
Cybersecurity for the Tourism & Hospitality Sectors Webinar FAQs
These FAQs are derived from the webinar content in which Candice Sutherland (Cyber Insurance Underwriter @iToo Special Risks), Christo Snyman (National Director of Forensic Services @Mazars Forensic Services) and Terence Govender (National Director of IT Advisory @Mazars SA) were panellists.
Cyber threats
Q: What is cybercrime?
Cybercrime, or computer-oriented crime, is a crime that involves a computer (or phone or tablet) and a network. The computer may have been used in the commission of a crime, or it may be a target. Cybercrimes can be defined as: “Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause mental harm, or loss, to the victim directly or indirectly.” (Adapted from the US Department of Defence)
Various forms of cybercrime are much more prevalent than most people likely realise.
Some stats:
75 records stolen every second by hackers
24% of data breaches are the result of human error (and are therefore preventable), e.g. falling for phishing or business process errors
30 000 websites are hacked daily
R3 500 average cost of a stolen record on the black market
South Africa is the third-worst country in the world in terms of cybercrime attacks. 84% of South African adults have been a victim of cybercrime.
The average time it takes a company to identify a breach is about 150 days, followed by an average of about 40 days to contain it. During those 40 days a company may be without reliable access to its data and systems (e.g. booking system, client list, etc.) for much of the time. For many companies, this would prove to be financially crippling.
It has been shown that the top 3 cost-reducing factors for companies who experience such an event are:
- Having an incident response team in place.
- Extensive use of data encryption.
- Participation in risk sharing, e.g. cyber insurance cover.
Q: What are common cybercrimes?
Phishing
Phishing is the use of fake email messages to get personal information from internet users.
A common scam involves cybercriminals impersonating an individual or organisation who would gain your confidence: a company CEO, customer service agent, member of a government branch (e.g. SARS), NGO, etc. An email originating from this ‘trusted source’ prompts you to click on a link, open an attachment or complete a form in order to receive funds, change banking details, etc. The link or attachment can download malware onto your machine (for example ransomware that encrypts your files, after which you are asked to pay to unlock them), or the form can harvest additional information from you (passwords, banking details, etc.). Vishing is the same scam carried out by phone call; smishing is the SMS version.
It is very important that if you receive any request for a change in banking details, you do not accept the correspondence itself as valid. Contact your client, supplier or contractor directly, using a phone number you already have on file rather than one given in the email, and confirm the change request. Also contact your bank and ask them to confirm the correct banking details before paying.
Malware
Malicious software, or malware, is a general term for computer programmes that are specifically designed to infiltrate and harm computers without the user’s consent. It can include computer viruses, worms, Trojan horses, ransomware, spyware, adware, etc.
Ransomware
Ransomware is a type of malware that locks, encrypts, or threatens to publish the contents of a user’s hard drive (e.g. files or data) unless a ransom is paid. Generally, the ransom is demanded in cryptocurrency because payments are pseudonymous and much harder to trace than bank transfers.
Cybercriminals
These are highly sophisticated individuals or teams who exploit technology to steal sensitive company or personal information for the purposes of profit. They build detailed profiles on users, know how you act online, who you contact and, for all intents and purposes, are extremely convincing (sometimes displaying legitimate email addresses, bank accounts, letterheads, etc.)
Q: How do I know if my personal data has been breached?
The introduction of the POPI act will make it law that a business must inform their stakeholders (i.e. shareholders, customers, suppliers, contractors, etc.) of any breach in personal information. Previously this has not been the case, and company data breaches could result in not only personal information being sold, e.g. for marketing purposes, but also used to carry out identity theft and other cybercrimes—unbeknownst to the individuals whose data was hacked.
Furthermore, under POPI, if a company does not notify the regulator that they have been hacked, they can face a R10 million fine or 10 years in prison.
If you would like to check whether your email address has appeared in a known data breach, enter it on the website https://haveibeenpwned.com/. It will list the breaches in which the address was found, when each occurred, and what kinds of data (passwords, phone numbers, etc.) were exposed.
Q: What is the POPI Act?
The Protection of Personal Information (POPI) Act gives effect to a constitutional right to privacy. It establishes minimum requirements with which business must comply when processing personal information.
The remaining sections of the POPI Act commenced on 1 July 2020, setting out how businesses must lawfully process and protect personally identifiable information (PII). The regulator has given businesses until 30 June 2021 to comply.
Under POPI, an employer may be held liable for the conduct of its employees, regardless of whether there is any wilful or negligent conduct on the part of the employer. Not only can the employer be held liable, the employee or custodian of data (or a device that holds data) can also be held liable and face a fine.
In the coming months, SATIB will unpack what POPI means for tourism and hospitality businesses in more detail.
Q: What is the connection between Covid-19 and cybercrime?
Covid-19 and the lockdown have resulted in an unprecedented increase in the number of individuals working from home. The speed and magnitude at which this change occurred means that very few organisations have prepared for this type of scenario in their Business Continuity Planning (BCP).
All types of employers and employees are vulnerable. Why?
- People are more relaxed at home than in an office and may, therefore, let down their guard. There is a mindset that cybercrime only happens at the office.
- Remote working users do not always have antivirus software and/or a virtual private network (VPN).
- Home computers are rarely protected with antivirus or personal firewall software.
- Users are spending a lot more time online, interacting with more touchpoints, and leaving a larger digital footprint.
These factors have created the perfect ‘playground’ for cybercriminals.
Q: What industries are targeted the most by cybercriminals?
Any business with a computer, employee, or client is a possible target. Cybercriminals do not discriminate: they start from the weakest link and look for any opportunity to exploit.
However, there are some categories that cybercriminals will tend to target, including home working users (for the reasons stated above), SMMEs, and the health industry due to the high value of health data.
SMMEs are more vulnerable because they often do not have the budget to spend on security software, monitoring tools, and resources. And due to Covid-19, many smaller businesses are trying to increase their resilience by offering online services/purchases, unfortunately with little consideration for IT security.
Q: How and to whom do you report cybercrime?
You can report cybercrime to the South African Police Service (SAPS) or at http://cybercrime.org.za/reporting.
A specialist will need to take a forensic image of the affected hard drive or device, and the service provider may need to be subpoenaed to try to determine where the activity originated. This can prove difficult, as cybercriminals often work from remote locations and know how to evade detection. SAPS can then complete an investigation.
Q: Is cybercrime an issue in the tourism and hospitality sectors?
Yes. The digital presence of tourism and hospitality businesses has been growing steadily with the offering of more products, services, and transactions online. As a result of handling and storing large volumes of guest and customer data, cyber exposure has increased.
There have been several high-profile cases of such businesses being hacked:
- Orbitz: an old version of the Orbitz website was hacked, exposing personal details and payment card info. Orbitz is now owned by Expedia.
- WWPKG: specialised in tours in Japan. Senior management was hacked at the head office, compromising their customer database, which contained clients’ personal information and purchase history.
- com: scammers managed to get customers’ details and sent emails pretending to be the hotel asking to settle their account online prior to arrival.
- com: had stolen over USD300 000 worth of airline tickets for the low-cost carrier Citilink. The hackers then sold the tickets on Facebook.
- Worldwide Package Travel Service: was forced to close its stores in Hong Kong after the travel agency’s computer systems were locked down and held to ransom by hackers.
Prevention & Protection
Q: What can I do to safeguard myself and my organisation (as best possible)?
Taking the necessary steps to mitigate cyber threats and prevent an attack is obviously the first priority before having to contain and recover from an incident once it unfolds.
Do:
- Ensure laptops have antivirus software and that USB ports are set to scan.
- Ensure that the relevant virtual private network (VPN) software is installed and/or 2-factor authentication (2FA) is implemented.
- Ensure hard disk encryption is installed.
- Ensure you are able to log into the network with a password. If there is no password, something may be amiss.
- Ensure personal PCs and laptops have antivirus software and that you have a personal firewall.
- Report any strange emails or activities with your PC or laptop.
- Be very careful with clicking on unknown links and never engage email from unknown or suspicious sources.
Do not:
- Visit websites that are unsecured or suspicious, especially where you are transacting and/or providing PII.
- Transact with retail, banking or financial sites that do not use HTTPS (the S is for Secure). Note that HTTPS only protects the connection; phishing sites use it too, so also check that the domain name is the one you expect.
- Provide financial or personal information to anyone requesting it over the telephone or internet unless you are expecting and can verify it. (A recent scam has involved malicious individuals purporting to be Covid-19 contact tracers requesting personal information.)
- Respond to any Covid-19 emails requesting information. (Google blocked 250 million scam emails related to Covid-19 between March and May.)
Q: What should I look for in antivirus software?
Antivirus software has become much more sophisticated in the last few years. It is designed to prevent, search for, detect and remove software viruses and all forms of malware, including ransomware.
It is advisable to pay a bit extra for a reputable paid package rather than rely on a free service. Look for a package that includes a firewall, a VPN, and a password manager (vault) that encrypts and protects your passwords. The software should receive signature updates (the vendor publishes a new signature whenever a virus or malware sample is identified) and apply them automatically.
In free antivirus software, these updates may not occur as frequently or automatically. However, a free service will give you some level of protection and is better than having nothing at all.
Don’t think that if you are an Apple user you don’t need antivirus software or that it isn’t available. The way macOS (and iOS on iPhone and iPad) is designed makes it somewhat harder to compromise, but it can still be breached. There are several antivirus products available for Apple devices, and a reputable paid product will give you the necessary level of protection.
Securing your mobile phone (or tablet) is often overlooked but is also very important. Malware can be built into apps that you download. A number of antivirus brands now offer mobile products that block malware and monitor activity (alerting you if something in a download looks malicious). Securing a mobile phone completely is more difficult than securing a computer, but a mobile antivirus product will give you a higher level of security.
Q: What is a VPN, and why is it important?
A virtual private network (VPN) establishes a secure, encrypted tunnel across a public internet connection. Traffic between your device and the VPN endpoint (for example your office network) is encrypted, so it cannot be read on the local Wi-Fi or by your internet provider; beyond the endpoint it is protected only as well as the destination site is (HTTPS, etc.). A VPN is highly recommended for all users, especially those working from home, and a multi-factor authenticated VPN for remote access is one of the minimum security requirements for a cyber insurance policy (see below).
Q: Is it safer to work on the cloud?
Cloud environments have become far more sophisticated over the last few years. The two largest cloud providers, Amazon Web Services (AWS) and Microsoft Azure, have invested heavily in security, and offer monitoring tools that continuously analyse activity and information flows and flag anything suspicious.
With more and more people moving to the cloud, it is a target for cybercriminals. However, storing your data in the cloud is still generally more secure than doing so on your machine at home or in the office.
Note, however, that the provider secures the underlying infrastructure, while how you configure your own accounts, access rights and storage remains your responsibility. If you operate in the cloud, you are still the custodian of that data, and therefore liable.
Q: How can I mitigate risk on social media platforms?
The more personal information you share online, the more exposed you are. You have no recourse once your information is in the public domain. Cybercriminals can build in-depth profiles based on this information in order to exploit you or impersonate you for phishing attacks.
Be very careful with the amount of personal information you share online and on social media and do not post information like your real-time location. (Note that cyberstalking is another form of cybercrime.) Some antivirus software can now scan your social media feeds for scams and malicious links.
Q: How should I manage my passwords?
Do not keep passwords in a plain spreadsheet or document: anyone who gains access to the file (or to a backup of it) gets every password at once. A paid antivirus package usually includes a password manager (vault) that stores them encrypted and can generate strong, unique passwords for you; dedicated password managers do the same. A browser’s built-in password store (e.g. Google Chrome’s) is tied to that browser and its account, so a dedicated vault protected by a strong master passphrase and 2FA is preferable.
In addition to the password tips under ‘minimum security requirements’ for cyber insurance below, it is a good idea to use a passphrase (a combination of several words) rather than just one word with numbers and symbols. The longer your password, the more guesses an attacker needs to crack it.
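To make the “longer is stronger” point concrete, the block below is an added example for this FAQ (not from the webinar) that puts numbers on the two styles of password mentioned above: an 8-character password drawn from the 94 printable ASCII characters (the insurer’s minimum, see below) versus a passphrase of five words picked at random from a 7 776-word list. It also generates a passphrase using Python’s `secrets` module. The guessing rate of ten billion guesses per second and the small demo word list are assumptions made for the example; a real passphrase must come from a list of thousands of words, chosen at random rather than made up, or the entropy figure does not apply.

```python
"""Entropy comparison: short complex password vs random multi-word passphrase."""
import math
import secrets


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy for `positions` independent, uniformly random choices."""
    return positions * math.log2(choices_per_position)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    return (2 ** bits) / guesses_per_second / (60 * 60 * 24 * 365)


def generate_passphrase(words: list, count: int, separator: str = "-") -> str:
    """Pick `count` words with a CSPRNG (secrets.choice), joined by separator."""
    if count < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words) for _ in range(count))


# Constructed mini word list for the demo. Entropy per word is log2(len(list)),
# so a 16-word list gives only 4 bits per word; real lists have thousands.
DEMO_WORDS = ["lodge", "safari", "harbour", "coral", "dune", "vineyard",
              "baobab", "kettle", "lantern", "compass", "canvas", "saddle",
              "orchard", "granite", "ember", "meadow"]


def compare() -> dict:
    """Entropy of the password styles discussed in the FAQ."""
    return {
        "8 chars, 94 symbols": entropy_bits(94, 8),
        "12 chars, 94 symbols": entropy_bits(94, 12),
        "5 words, 7776-word list": entropy_bits(7776, 5),
        "5 words, 16-word demo list": entropy_bits(len(DEMO_WORDS), 5),
    }


if __name__ == "__main__":
    rate = 1e10  # assumed offline cracking rate, guesses per second
    for label, bits in compare().items():
        print(f"{label:28s} {bits:6.1f} bits  "
              f"~{years_to_exhaust(bits, rate):.1e} years to exhaust at {rate:.0e}/s")
    print("sample passphrase (weak: tiny list):", generate_passphrase(DEMO_WORDS, 5))
```

The five-word passphrase from a full list comes out at roughly 65 bits against about 52 bits for the 8-character password, despite being easier to remember; the same five words from the 16-word demo list give only 20 bits, which is why the size of the word list matters as much as the number of words.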
Cyber insurance
Q: What is a cyber insurance policy?
A cyber insurance policy can be purchased by a company to provide cover against a network security breach or a privacy breach. The triggers are defined as:
- Network security breach: means a downstream attack, or unauthorised access to, unauthorised use of, theft of data from, denial of service attack, or transmission of malicious code to the insured’s computer system, including physical theft of the insured’s computer system, or any part thereof.
- Privacy breach: means a breach of confidentiality, infringement, or violation of any right to privacy, which results in harm to employees or third parties.
The standard cyber insurance policy contains the following, regardless of your business type:
Insuring clause A in a cyber insurance policy is for cyber liability. That will defend you, the insured, if there is a privacy or network security breach, including the defence and settlement of third-party liability claims arising from the compromised data or as a result of system security failures causing harm to third-party systems and data.
Insuring clause B is for crisis management and notification expenses, including notifications, PR campaigns (e.g. spokesperson training), remediation services, and credit and identity theft monitoring for every individual in the company.
Insuring clause C is for data recovery and business interruption. It covers expenses for proper forensic specialists to investigate, contain, and manage the breach and recover business operations. A cyber policy has a non-physical damage business interruption trigger and covers losses for the amount of time that your network and/or business was down and unable to trade (interrupted) as a result of the breach. It also covers loss of business income (what you would have earned had the breach not occurred) and the costs to restore/recover data and operations (e.g. overtime work incurred).
Insuring clause D is for cyber extortion in the event that you are held to ransom. It covers expenses for specialists to investigate and mitigate a cyber extortion threat and, where required, expenses for specialists to negotiate and settle extortion amounts.
Insuring clause E is for digital media liability. This is for the liability associated with content that is published or broadcast (e.g. social media content, videos, graphics, audios, etc.) that results in defamation, unintentional infringement, or unintentional invasion or interference.
Depending on your specific business type, there are some optional modules that you can purchase:
Initial response phase: waives your deductible for a period of 72 hours. This is typically only offered to clients with a very large deductible (e.g. R250 000 or R1 million deductible).
E-financial loss: covers the theft of funds (the unrecoverable loss of money belonging to, or for which you are legally responsible), which is specifically excluded from standard cyber insurance policies but can be extended if requested.
Outsourced service provider (OSP): means you can extend your cyber policy to cover an outsourced service provider for the provision of the services that they provide to you.
Physical damage: covers the cost to replace or repair any direct physical damage of tangible property as a result of a system incident.
Phone phreaking: covers the costs associated with your phone system being hacked (e.g. premium-rated calls).
Payment card industry (PCI): applies to the fines and penalties incurred by a merchant as a result of a breach of debit or credit card information. If you are a merchant accepting debit or credit cards, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council (SSC).
It is important when underwriting a cyber policy that you disclose how many records you are storing—not only current employees and active clients, but taking into account your data destruction policy and how far back your records date. It’s important for you to quantify and understand your business in terms of true exposure before a breach occurs.
Also, because POPI is strict liability and no negligence is required, it means that your cyber insurance policy can cover fines and penalties imposed by the regulatory body under POPI.
Q: How do we respond to a cyber incident?
You should immediately assemble an incident response team comprising top management as well as the following:
- Insurance broker and underwriter linked to your cyber policy to ascertain how your policy will respond.
- Attorney who is experienced in cyber breaches.
- Forensics specialist to investigate how the incident occurred.
- Incident containment specialist tasked with cleaning up the systems, recovering data, removing any malware, and helping to quantify your business interruption.
- PR company to deal with crisis communications and the reputational damage associated with a cyber breach. You will also need to notify all affected parties.
- Remediation services specialist to deal with credit and identity theft monitoring.
Q: How do I establish what cyber Insurance cover limit I need for my business?
The Ponemon Institute estimates that it will cost you R2 325 per record breached (Cost of a Data Breach Report 2020), and you need to assume that every record will be exposed.
You can calculate your base limit of cyber cover by adding your number of employees and number of clients (taking into account your data destruction policy and how far back your records date). Then multiply this number by 2 325 to reach your base limit.
If you are an SME, another way to set your limit is as a multiple of annual revenue: half, one times, or two times revenue.
Also note that the higher your deductible is, the more it will bring down your premium. The deductible is the amount paid out of pocket by the policyholder before an insurance provider will pay any expenses.
For instance, iToo’s minimum deductible is R15 000. The minimum limit is R1 million, the maximum limit is R150 million, and there is excess layer insurance available if you require a higher limit.
Your insurance broker and underwriter will assist you in establishing what cover and limit are best suited to your business needs.
Q: What is excluded from cyber insurance policies?
Key exclusions of a standard cyber insurance policy are the following:
- Prior circumstances and litigation, i.e. your policy will not cover an incident that occurred prior to its inception
- Company conduct
- Bodily injury and property damage
- Service interruptions, professional services, product liability
- Contractual breach, e.g. if you are using outdated or pirated software
- Pollution
- War, riot, terrorism, and confiscation
- Trading losses and monetary transactions
- Software
- Hardware, computer systems
- Unauthorised collection
- Betterment, i.e. a policy will not pay to upgrade your system
- Minimum security requirements
Q: What are the minimum security requirements for a cyber insurance policy?
Minimum security requirements are a condition of cover and have to be in place at inception (when your policy is purchased). They must be maintained throughout the duration of the policy. These are analogous with cyber risk mitigation measures and best practices that your business should adopt whether or not you decide to take out a cyber policy.
The minimum security requirements are:
- Firewalls implemented to restrict access to digitally stored sensitive information.
- All sensitive systems secured in accordance with the insured’s technical security requirements and/or standards.
- Antivirus and/or anti-malware software implemented on all desktops, laptops, and sensitive systems.
- Security-related patches and updates applied within 12 months of release by the provider.
- Password controls implemented on sensitive systems. These controls must include:
- Password length of at least 8 characters comprising lowercase letters, uppercase letters, numbers, and symbols.
- User account passwords changed at least every 120 days.
- User accounts configured to lockout as a result of at most 20 failed authentication attempts
- Accounts prevented from re-using the same password for at least 5 changes.
- All default installation and administration accounts to be secured through either disabling/deleting the account or changing the password from the default password.
- Where possible, all default installation and administration accounts that can be authenticated with directly, and are not secured by disabling/deleting the account, must be renamed on endpoints and servers.
- All unused installation and administration accounts must be disabled/deleted within 90 days.
- Remote access only over secured channels, such as multi-factor authenticated virtual private network (VPN) connections.
- Account privileges must be restricted to the minimum required level to perform required business functions.
- Controls implemented to restrict wireless network access.
- Controls implemented to restrict physical access to offices, server rooms/sensitive processing facilities, and, if applicable, remote locations.
- The system and/or activity logs stored for a minimum period of 6 months for the purposes of forensics investigation and compliance with POPI.
- User privileges must be revoked within 30 days of termination of employment.
- Documented and management approved disaster recovery and business continuity plans.
- Generate backups at least weekly.
- Monitor for the successful generation of backups.
- Test the ability to restore data from backups at least every 6 months.
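Several of the requirements above are numeric thresholds (8 characters and four character classes, 120-day password age, lockout at 20 failures, 5-password history, 30 days to revoke a leaver, weekly backups, a restore test every 6 months), which makes them easy to express as checks you can run against your own account and backup records before an underwriter or auditor asks. The block below is an added example for this FAQ, not from the webinar or from the insurer: the thresholds are the ones listed above, the account and backup records are constructed, and the history check uses plain SHA-256 fingerprints only so that the demo is self-contained (a real system keeps salted, slow hashes such as bcrypt or Argon2 of previous passwords).

```python
"""Minimum-security-requirement checks modelled as code (demo thresholds above)."""
from __future__ import annotations

import hashlib
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8
MAX_PASSWORD_AGE = timedelta(days=120)
MAX_FAILED_ATTEMPTS = 20
HISTORY_DEPTH = 5
REVOKE_WITHIN = timedelta(days=30)
BACKUP_INTERVAL = timedelta(days=7)
RESTORE_TEST_INTERVAL = timedelta(days=183)  # ~6 months


def _fingerprint(password: str) -> str:
    """Demo-only history fingerprint; use a salted slow hash in production."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_complexity_problems(password: str) -> list:
    """Rules a candidate password violates (empty list means it complies)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name} character" for name, ok in classes.items() if not ok]
    return problems


@dataclass
class Account:
    name: str
    password_set_at: datetime
    history: list = field(default_factory=list)  # fingerprints, newest last
    failed_attempts: int = 0
    locked: bool = False
    terminated_at: datetime | None = None
    privileges_revoked: bool = False

    def change_password(self, new_password: str, now: datetime) -> list:
        """Apply complexity and reuse rules; on success record the change."""
        problems = password_complexity_problems(new_password)
        if _fingerprint(new_password) in self.history[-HISTORY_DEPTH:]:
            problems.append(f"reused within last {HISTORY_DEPTH} changes")
        if not problems:
            self.history.append(_fingerprint(new_password))
            self.password_set_at = now
        return problems

    def record_failed_login(self) -> bool:
        """Count a failed attempt; lock at the threshold. Returns locked state."""
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return self.locked

    def findings(self, now: datetime) -> list:
        """Age and leaver checks for this account at time `now`."""
        out = []
        if now - self.password_set_at > MAX_PASSWORD_AGE:
            out.append("password older than 120 days")
        if (self.terminated_at and not self.privileges_revoked
                and now - self.terminated_at > REVOKE_WITHIN):
            out.append("privileges not revoked within 30 days of termination")
        return out


def backup_findings(last_backup: datetime, last_restore_test: datetime,
                    now: datetime) -> list:
    """Backup generation and restore-test cadence checks."""
    out = []
    if now - last_backup > BACKUP_INTERVAL:
        out.append("no backup in the last 7 days")
    if now - last_restore_test > RESTORE_TEST_INTERVAL:
        out.append("restore not tested in the last 6 months")
    return out


def demo() -> dict:
    """Run the checks over constructed records and return the results."""
    now = datetime(2020, 9, 1)
    reception = Account("reception", password_set_at=now - timedelta(days=200))
    stale = reception.findings(now)                          # 200 days old
    first = reception.change_password("Lodge#2020!", now)    # complies
    reuse = reception.change_password("Lodge#2020!", now)    # same again
    weak = reception.change_password("password", now)        # one class only
    locked_after = None
    for attempt in range(1, 30):
        if reception.record_failed_login():
            locked_after = attempt
            break
    leaver = Account("ex-staff", password_set_at=now,
                     terminated_at=now - timedelta(days=45))
    return {
        "stale_findings": stale,
        "first_change_problems": first,
        "reuse_rejected": f"reused within last {HISTORY_DEPTH} changes" in reuse,
        "weak_problems": weak,
        "locked_after": locked_after,
        "leaver_findings": leaver.findings(now),
        "backup_findings": backup_findings(now - timedelta(days=10),
                                          now - timedelta(days=200), now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The thresholds are the insurer’s floors, not targets: the lockout count in particular should be well below 20 on internet-facing logins, and the findings list is meant to be fed into whatever ticketing or monitoring you already have rather than read off a console.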
Many of these requirements do not cost anything to implement unless your business does not already have the primary cybersecurity software in place, e.g. antivirus software, firewalls, VPNs, etc. Note that these are minimums for cover, not targets: security patches should be applied within days or weeks rather than the 12-month ceiling, and a lockout threshold well below 20 attempts is advisable on internet-facing logins.
Q: How do we insure our companies against cybercrime?
If you are interested in finding out more about cyber insurance, you must contact your SATIB insurance broker, who will then work with an underwriter like iToo to ensure that you have the right cover in place to match the needs of your business.