Data Security
By Judy Kenninger
NOT JUST FOR
January – March 2017, Vacation Industry Review, resortdeveloper.com

Over the past few years, it seems that the hits just keep coming. Hits to cybersecurity, that is. In 2014, the U.S. Office of Personnel Management’s systems were breached, exposing the personnel files of at least 4.2 million former and current federal employees. In 2015, Anthem, the largest for-profit managed-health company in the Blue Cross Blue Shield Association, disclosed that a database with approximately 80 million patient and employee records had been exposed. This past fall, Kimpton Hotels confirmed a breach of payment-card information at more than 60 hotels and restaurants that went undetected for more than six months. And WikiLeaks released thousands of hacked emails from DNC accounts, with U.S. intelligence officials alleging that Russia was behind the break-ins in an attempt to interfere with the presidential election.

In addition to data breaches, there is the threat of ransomware: malware installed on a computer or server that encrypts its files, making them inaccessible until a specified ransom is paid. It is on the rise, with the total volume of ransomware samples known to Intel Security’s McAfee Labs topping 7 million in 2016, a 128-percent year-over-year increase from 2015.

“The reports are very concerning,” says Georgios Mortakis, vice president and chief information security officer for ILG. “In this environment, everyone in an organization needs to take responsibility for data security; it can’t be just left to the IT department.”

Dangerous Game

The consequences of such events are many: consumers and employees are understandably upset when their private information is leaked; a company’s public image suffers if shoddy security practices are revealed; and, in the case of ransomware, paying a ransom or replacing lost data can cost hundreds of thousands of dollars or more.
In addition, the Consumer Financial Protection Bureau (CFPB) recently announced it will begin enforcement in the area of data security, starting by fining Dwolla, an online payment platform, US$100,000 for misrepresenting its systems as secure. “The Federal Trade Commission was already active in this area, and now the CFPB is joining in,” says Peter Moody, vice president of business development at Equiant, a leading loan-servicing provider. “If there’s a breach, companies need to demonstrate they’re responsible actors and have a comprehensive and effective compliance-management system. If the agencies find deficiencies, the penalties will be more severe.”

That means information-security professionals have a difficult task: they have to keep up with cyber criminals and the tools to fight them, check off a growing list of compliance requirements, and monitor the security practices of their business partners and employees. “We have to go above and beyond to minimize risks,” Mortakis says. “We can’t eliminate all threats, but we can reduce their impact by mitigating identified vulnerabilities. As an analogy, if you live in South Florida, you could be affected by a hurricane, so you should be prepared. You can’t stop a hurricane from happening, but you can buy storm shutters. If there’s an incident, we need systems in place to identify the threat immediately, and reduce or eliminate its impact.”

The Weakest Link?

Because so many incidents begin with employee errors, a thorough training program, along with access controls, is essential. “All employees need to have training in security awareness,” Mortakis says. “In addition, you have to enforce the policies and procedures they’re being taught.” A common door into an IT network is phishing: malicious correspondence that tries to get the recipient to take the bait, typically an attachment or an embedded link.
According to Verizon’s 2016 Data Breach Investigations Report, 30 percent of targeted people opened a phishing email and 13 percent clicked on a phishing attachment, but just 3 percent of targeted individuals alerted management to a possible phishing email. Although you can train employees not to open suspicious emails, the “bad actors” out there are devising better and better strategies to entice them to do so. For example, a recent rash of phishing emails looked like an official email from FedEx, with an attachment about a missed package delivery. However, there are steps companies can take: first, email-filtering software can prevent such emails from being delivered
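As an added example (not from the article or any vendor product it mentions), the following Python script shows the kind of rule an email filter applies to the FedEx-style lure described above: it parses a raw message with the standard library’s email package, flags a From: display name that claims a courier brand while the sender’s domain is not that brand’s, and flags attachments whose extension is executable or carries macros, including the “notice.pdf.js” double-extension trick. The brand allow-list, the extension list and both sample messages are constructed for illustration.

```python
"""Minimal phishing triage filter (added example, not from the article)."""
import email
import os
import re
from email import policy

# Constructed allow-list: brand word in the From: display name -> domains that
# may legitimately use it (subdomains such as mail.fedex.com are accepted).
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "dhl": {"dhl.com"},
}

# Attachment extensions a desktop will execute directly or that carry macros.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".wsf", ".hta", ".jar", ".lnk", ".docm", ".xlsm", ".pptm",
}

# A benign-looking document extension followed by the real one, e.g. notice.pdf.js
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.[a-z0-9]{1,4}$")


def _in_domains(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_message(raw):
    """Parse a raw RFC 5322 message and return a list of (code, detail) findings.

    An empty list means no rule fired; it does not mean the message is safe.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        sender = from_hdr.addresses[0]
        display = sender.display_name.lower()
        domain = sender.domain.lower()
        for brand, allowed in BRAND_DOMAINS.items():
            # Whole-word match so "ups" does not fire on "groups".
            if re.search(r"\b%s\b" % re.escape(brand), display) and not _in_domains(domain, allowed):
                findings.append(("brand-domain-mismatch",
                                 "display name claims %r but sender domain is %r" % (brand, domain)))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky-attachment-type", name))
        if DOUBLE_EXT.search(name):
            findings.append(("double-extension", name))

    return findings


# Constructed sample: a "missed delivery" lure with a look-alike sender domain
# and a JavaScript dropper disguised as a PDF.
PHISH_SAMPLE = b"""From: "FedEx Customer Service" <notice@fedex-deliveries-support.xyz>
To: employee@example.com
Subject: Missed package delivery
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="utf-8"

We could not deliver your package. Open the attached notice to reschedule.

--BOUND
Content-Type: application/octet-stream; name="FedEx_Delivery_Notice.pdf.js"
Content-Disposition: attachment; filename="FedEx_Delivery_Notice.pdf.js"
Content-Transfer-Encoding: base64

dmFyIGEgPSAxOw==

--BOUND--
"""

# Constructed sample: a plain notification from the brand's own domain.
LEGIT_SAMPLE = b"""From: "FedEx" <tracking@fedex.com>
To: employee@example.com
Subject: Your shipment is on its way
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your package 1234 is scheduled for delivery tomorrow.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, check_message(raw) or "no findings")
```

The filter is deliberately narrow: it catches the two signals the lure in the text relies on, a trusted display name over an unrelated domain and an executable attachment. A production gateway would add sender authentication results (SPF, DKIM, DMARC), URL reputation for embedded links, and sandbox detonation of attachments, none of which this rule set attempts.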