What you can do to combat the growing menace of cyber attacks
Most companies have a fire drill, but how many have a cyber attack drill? The need for decent cybersecurity has never been so apparent. As well as protecting your business against cybercrime, you should consider how to protect your reputation and revenues should your business be attacked.
“The risk of cyber attacks is increasing,” says David Noble, director of hospitality and leisure at insurance broker James Hallam. “Just under half – 46% – of all UK businesses identified at least one cyber breach or attack in 2016. The most common types of incident related to staff receiving fraudulent emails – that affected 72% of those who identified a breach or attack, while 33% were hit by viruses or malware, 27% had people impersonating the organisation online and 17% faced ransomware demands.”
Attacks can take the form of spear phishing, distributed denial of service (DDoS), ransomware, crimeware, Trojans, advanced persistent threat (APT), malware and more. Scenarios can range from guests being locked out of their rooms after their card keys have been hacked to hackers stealing or changing your data and demanding a ransom for access to it.
Heavyweight hotel brands, such as Marriott, Hyatt and even Trump Hotels, are among those that have been hit in the past few years alone. Only a few months ago, malware was discovered on the servers of payment card processors at restaurants in InterContinental-managed hotels in the US and Canada.
Happily, there are many resources available to help hospitality businesses harden their systems against cybercrime. In the capital, for instance, the London Digital Security Centre has just been set up to provide one-stop-shop digital security services for small and medium-sized businesses. The not-for-profit body was founded by the mayor of London in a joint venture with the Metropolitan Police and City of London Police.
In another initiative, not-for-profit body Prevention of Fraud in Travel and its non-profit partner Global Cyber Alliance offer a layered defence model and have just unveiled two free software tools to fight cybercrime. The first is DMARC, an email authentication policy that blocks spam and phishing emails sent in your domain’s name. The second, a DNS service, offers enhanced protection against malicious domains. Travel industry anti-fraud group Profit also offers subscribers to its monthly reports access to free webinars explaining how companies can harden their business systems against attack. “About 60% of all breaches seen by Profit in the travel sector are caused by phishing,” says chairman Barry Gooch.
Prevention is the first step, but if a cyber attack gets through your business’s defences, you and your staff need to be able to respond quickly and efficiently to protect your business and your reputation.
“You will be blindsided if it happens. You need to prepare by using role-play involving IT, HR, security, customer services, procurement, lawyers, the finance director, investor relations and operations director,” says Kevin Duffey, managing director at Cyber Rescue Alliance, which helps its members to reduce the business damage of a cyber attack. “Unlike a fire, a cyber threat is hard to see. Data may have been changed, not just copied.”
Typically, a ransom letter will appear after a business has been hacked, which will threaten to publish personal and financial data about your company and guests unless you pay – usually in bitcoins.
Duffey recommends staying calm: “Some hotels get these threats every day,” he says. “Check whether the data the hackers are uploading is valid, and whether it has come from your system, find the breach and stop it. If it is real, notify the police [ActionFraud is the UK’s national fraud and cybercrime reporting centre] – and think about paying.”
As well as preparing a team to deal with calls from worried guests, you need a trained PR because the media will pick up on the story. Duffey recommends drawing up a customer-centric holding statement explaining that you are investigating a possible threat. He says: “Don’t give too much detail and use phrases such as, ‘We are working with police to investigate a claim that security may have been compromised,’ and stress that you never ask customers for passwords.
“Remember, social media can sabotage your caring campaign, and you may get doorstepped by journalists asking why you didn’t invest in ‘silver bullet software’. It is best to respond with ‘No comment – we will be putting out a press release.’ This way you get more control.
“The important thing is to make sure that the regulators hear the cyber attack news from you rather than from the media. You should define the story rather than letting it define you. Be the most credible source and don’t answer leading questions.”
Are you liable for a hack?
“The short answer is yes,” says William Christopher, partner at law firm Kingsley Napley.
Under the Data Protection Act, you can face fines of up to £500,000 for a breach of data protection, and this penalty will rise next year under the EU’s new general data protection regulation (GDPR) to as much as €20m (£17.7m) or 4% of turnover, whichever is greater. You may also face compensation claims from customers for breaches of the Data Protection Act or if you are found to have been negligent.
- ActionFraud, the UK’s national fraud and cybercrime reporting centre, www.actionfraud.police.uk
- Cyber Rescue Alliance, www.CyberRescue.co.uk
- James Hallam Hospitality & Leisure, www.jameshallam.co.uk
- London Digital Security Centre, www.londondsc.co.uk
- National Cyber Security Centre, www.ncsc.gov.uk
- Prevention of Fraud in Travel, www.profit.uk.com
When prevention fails
- You may have to disconnect from the internet for a few days.
- Find out which members of the team have access to the administration accounts.
- Release a holding statement to the press.
- IT is not at the heart of revenue, so you need to get somebody commercial to work with your IT team.
- Find out from IT how the information was lost and take action. Have passwords been changed regularly? Have servers been updated? Have you protected your software?
- Check whether data has been stolen from a partner or supplier, such as a reservations system, as other companies may be affected too.
- Inform any customers who are affected, but be careful with wording. You shouldn’t accept responsibility until you know how it happened, so initially use phrasing such as “We regret to inform you”. Think about what you might offer. For instance, you could offer affected customers a credit monitoring service so they can check whether anyone is accessing their accounts.
- Inform your insurance company if you have cover. Insurance against all internet-related risks is available, costing between £1,500 and £25,000 for £1m of cover, dependent on the risk profile of the business.