Cyber threats have increasingly become part of nationwide security discussions, impacting virtually all individuals and institutions, from personal bank accounts to big business to the federal government. Private clubs in particular are vulnerable to such attacks, as they often house sensitive data regarding some of the most wealthy and prominent individuals in the world. Here are some of the latest trends in cyber security.
Phishing
2016 saw the most phishing attacks in history, reports the Anti-Phishing Working Group (APWG). According to the APWG’s new Phishing Activity Trends Report, the total number of phishing attacks in 2016 totaled 1,220,523—a 65 percent increase over 2015.
Phishing is a popular hacking method because “it primarily relies on fooling people,” said APWG Senior Research Fellow Greg Aaron. This makes it imperative for employers and employees to learn how to identify these threats before they harm their places of work. (See sidebar, “Glossary of Cyber Attacks,” Page XX.)
Ransomware
Ransomware attacks, in which hackers use malicious software to encrypt a user’s data and then extort money to decrypt it, increased 50 percent in 2016, according to a report from Verizon Communications Inc. and McAfee Inc. The average price to retrieve captured data was $1,077, reports Symantec. This number represents a 266 percent increase over 2015. A recent IBM Security study discovered that 70 percent of businesses attacked by ransomware paid the ransom. Half of those paid more than $40,000 to get their data back.
What You Don’t Know Might Hurt Your Employer
While clubs and other organizations might have systems in place to reduce the risk of cyber attacks, each employee’s actions are critical to achieving a safe cyber environment. According to a recent Pew Research Center quiz that evaluated knowledge of cyber security among Americans, a majority of respondents answered fewer than half of the questions correctly. You can take the quiz at pewinternet.org/quiz/cybersecurity-knowledge/ to see if you can score better than these results:
· 10 percent could identify an example of a multi-factor authentication screen
· 13 percent knew the purpose a Virtual Private Network (VPN) serves
· 33 percent could identify an encrypted URL
· 39 percent knew “private browsing” mode does not prevent internet service providers from monitoring subscribers’ online activity
· 48 percent could correctly define the term “ransomware”
Organization “insiders” (i.e., employees) are the cause of 30 percent of cyber attacks, reports Haystax Technology, a leading security analytics platform provider:
· 60 percent of organizations believe privileged IT users/admins pose the biggest cyber threat to the company
· 57 percent believe it is contractors and consultants
· 51 percent believe it is regular employees
Generation Gap?
Generations view cyber security differently. A 2016 study by Forcepoint, a computer security software company, showed that nearly two-in-three millennials use their cell phones for both work and personal use. While 70 percent of this group says they understand and use strong passwords, 42 percent use the same password across multiple systems and apps.
Millennials are also vulnerable due to their use of public Wi-Fi networks. Ten percent use public Wi-Fi to access work systems and accounts, 23 percent download content to their work devices from public networks and 10 percent do not change their online habits when using private versus public wireless networks. Perhaps most alarming, 54 percent of millennials said they would rather boost their internet speed than improve their personal online security. Just 33 percent of millennials have secure passwords, compared to 53 percent of baby boomers.
When it comes to cyber security knowledge, younger generations tend to know more than older groups; however, it varies depending on the subject, reports a Pew Research Center quiz. While respondents ages 18 to 29 correctly answered questions regarding private browsing and GPS tracking at a rate more than 23 percentage points higher than respondents 65 and older, the younger generation was worse at identifying a phishing attack by two percentage points.
Overall, those ages 18 to 29 answered six of 13 questions correctly, while those 65 and older answered five correctly.
Cyber Insurance
According to a 2016 survey by the Risk Management Society, a nonprofit made up of risk management professionals, 80 percent of responding organizations had purchased standalone cyber insurance. The number grew 29 percent from the previous year.
The respondents’ biggest areas of concern were reputational harm (82%), business interruption and expenses from a network outage (76%), costs related to notification (76%), cyber extortion (63%) and trade secret and IP theft (42%).
Eighty-one percent of surveyed organizations said they have a cyber attack response plan in place and 85 percent of that group said their legal department was involved in that plan.
Physical Security
Clubs, other segments of the hospitality industry and schools now have more tools to maintain safety on their campuses.
Beacon Technology
Innovations like beacon technology can communicate with users’ devices to send important information. Beacon technology can tell users, such as school children, where buildings and classrooms are by using a multi-level mapping system. It can also identify who is on the campus and where they are located. Combining these features, users can be told where to go in case of an emergency.
Biometric Technology
Spanning the areas of both physical and cyber security, biometric technology’s presence is growing. A survey by Market Wired forecasts that the global biometric technologies market will reach $41.5 billion by 2020 from a total of $14.9 billion in 2015.
On platforms like mobile payment and online banking, biometrics can be utilized via smartphone to read a user’s fingerprints. The same type of verification is now being applied to point of sales machines as well. MasterCard has gone as far as to develop a concept called “selfie pay,” which allows users to verify their identity through a picture of themselves.
The Physical Plant
Securing the physical plant takes comprehensive planning. It involves having a disaster planning team, sufficient staff training, emergency contacts, a site map, routine inspections, IT preparation and equipment to ensure the facility can operate while in an emergency.
Vital equipment during a disaster or emergency includes:
Generators/Surge protectors/Battery backups: These can keep a club powered during an emergency or crisis.
Server protection: These store and share vital information for your club’s needs and should be kept running and out of harm’s way during an emergency.
Data Backup Systems: These systems protect a club’s critical information.
Key communications systems: A reliable internet connection, two-way radios and other phone systems can facilitate vital communications during a club’s most vulnerable moments.
Reliance on Technology
As clubs and other businesses increase their reliance on user-friendly and easy access technology, it is becoming more important to protect organizational data and those it serves from cyber criminals. The expansion of technology has provided numerous benefits to the private club industry; however, these advancements also pose serious threats to clubs’ reputations, services and members. By implementing up-to-date cyber security measures and monitoring the latest threats and best practices, clubs can reduce the threat of a cyber attack and mitigate any damages from a data breach.
Sidebars:
What Hospitality Employers Should Do Now
Employers in the hospitality industry should consider the following steps to reduce their cyber threat risk:
- Adopt appropriate policies to prevent data breaches, and take special care to protect devices with access to point-of-sale information.
- Be aware that drafting policies is effective only if employees are adequately trained to follow those policies.
- Never assume that employees already know or follow data security best practices.
- If you have a high employee turnover, consider conducting frequent trainings to ensure that recent hires are aware of applicable security policies.
- In addition to taking steps to prevent security breaches, develop a security breach rapid response plan and team that includes a procedure for alerting impacted customers, employees and financial institutions.
Source: Epstein Becker & Green Law Blog
Glossary of Cyber Attacks
Here is a brief description of some of the most common cyber attacks.
Malware: Harmful software, including viruses and ransomware, that performs a variety of actions that can sabotage a system. They include taking over a machine, monitoring actions and sending confidential data from a computer to a hacker.
Phishing: A strategy used by hackers to trick users into opening malicious links or software. The malicious content can be disguised as legitimate emails, attachments or files sent to the user.
SQL Injection Attack: SQL or “sequel” (structured query language) is a programming language used to manage data stored in databases. An SQL injection attack targets these servers to force them to divulge information such as credit card numbers, usernames, passwords and other personal information.
Cross-Site Scripting (XSS): Similar to an SQL injection attack, malicious code is sent to a website, but instead of attacking the website, the software attacks users when they visit the targeted webpage.
Denial of Service (DoS): Overloading a website with traffic in order to crash it or otherwise prevent users from accessing it.
Session Hijacking and Man-in-the-Middle Attacks: This type of attack occurs when an attacker hijacks the unique session information transmitted between a user and a web server in order to gain access to unauthorized data on the web server. The attacker can also use the data to pose as the user.
Credential Reuse: Users often reuse the same login information for multiple sites. Once attackers have a user’s login credentials, they may attempt, often successfully, to access other websites using that same login.
Source: Rapid7, a global technology security and IT consultant.
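To make the SQL injection entry above concrete for a club’s IT staff, here is an added example (not from the glossary’s source) showing why a query built by pasting user input into SQL text divulges rows it should not, and how a parameterized query fixes it. The member table, its rows and the lookup functions are constructed for this illustration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real club system.
MEMBERS = [
    ("alice", "alice@example.com", "4111-xxxx-xxxx-1111"),
    ("bob", "bob@example.com", "5500-xxxx-xxxx-0004"),
]


def make_db():
    """Create an in-memory database with a small constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: user input becomes SQL."""
    sql = "SELECT username, email FROM members WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver passes the input as data, never as SQL."""
    sql = "SELECT username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Compare how many rows each lookup returns for a normal and a hostile input."""
    conn = make_db()
    normal = "alice"
    # A username containing a quote and a SQL fragment: the classic illustrative
    # input used in SQL-injection training material.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),   # 1 row
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)), # every row
        "safe_normal": len(lookup_safe(conn, normal)),               # 1 row
        "safe_hostile": len(lookup_safe(conn, hostile)),             # 0 rows
    }


if __name__ == "__main__":
    print(demo())
```

The hostile string turns the concatenated query into `WHERE username = '' OR '1'='1'`, which matches every member; the parameterized version looks for a literal username containing that text and finds none.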
Top 10 Threats to Club Security
• Potential threats go unrecognized and unmitigated.
• Security gaps go unidentified and unmitigated.
• Attacker perspective not applied.
• Lack of imagination in considering the range of possible threats.
• Lack of a holistic risk management plan.
• Lack of an incident response plan.
• Lack of a proper command and control mechanism.
• Lack of local medical, fire and police integration to security plans.
• Member safety undermined by a ‘convenience over security’ approach.
• Overreliance on technical security countermeasures.
Source: TorchStone
Club Trends Summer 2017