Over the past few years, it seems that the hits just keep coming. Hits to cybersecurity, that is. In 2014, the U.S. Office of Personnel Management’s systems were breached, revealing the personnel files of at least 4.2 million former and current federal employees. In 2015, Anthem, the largest for-profit managed-health company in the Blue Cross Blue Shield Association, disclosed that a database with approximately 80 million patient and employee records was exposed. This past fall, Kimpton Hotels confirmed a breach of payment-card information at more than 60 hotels and restaurants that went undetected for more than six months. And WikiLeaks released thousands of hacked emails from DNC accounts, with U.S. intelligence officials alleging that Russia was behind the break-ins in an attempt to interfere with the presidential election.
In addition to data breaches, there’s also the threat of ransomware, in which a type of malware installed on a computer or server encrypts the files, making them inaccessible until a specified ransom is paid. It’s on the rise, with the total volume of ransomware samples known to Intel Security’s McAfee Labs topping 7 million in 2016, a 128-percent year-over-year increase from 2015.
“The reports are very concerning,” says Georgios Mortakis, vice president and chief information security officer for ILG. “In this environment, everyone in an organization needs to take responsibility for data security; it can’t be just left to the IT department.”
Dangerous Game
The consequences of the above-mentioned events are many: Consumers and employees are understandably upset when their private information is leaked. A company’s public image will suffer if shoddy security practices are revealed. In the case of ransomware, paying a ransom or replacing lost data could cost hundreds of thousands of dollars — or more. In addition, the Consumer Financial Protection Bureau (CFPB) recently announced it will begin enforcement in the area of data security, beginning by fining Dwolla, an online payment platform, US$100,000 for misrepresenting its systems as secure.
“The Federal Trade Commission was already active in this area, and now the CFPB is joining in,” says Peter Moody, vice president of business development at Equiant, a leading loan-servicing provider. “If there’s a breach, companies need to demonstrate they’re responsible actors and have a comprehensive and effective compliance-management system. If the agencies find deficiencies, the penalties will be more severe.”
That means information-security professionals have a difficult task: They have to keep up with cyber criminals and the tools to fight them, check off a growing list of compliance requirements, and monitor the security practices of their business partners and employees.
“We have to go above and beyond to minimize risks,” Mortakis says. “We can’t eliminate all threats, but we can reduce their impact by mitigating identified vulnerabilities. As an analogy, if you live in South Florida, you could be affected by a hurricane, so you should be prepared. You can’t stop a hurricane from happening, but you can buy storm shutters. If there’s an incident, we need systems in place to identify the threat immediately, and reduce or eliminate its impact.”
The Weakest Link?
Because so many incidents begin with employee errors, a thorough training program, along with access controls, is essential. “All employees need to have training in security awareness,” Mortakis says. “In addition, you have to enforce the policies and procedures they’re being taught.”
A common door into an IT network is phishing, malicious correspondence trying to get the recipient to take the bait in the form of an attachment or embedded link. In Verizon’s 2016 Data Breach Investigations Report, 30 percent of targeted people opened a phishing email, 13 percent clicked on a phishing attachment, but just 3 percent of targeted individuals alerted management of a possible phishing email. Although you can train employees not to open suspicious emails, the “bad actors” out there are devising better and better strategies to entice them to do so. For example, a recent rash of phishing emails looked like an official email from FedEx, with an attachment about a missed package delivery.
JANUARY – MARCH 2017
RESORTDEVELOPER.COM
VACATION INDUSTRY REVIEW
Data Security
NOT JUST FOR
BY JUDY KENNINGER