It is no surprise to anyone that certain industries are more of a target for cyber criminals than others, although today all businesses are likely on the radar. Financial institutions and large retailers usually get most of the attention. However, four industries are high-value targets and lag behind the preparation curve: hospitality, healthcare, higher education and legal.
According to Verizon's 2016 Data Breach Investigation Report, the data-rich hospitality industry continues to struggle in this area, with Accommodations ranking as the industry with the highest reports of incidents as well as data losses. White Lodging, whose portfolio contains 169 properties, was the victim of data breaches twice within a year.
P.F. Chang's suffered a high-profile breach, as did Starwood Hotels & Resorts, while Hollywood Presbyterian Hospital was the victim of a ransomware extortion hack that required a $17,000 payment to the criminals. Research-focused universities have been the subject of state-sponsored hacking, and earlier this year major law firms acknowledged their problems with intrusions.
Enticed by these four industries' high customer volume and access to personal data and trade secrets, cyber thieves have no reservations about attacking entities in these industries. What makes them vulnerable are the numerous access points into the network and high employee turnover.
For example, some hospitals now have a laptop in almost every patient room as well as on service carts that are often left unattended in hallways as nurses move about the floor. In higher education, thousands of students, alumni and professors can be in a college's system.
Bob Russo, GM of the PCI Security Standards Council, has stated that “franchised hospitality locations are at an exponentially greater risk. Standardization of computer systems among the franchise (and hospitality) models is common and, in the event a security deficiency exists within a specific system, deficiencies will be duplicated among the entire franchise base.”
Law firms are also at a higher risk because they generally allow every employee access to their entire network of client files.
Unfortunately, the common belief is that many businesses in these industries are not implementing best security practices due to the lack of industry standards, poor implementation of software and security, and the overall nature of these industries where broad access into the network is common.
Verizon's 2016 Data Breach Investigation Report places hospitality, healthcare and education among the top eight industries having the largest number of security incidents with confirmed data loss. And just when things can't look worse, ransomware is exploding across the cyber universe. Make no mistake, each of these sectors maintains valuable data that criminals have myriad ways to monetize. Financial motive remains by far the number one factor for perpetrating cyber crimes.
Tips to Manage Your Cyber Risk
Given that cyber criminals have identified four industry sectors as soft targets, what can be done to deny the criminals? Here are 10 tips from industry watchdogs:
One major source of the problem is employee negligence. Phishing attacks remain a potent method to infiltrate a network. Because these four industries have such large numbers of people in the system, the likelihood of success for the hacker is even greater.
The Verizon report notes that, in testing of employees, 30% will open a test phishing message, and another 12% will click on it. These numbers are a dramatic rise from the last two years. Employees remain the weak link in network security, and this is a huge source of vulnerability to these industries. Employee education and training are critical; employees must be educated on why the rules are in place and how their missteps can create catastrophic exposure to their firm or company.
Checklist for Purchasing Data Privacy Insurance
This last point cannot be stressed enough. The market for data privacy insurance continues to evolve as insurers use vastly different forms to write the coverage. Because of the disparity in the policies, where the devil is truly in the details, it is imperative for these vulnerable industries to be more proactive in purchasing cyber insurance. Here are some tips in placing data privacy coverage:
Because these four industries do not see themselves as likely targets, they have been behind in considering and placing data privacy insurance. That is a mistake. The costs associated with restoring data, closing the entry point into the network, and public relations can be huge. These industries need to realize that the major costs in a data breach incident are not related to liability to customers, but to internal costs. Shifting the risk to insurers needs to be a critical part of any data privacy program.
Ransomware: The Next Frontier
According to a report from Intel Corp.'s McAfee Labs, the number of cyberattacks where malware holds user data “hostage” is expected to grow in 2016 as hackers target more companies and advanced software is able to compromise more types of data. See “2016 Threats Predictions.”
The malware encrypts files on a system's hard drive using an unbreakable key, and the attacker decrypts them once a ransom is paid, typically in an online currency such as Bitcoin. The malware is usually delivered via e-mail, which makes the hospitality industry particularly susceptible in light of current trends to communicate with customers through e-mail.
The best defense is a robust backup of all data in an offline environment. Companies must also ensure their computer networks are regularly updated with security patches. Jens Monrad, systems engineer at FireEye, notes that “most malware will execute with the same privileges as the victim executing the payload. If the person getting compromised has local or global administrative privileges, the malicious code will have access to the same resources.”
Cyber insurance is the ultimate backstop in a cyber extortion situation. It can pay the ransom as well as the cost of restoring the network. But remember, it is critical that the insurance be properly placed at inception to ensure the coverage is there when needed.
The Scope of the Problem Is Growing
This year is likely to see a new rash of high-profile breaches in these industries. Hotels, management companies and restaurants are all vulnerable and remain prime targets for criminals. Smaller healthcare and higher educational institutions are ripe for ransomware attacks to extort payments. Law firms and their highly sensitive data make them perpetual targets for the organized crime sector. As the saying goes: “It is not if you will be hacked, but when.” When it comes to deterrence, the best defense is an aggressive offense. Now is the time for action.
Collin Hite leads the Insurance Recovery Group and the Data Privacy & Security practice at the law firm of Hirschler Fleischer in Richmond, VA. He may be reached at 804-771-9595 or by e-mail at [email protected].