditional anti-virus that companies are using to counteract incidents that start with a phishing email.”

There’s a caveat to consider, though: “[Companies] should expect that the security tools will not stop everything, so they need a way to monitor for signs of unauthorized access, so they can respond quickly and appropriately,” he said. “Someone has to look at the alert generated by a security appliance and take the right action.”
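Two of Hoffman’s points above call for the same kind of monitoring: attackers using phished usernames and passwords to log in to online and cloud-based accounts, and the need for someone to watch for signs of unauthorized access and act on them. The following is an added example, not code from the article or the report, that scans a constructed authentication log (JSON lines, one per login attempt, with the user, source address, country and result) for two patterns that stolen-credential use tends to produce: a successful login from a country the account has never used before, and a success that follows a burst of failed attempts from the same address. The log lines, usernames, addresses and thresholds are all constructed for the demonstration.

```python
"""Flag remote logins that look like use of stolen credentials.

Added example, not from the article or the BakerHostetler report. It reads
a constructed authentication log and raises alerts for (a) a successful
login from a country not seen before for that user and (b) a success that
follows a burst of failures from the same source address.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: webmail/cloud logins for a small hotel operator.
SAMPLE_LOG = """\
{"ts": "2018-05-01T08:02:11Z", "user": "frontdesk", "src_ip": "203.0.113.10", "country": "US", "result": "success"}
{"ts": "2018-05-01T08:05:40Z", "user": "gm", "src_ip": "203.0.113.10", "country": "US", "result": "success"}
{"ts": "2018-05-02T09:14:03Z", "user": "frontdesk", "src_ip": "203.0.113.11", "country": "US", "result": "success"}
{"ts": "2018-05-03T02:31:55Z", "user": "gm", "src_ip": "198.51.100.7", "country": "NL", "result": "success"}
{"ts": "2018-05-03T11:00:01Z", "user": "frontdesk", "src_ip": "198.51.100.8", "country": "BR", "result": "failure"}
{"ts": "2018-05-03T11:00:09Z", "user": "frontdesk", "src_ip": "198.51.100.8", "country": "BR", "result": "failure"}
{"ts": "2018-05-03T11:00:17Z", "user": "frontdesk", "src_ip": "198.51.100.8", "country": "BR", "result": "failure"}
{"ts": "2018-05-03T11:00:30Z", "user": "frontdesk", "src_ip": "198.51.100.8", "country": "BR", "result": "success"}
{"ts": "2018-05-04T08:00:00Z", "user": "gm", "src_ip": "203.0.113.10", "country": "US", "result": "success"}
"""

FAILURE_BURST = 3              # failures from one address before a success (assumed threshold)
BURST_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse JSON lines into events sorted by time; 't' holds the datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["t"])
    return events


def find_suspicious_logins(events):
    """Return (ts, user, reason, detail) tuples in log order.

    The first successful login for a user seeds that user's country
    baseline, so a user with no history is not flagged; in production the
    baseline would come from a longer history than the scanned window.
    """
    seen_countries = defaultdict(set)    # user -> countries with prior successes
    recent_failures = defaultdict(list)  # (user, src_ip) -> failure timestamps
    alerts = []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["result"] != "success":
            recent_failures[key].append(e["t"])
            continue
        # Success: did a burst of failures from this address just precede it?
        window_start = e["t"] - BURST_WINDOW
        fails = [t for t in recent_failures[key] if t >= window_start]
        if len(fails) >= FAILURE_BURST:
            alerts.append((e["ts"], e["user"], "success-after-failure-burst", e["src_ip"]))
        recent_failures[key] = []
        # Success from a country this account has never used before?
        known = seen_countries[e["user"]]
        if known and e["country"] not in known:
            alerts.append((e["ts"], e["user"], "new-country-login", e["country"]))
        known.add(e["country"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(" ".join(alert))
```

On the sample log this produces three alerts: the general manager’s account logging in from the Netherlands after only US logins, and the front-desk account succeeding from Brazil immediately after three failures from the same address. Whether those are a travelling manager and a mistyped password or a phished credential in use is exactly the judgment Hoffman says someone has to make when the alert fires; the tool only makes sure the event is seen.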

Incident-response preparedness requires the support of the entire enterprise. “We are seeing companies use formal or informal cybersecurity risk groups with members from the business—risk insurance, HR, security and legal groups—to work on negotiating appropriate contractual protections with vendors, buying cyber liability insurance, and handling incidents when detected,” Hoffman said.

Well-prepared properties are less likely to face scrutiny from individuals, stakeholders and regulators.

“…Companies should focus on the key phases of the incident-response lifecycle—detection; investigation to support containment, and then eradication; investigation to support notification analysis; notification analysis and communication, if warranted; and then taking the findings and lessons learned to improve the security posture of the company and the response capabilities,” he said. HB