It is probably no surprise cyberattacks often happen when you least expect them or when you are most vulnerable. In what seems like something from a movie, hackers attempted to acquire data from a North American casino by using an internet-connected fish tank, according to a report released by cybersecurity firm Darktrace. The fish tank had sensors connected to a PC that regulated the temperature, food, and cleanliness of the tank.
Any organization that holds pertinent digital information should have a highly secure system that will protect information from cyber threats. Breaches are not 100 percent preventable, however there are steps you can take to minimize that risk of liability. The systems that you deploy must be ready for anyone that attempts to steal your data.
A hotel that does not make guest–facing security a priority leaves themselves exposed to breaches that will be very costly in both the short and long run. The best approach is to identify what it is that you are wanting to protect, then to build several virtual walls around it as quickly as possible.
Some may think their property is ready for an attack until it happens; so, how could you test that theory to see if it’s true? A viable and simple way to find this out would be with a penetration test.
A penetration test, also called pen testing or ethical hacking, is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. A pen test is also an important step in establishing PCI-DSS compliance.
There are generally five stages to a properly conducted pen test.
- Planning the scope of the test
- Scanning, assessing, and reconnaissance
- Establishing access
- Persisting access and attempted exfiltration
Once you have the analysis, it is important to prioritize the findings and quickly mitigate any vulnerabilities. A pen test should be conducted at least every year, and with the speed that hackers move, probably part of a regular risk assessment.
The reality is that your property is going to need to provide more access to guests and have more IOT connected devices, so trying to reduce the technology will not be a competitive option. I meet with a lot of clients who feel they can self-manage their property devices. Deciding to do it yourself when it comes to your security will only last so long.
Doing it yourself could mean you are taking several privileges away from your guests and limiting what they can do at your hotel. You want them to be able to enjoy your hotel as if they were at their own home or workplace.
System breaches occur, not because you take access and amenities away from guests, but they occur when attackers take advantage of the fine details that were missed. Data encryption, network segmentation, elimination of PII, and continuous monitoring of what is entering and leaving your networks are key examples of this.
Cyber attackers are continually evolving and finding new ways to get what they want. For any cybersecurity system to last, it must continually mature, or it will become weak, unable to protect your guests from evolving cyber threats. Having your data security monitored by a single person is a daunting task even if they are knowledgeable about what they are doing.
In summary, systems built for cyber defense, an evolving cyber plan, and annual pen testing will determine if your systems are strong enough to combat a cyber threat.
Schiffer, A. (2019, April 17). How a fish tank helped hack a casino. Retrieved from https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/.