With POPIA in place and data protection more important than ever before, it’s time to assess your risk. How vulnerable do you think you are? The answer might surprise you.
Simon Campbell-Young, VP Global Sales, Digimune, and Lwando Cwane, Underwriting Specialist: Cyber, ITOO Special Risks, recently discussed during a SATIB webinar how exposed small hospitality businesses are and what they should do to protect themselves.
“In the last 18 months, the risk landscape has completely changed,” said Lwando. “We’re seeing the sophistication and the frequency and the severity of cyber incidents increasing. We’ve also seen an increasing number of small businesses seeing some kind of data breach.”
Lwando explained that your key risks in the hospitality industry lie in the types of data you collect from your clients, such as IDs and credit card data.
“The cybersecurity threat landscape is just booming for want of a better term. It’s out of control with ransomware at an all-time high, but also the theft of data from ‘technically’ safe networks,” said Simon.
Where are hospitality businesses most at risk: in the storage of information? In the collection? Where are the weak spots?
POPIA is a tricky area, and businesses need to be aware of the pressure POPIA puts on them.
In the UK and Europe, when GDPR came into effect, every business was fast-tracking to acclimatise to the new restrictions and requirements. As a result, the hacking community was working hard to try and get a foothold in systems where people might lag behind.
The truth is that wherever data is being stored is a potential target zone. And wherever information is then being transferred is an easy target area. For example, if your website is collecting and storing data, that’s an easy place for hackers to infiltrate.
The individual who collected data originally is officially the custodian of that data and responsible for it.
What tools can be used to safeguard information?
Encrypted, secure networks are an essential tool for transferring data. Encryption slows down attackers trying to get at that information.
What will insurance companies look at when a company has been hacked?
An insurance company will investigate whether you, as a business, have put adequate measures in place to protect yourself. This could include:
- Employee training
The weakest link in cybercrime is always human. So, train your staff, so they know how to identify phishing scams. They also need to know the importance of a robust password policy and multifactor authentication.
- Endpoint protection
Are you using reputable antivirus software on your machines? Are you applying patches? Are you using encryption?
- Understand your security posture
You need to think about your security posture proactively. Remember that a bunch of hackers are thinking about it all day, every day. Make sure you have an on-premises security posture that includes protection of devices and training of staff.
- Put in place a risk mitigation solution
Put in place a risk mitigation solution that will help you monitor your off-premise risk profile: any leaked information or exposure across the web.
How affordable are these solutions for small businesses? And do I need a professional to help me?
At a cyber level, it’s completely affordable. There are very clever tools available that are not expensive and are highly sophisticated.
And if you think it won’t happen to you as a small business, it definitely will.
Small businesses are high-value targets because hackers can infiltrate millions and millions of them in one hit. It’s very simple. It doesn’t necessarily need to be a sophisticated, targeted attack. It can be a mass drop. South Africa loses on average R2.2bn to cyber-crime.
Small businesses are in a dangerous space in terms of managing their own data, managing their information and managing their security.
What if I become the victim of an attack? Will insurance cover me?
Insurance will give you a defined incident response process. So, when you purchase a product, you will get access to leading experts who will help you with your breach.
You will have access to:
- An IT forensic team: they will come in when you realise that you have had a breach and help you get back up and running as soon as possible.
- Legal experts to assist you with liability issues.
- A reputation management team who will assist you with brand reputation damage.
Your policy will also include elements such as extortion cover. So, should you receive an extortion demand resulting from ransomware, the team will negotiate with those hackers. They will assess whether the hackers actually have the information they claim to have, and secondly, they will try to get the ransom as low as possible.
Meanwhile, the team will be working in the background to try and decrypt the systems to get you back up and running as soon as possible. If they can’t decrypt the systems, the policy will go as far as to pay for those ransoms.
The policy will also include first-party impact. It will cover you for downtime and additional resources as a result of business interruption.
What happens to your customers who have purchased tickets from you or who have reservations that might have been cancelled due to the hack?
The policy will help you to represent yourself in court for those liability issues and pay for any damages and settlement debts that may ensue.
What should I do when I’ve been hacked, and I don’t have cover in place?
The first thing you should do is go to your backup, and hope that your last backup was taken before the ransomware arrived, because then you can recover.
How often would you recommend that someone in the tourism and hospitality space do backups?
At a personal level, it is advised to back up daily. It’s so easy. It’s cloud-based now.
Suppose you’re an organisation and transactional (you are collecting loads of data and transacting loads of data). In that case, it is advised to have an automated backup running daily. If your data goes missing and you experience a ransomware event, you can’t transact.
Backups are your first port of call.
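As an added example that is not part of the webinar: a small POSIX shell script that keeps several dated backup generations, each with a checksum, so that a copy taken before the ransomware arrived still exists and can be checked before you restore from it. The paths are hypothetical and supplied by the caller; it assumes tar, sha256sum and awk are installed (Linux coreutils).

```shell
#!/bin/sh
# Added example, not from the webinar: versioned daily backups with retention,
# so that a pre-ransomware snapshot still exists when the newest copy is useless.
# Assumes a POSIX shell, tar, sha256sum and awk (Linux coreutils); all paths are
# hypothetical and supplied by the caller.

# backup_snapshot SRC DEST [KEEP]
#   Archives SRC into DEST/backup-<UTC stamp>-<seq>.tar.gz, writes its SHA-256
#   beside it, prunes anything older than the newest KEEP snapshots (default 7)
#   and prints the new archive path.
backup_snapshot() {
  src="$1"; dest="$2"; keep="${3:-7}"
  mkdir -p "$dest"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  n=0
  archive=$(printf '%s/backup-%s-%03d.tar.gz' "$dest" "$stamp" "$n")
  # several runs in the same second get a sequence number, never an overwrite
  while [ -e "$archive" ]; do
    n=$((n + 1))
    archive=$(printf '%s/backup-%s-%03d.tar.gz' "$dest" "$stamp" "$n")
  done
  tar -czf "$archive" -C "$src" .
  sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
  # names sort chronologically, so a reverse sort lists newest first
  ls -1 "$dest"/backup-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
  while read -r old; do
    rm -f "$old" "$old.sha256"
  done
  printf '%s\n' "$archive"
}

# verify_snapshot ARCHIVE
#   Succeeds only if the recorded checksum still matches and tar can read the
#   archive; a snapshot that was encrypted or truncated after the fact fails.
verify_snapshot() {
  archive="$1"
  [ -f "$archive.sha256" ] || return 1
  expected=$(cat "$archive.sha256")
  actual=$(sha256sum "$archive" | awk '{print $1}')
  [ "$expected" = "$actual" ] && tar -tzf "$archive" >/dev/null 2>&1
}

# count_snapshots DEST
#   Prints how many snapshots are currently retained.
count_snapshots() {
  ls -1 "$1"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}
```

Run `backup_snapshot` from a daily cron job and `verify_snapshot` before any restore; keep the destination on storage the production machines cannot write to, otherwise ransomware can encrypt the snapshots along with the live data.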
Is there any indication as to what data hackers are after?
Banks and banking data are much more sensitive, a lot more lucrative than just your name and address. However, having access to a database of names and emails can be used for phishing scams.
How do you delete data on your PC?
There are shredding tools and data destruction tools. Just deleting it is not enough.
If personal data is held by a third-party service provider and is attacked, who is responsible?
You remain the data custodian. You collected that data. You are the touchpoint for that client. Therefore, liability will be on you.