JANUARY – MARCH 2017
VACATION INDUSTRY REVIEW
RESORTDEVELOPER.COM
Over the past few years, it seems that the hits just keep coming. Hits to cybersecurity, that is.
In 2014, the U.S. Office of Personnel Management’s systems were breached, exposing the personnel files of at least 4.2 million former and current federal employees. In 2015, Anthem, the largest for-profit managed-health company in the Blue Cross Blue Shield Association, disclosed that a database with approximately 80 million patient and employee records had been exposed. This past fall, Kimpton Hotels confirmed a breach of payment-card information at more than 60 hotels and restaurants that went undetected for more than six months. And WikiLeaks released thousands of hacked emails from DNC accounts, with U.S. intelligence officials alleging that Russia was behind the break-ins in an attempt to interfere with the presidential election.
In addition to data breaches, there’s also the threat of ransomware: malware installed on a computer or server that encrypts its files, making them inaccessible until a specified ransom is paid. It’s on the rise, with the total number of ransomware samples known to Intel Security’s McAfee Labs topping 7 million in 2016, a 128-percent year-over-year increase from 2015.
“The reports are very concerning,” says Georgios Mortakis, vice president and chief information security officer for ILG. “In this environment, everyone in an organization needs to take responsibility for data security; it can’t be just left to the IT department.”
Dangerous Game<br />
The consequences of the above-mentioned events are many: Consumers and employees are understandably upset when their private information is leaked. A company’s public image will suffer if shoddy security practices are revealed. In the case of ransomware, paying a ransom or replacing lost data could cost hundreds of thousands of dollars — or more. In addition, the Consumer Financial Protection Bureau (CFPB) recently announced it will begin enforcement in the area of data security, beginning by fining Dwolla, an online payment platform, US$100,000 for misrepresenting its systems as secure.
“The Federal Trade Commission was already active in this area, and now the CFPB is joining in,” says Peter Moody, vice president of business development at Equiant, a leading loan-servicing provider. “If there’s a breach, companies need to demonstrate they’re responsible actors and have a comprehensive and effective compliance-management system. If the agencies find deficiencies, the penalties will be more severe.”
That means information-security professionals have a difficult task: They have to keep up with cyber criminals and the tools to fight them, check off a growing list of compliance requirements, and monitor the security practices of their business partners and employees.
“We have to go above and beyond to minimize risks,” Mortakis says. “We can’t eliminate all threats, but we can reduce their impact by mitigating identified vulnerabilities. As an analogy, if you live in South Florida, you could be affected by a hurricane, so you should be prepared. You can’t stop a hurricane from happening, but you can buy storm shutters. If there’s an incident, we need systems in place to identify the threat immediately, and reduce or eliminate its impact.”
The Weakest Link?<br />
Because so many incidents begin with employee errors, a thorough training program, along with access controls, is essential. “All employees need to have training in security awareness,” Mortakis says. “In addition, you have to enforce the policies and procedures they’re being taught.”
A common door into an IT network is phishing: malicious email crafted to get the recipient to take the bait by opening an attachment or clicking an embedded link. In Verizon’s 2016 Data Breach Investigations Report, 30 percent of targeted people opened a phishing email and 13 percent clicked on a phishing attachment, but just 3 percent of targeted individuals alerted management of a possible phishing email. Although you can train employees not to open suspicious emails, the “bad actors” out there are devising better and better strategies to entice them to do so. For example, a recent rash of phishing emails looked like an official email from FedEx, with an attachment about a missed package delivery.
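A filter-side check for lures like the FedEx example above, as an added illustration that is not from the article or from any product it mentions: a small Python triage that scores a raw message on failed SPF/DKIM results stamped by the receiving mail server, a protected brand name in the display name that does not match the sending domain, brand lookalike domains, and risky attachment types, then decides whether to hold it. The brand list, the threshold, the domains and both sample messages are constructed for illustration.

```python
"""Heuristic phishing triage for inbound mail (added example, not from the article).

Scores a raw RFC 5322 message on signals a mail filter typically combines:
failed SPF/DKIM, a protected brand in the display name that does not match
the sender's domain, lookalike domains, and risky attachment types.
The brand list, threshold and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed tenant-specific list of impersonated brands and their real domains.
PROTECTED_BRANDS = {"fedex": "fedex.com", "ups": "ups.com", "dhl": "dhl.com"}

# Attachment types that have no business arriving as a "delivery notice".
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".docm", ".zip"}

QUARANTINE_THRESHOLD = 4  # assumed policy: scores at or above this are held


def _domain_matches(domain, legit):
    """True if domain is legit itself or a subdomain of it (mail.fedex.com)."""
    return domain == legit or domain.endswith("." + legit)


def score_message(raw):
    """Return (score, reasons) for one raw message string."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    # 1. Authentication-Results stamped by the receiving MTA.
    auth = msg.get("Authentication-Results", "").lower()
    if re.search(r"\bspf=(fail|softfail)\b", auth):
        score += 2
        reasons.append("SPF failed")
    if re.search(r"\bdkim=(fail|none)\b", auth):
        score += 1
        reasons.append("DKIM failed or absent")

    # 2. Brand impersonation: display name and domain labels vs. real domain.
    name, addr = parseaddr(msg.get("From", ""))
    name, domain = name.lower(), addr.rsplit("@", 1)[-1].lower()
    for brand, legit in PROTECTED_BRANDS.items():
        if _domain_matches(domain, legit):
            continue  # genuinely from the brand; nothing to flag
        if re.search(r"\b" + brand + r"\b", name):
            score += 3
            reasons.append(f"display name claims {brand!r} but sender is {domain}")
        elif brand in re.split(r"[.-]", domain):
            score += 2
            reasons.append(f"lookalike domain {domain}")

    # 3. Risky attachments anywhere in the MIME tree.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and "." in filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower()
            if ext in RISKY_EXTENSIONS:
                score += 2
                reasons.append(f"risky attachment {filename}")
    return score, reasons


def verdict(raw):
    """'quarantine' or 'deliver' under the assumed threshold."""
    return "quarantine" if score_message(raw)[0] >= QUARANTINE_THRESHOLD else "deliver"


# Constructed sample: a "missed delivery" lure of the kind described above.
PHISH = """\
From: "FedEx Customer Service" <notice@fedex-delivery-update.com>
To: employee@resort.example
Subject: Missed package delivery #4471
Authentication-Results: mx.resort.example; spf=fail smtp.mailfrom=fedex-delivery-update.com; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We could not deliver your package. Open the attached notice to reschedule.
--b1
Content-Type: application/zip; name="Delivery_Notice.zip"
Content-Disposition: attachment; filename="Delivery_Notice.zip"

UEsDBAo=
--b1--
"""

# Constructed sample: ordinary business mail that passes authentication.
LEGIT = """\
From: "Alice Chen" <alice.chen@partner.example>
To: employee@resort.example
Subject: Q1 contract for review
Authentication-Results: mx.resort.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example
Content-Type: text/plain

Contract attached for review.
"""
```

Run `verdict(PHISH)` and `verdict(LEGIT)` to see the two outcomes; `score_message` returns the reasons so an analyst can see which signals fired. Real filters weight these signals from measured false-positive rates and add URL reputation and sandboxing, and a genuine message from `fedex.com` that passes SPF and DKIM scores zero here, which is the point of checking the sending domain rather than just the brand name.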
However, there are steps companies can take: First, email-filtering software can prevent such emails from being delivered