Whatever the field, it matters to use accurate terms. While baking, it is best not to ask for baking soda if you need baking powder. In basketball, it’s a hoop, not a ring. Confusingly, you spar in a boxing ring (which happens to be square). In the world of data breach research, the term VERIS refers to the Vocabulary for Event Recording and Incident Sharing. Effectively, it is the term for the thing that catalogues the other terms.
The creation of this specific lexicon is the result of an acute need for a standardized approach to battling data incidents and breaches. According to Verizon’s 2020 Data Breach Incident Report (DBIR), a comprehensive 119-page report on the world of data breaches, there were 157,525 incidents and 3,950 breaches in 2019.
The events vary; the threat actors (those behind the events) and the threat actions (the tactics used) always differ. However, trends emerge, and from those trends we must together craft solutions to counter the threat actors’ efforts.
For hospitality – PoS threats trend downward while BECs trend up
In 2015, malware and/or skimmer attacks on PoS were the scourge of hospitality. While still commonplace (accounting for 16% of the industry’s breaches[1]), such attacks have declined. Unfortunately, that does not mean there is no longer reason for concern. Instead, concern has shifted to Business Email Compromises (BECs).
It’s necessary to draw a line of distinction between BECs and the garden-variety email scams that happen to be sent to someone’s work email. BECs tend to be orchestrated, targeted cyber crimes. According to the AppRiver 2019 Global Security Report, “[criminals] gain enough data to launch highly personalized attacks which netted attackers billions of dollars over the course of the year.” BECs, in particular, cost $157K on average[2].
The scenario that makes BECs the threat du jour for hospitality is a threat actor striking for a quick payoff via ransomware while also planting malware (e.g. a Trojan, a backdoor or a C2 agent[3]) to capture data. And unlike PoS attacks, the compromised data may include payment data as well as personal data. The industry’s current tendency to focus on securing only the payment card environment serves to exacerbate the vulnerability.
3 BEC threat actions that the hospitality industry should watch for
- Living Off the Land: Criminals abuse legitimate services and platforms such as SharePoint, Dropbox and OneDrive from previously compromised accounts[4], using the stolen credentials to mine for information on new potential victims.
Why does this work? Because the platforms are legitimate, they seem less suspicious to the recipients the criminals are targeting. Plus, many platforms provide valuable analytics that can tell the criminals what is working and what is not. Compromising CRM platforms (e.g. Salesforce.com) is a particularly valuable approach for the bad guys.
- Impersonation: After gathering company information, often from publicly available sources (e.g. LinkedIn), criminals launch highly personalized attacks by email and other platforms (e.g. SMS)[5].
Why does this work? The cross-platform approach lends false legitimacy in the eyes of the victim and sidesteps standard email security solutions.
- Ransomware: Once upon a time, a ransomware attack was usually considered a data incident rather than a breach, because encrypting data, even while the ransom goes unpaid, does not by itself mean the data was compromised. However, the compromising of data during ransomware attacks has increased (up 2.6% from last year[6]).
Why does this work? Criminals can easily hire out the work through ransomware service providers, who target victims that neglect their security: weak passwords, no multi-factor authentication[7], and neglected backup mechanisms.
A note about email services in hospitality
In the recent past, many corporate email systems have moved to the cloud. Comparing the two leading solutions, Google Suite and Microsoft Office 365, we observed that the latter has become very prevalent in the hospitality industry. However, the cost sensitivity of hospitality businesses has led to substantial adoption of the cheapest licensing tiers, designated E1 and E3. These provide an excellent platform within which teams can collaborate but lack a robust security framework. It is public knowledge that poor identity management security and flaws in inbound detection have contributed to a considerable uptick in BECs. As mentioned above, the theft of credentials (payment and personal) via phishing campaigns is a growing attack vector.
What steps must we take?
A sub-par commitment to cybersecurity, mixed with a service-oriented mindset that places a premium on openness and sharing, puts the hospitality industry at particular risk. Unless you are a very large organization that can afford the financial cost and complexity of in-house cybersecurity, our recommendation is to train your staff and outsource the protection of your digital assets. We propose the following solution:
Email threat protection to solve all three BEC threat actions
The best outcome would be for fraudulent emails never to reach your inbox; then the threat actions would be rendered useless. The best threat intelligence technology relies on a robust security platform and expert human analysis to identify threats and evolve defenses in real time, keeping businesses safe from brand-spoofing attacks, BEC attempts, conversation hijacking, and other potentially harmful forms of social engineering.
Email security defends businesses and trusted individuals from targeted email attacks. We recommend deploying technology that checks the actual sender address of a message against the display names of key people and quarantines or flags messages where the two do not match.
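To make the display-name check described above concrete, here is an added example written for this article (not VENZA’s product or any vendor’s filter). It reads a message’s From and Reply-To headers and flags the message when the display name matches a key person but the address is not from the organization’s domain, when the display name itself carries a trusted address while the real sender is external, or when a trusted sender’s Reply-To silently redirects replies outside the organization. The contact names, domains and sample messages are all constructed.

```python
import email
from email import policy
from email.utils import parseaddr
import unicodedata

# Constructed directory of key people (the names most likely to be impersonated) and the
# domain their mail legitimately comes from. Names and domains are made up for this example.
KEY_CONTACTS = {
    "ana lopez": "example-hotel.com",   # general manager (constructed)
    "ben okafor": "example-hotel.com",  # finance director (constructed)
}
TRUSTED_DOMAINS = {"example-hotel.com"}


def normalize_name(name: str) -> str:
    """Lower-case, strip accents and collapse spaces so 'Ana López' matches 'ana lopez'."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_only.lower().split())


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> dict:
    """Inspect the From/Reply-To headers and return a verdict with the reasons for it."""
    msg = email.message_from_string(raw, policy=policy.default)  # decodes RFC 2047 names
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    sender_domain = domain_of(addr)
    reasons = []

    # 1. Display name matches a key contact, but the address is not from their domain.
    expected = KEY_CONTACTS.get(normalize_name(display))
    if expected and sender_domain != expected:
        reasons.append(f"display name '{display}' matches a key contact but the address "
                       f"is from '{sender_domain}', expected '{expected}'")

    # 2. Display name itself shows a trusted address while the real sender is external.
    if domain_of(display) in TRUSTED_DOMAINS and sender_domain not in TRUSTED_DOMAINS:
        reasons.append(f"display name shows a {domain_of(display)} address but the real "
                       f"sender is '{addr}'")

    # 3. Mail from a trusted sender whose Reply-To sends replies to an outside domain.
    reply_domain = domain_of(reply_addr)
    if sender_domain in TRUSTED_DOMAINS and reply_domain and reply_domain not in TRUSTED_DOMAINS:
        reasons.append(f"Reply-To redirects replies to external domain '{reply_domain}'")

    return {"verdict": "quarantine" if reasons else "deliver",
            "from": addr, "display": display, "reasons": reasons}


# Constructed sample messages (headers only matter for this check).
MSG_LOOKALIKE = """\
From: Ana Lopez <ana.lopez@exarnple-hotel.com>
To: payments@example-hotel.com
Subject: Urgent wire transfer

Please process the attached invoice before noon.
"""
MSG_LEGIT = """\
From: Ana Lopez <ana.lopez@example-hotel.com>
To: payments@example-hotel.com
Subject: Weekly report

Attached as usual.
"""
MSG_FREEMAIL = """\
From: =?utf-8?q?Ana_L=C3=B3pez?= <analopez.gm@freemail.example>
To: payments@example-hotel.com
Subject: Quick favour

Are you at your desk?
"""
MSG_REPLYTO = """\
From: Ben Okafor <ben.okafor@example-hotel.com>
Reply-To: Ben Okafor <ben.okafor.private@freemail.example>
To: payments@example-hotel.com
Subject: Updated bank details

Please use the new account from now on.
"""

if __name__ == "__main__":
    for label, raw in [("lookalike", MSG_LOOKALIKE), ("legit", MSG_LEGIT),
                       ("freemail", MSG_FREEMAIL), ("reply-to", MSG_REPLYTO)]:
        result = check_message(raw)
        print(f"{label:9s} -> {result['verdict']}: {'; '.join(result['reasons']) or 'no findings'}")
```

The directory of key contacts is the piece a deployment has to maintain; in practice it is fed from the HR or identity system rather than hand-written, and the verdict would be one signal alongside SPF/DKIM/DMARC results rather than the only one.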
In the real world, threats evolve and threat actors are always looking for new ways to gain access. That’s why it’s always best to take a layered security approach. Today’s best layered approaches use technology like AI together with “Next-Gen Endpoint Protection” tools to combat threats in real time and avoid or reduce damage. Web protection monitoring/filtering, strong firewall management, and threat monitoring that assesses file integrity on your servers from the inside are all part of a healthy layered security posture.
About the authors
With 30 years in the industry, 25 of them fully dedicated to hospitality technology, Marco Correia is an industry veteran who has a deep understanding of hotel and travel businesses, of technology, and of how to bridge the two to achieve business success. During his career, Marco occupied senior-level positions in hospitality and travel companies such as Belmond and Orient-Express Hotels. He was responsible for large-scale projects worth multiple millions of dollars.
Daniel Johnson is a VENZA Partner and Co-Founder. His function revolves around developing, communicating, executing, and sustaining VENZA’s strategic initiatives. Daniel earned his MSc. from the University of Bristol, England. Before co-founding VENZA, Daniel founded and ran Music for Charities, a tech-based engine built to promote independent music and raise money for non-profit organizations. He was also the Director of Training Delivery at American Systems.
Find out about the features of VENZA’s Email Threat Protection Program in this guide.
1. Verizon 2020 Data Breach Report pg. 44
2. AppRiver Global Report pg. 7
3. Verizon DBIR 2020 pg. 45
4. AppRiver Global Report pg. 5
5. AppRiver Global Report pg. 8
6. DBIR 2020 pg. 9
7. AppRiver Global Report pg. 10