5 tips on PMS security for property managers according to a cybersecurity expert
Accommodation managers hold a wealth of sensitive data in their property management databases - from guest details such as name, email address and mobile number, to full card details and passport information. If you treat security as a bit of an afterthought, your entire system could be at risk of a cyber attack.
We asked cybersecurity expert Jon Inns from Threat Status to give us the low-down on five key areas of cybersecurity and how businesses can protect their professional databases.
RMS: Thanks so much for joining us, Jon. Firstly, can you tell us what the biggest threats are to businesses in the accommodation industry?
Jon: In the past, organisations that received card payments from consumers were a popular target for cyber attackers due to the significant amount of cardholder data passing through their systems. That, coupled with the fact that PoS systems are traditionally not well maintained or are outdated, made them an easy target for attackers trying to inject malware onto those devices with the goal of stealing credit card information.
While this is still an active attack, the Verizon 2020 Data Breach Investigations Report (DBIR) has highlighted a shift in direction for attackers recently, stating that “Point of Sale (PoS)-related attacks no longer dominate breaches in Accommodation and Food Services as they have in years past. Instead, responsibility is spread relatively evenly among several different action types such as malware, error and hacking via stolen credentials.”
This means that while the end game remains the same for criminals, which is to make money from their endeavours, they have now identified quicker, easier and more effective ways to convert cyber attacks against accommodation providers into cash.
Convincing insiders to part with funds accidentally (invoice fraud) or crippling systems and demanding money for recovery (ransomware) are now the more common types of attacks. These are less technically sophisticated than previous PoS attacks but far more effective at monetising quickly.
RMS: How do online attackers hack into users’ accounts?
Jon: Cybercriminals are always on the lookout for the best and most efficient ways to help unsuspecting businesses part with their money. Currently, the most popular methods are in the form of either invoice fraud or ransom demands.
Invoice fraud revolves around confidence trickery. By identifying someone within the organisation with authority to execute payments or adjust payee account information and then masquerading as someone they trust, attackers can apply the right pressure to entice the victim into making a financial transfer to a fraudulent account. It might sound unlikely, but with the right timing and persona, these attacks can cause devastating financial losses to organisations.
Making payments usually requires a level of knowledge about how the company handles money. It might also require some special security steps such as entering authorisation codes, especially for sensitive operations like changing banking details. It’s complex, troublesome and attackers might get caught – so it’s not their focus to try and do that directly.
What they really want is to achieve a level of credibility. To do that, they can access computer systems to make themselves convincing. An email from a Nigerian prince using Hotmail isn’t going to fool anyone, but a well-worded email coming directly from an internal address might just do the trick. Here are two examples of trickery:
- Someone in accounts receives a highly convincing email from their stressed CFO asking for a rush funds transfer
- An in-context email arrives from a supplier about changing bank details shortly after having had a discussion with them about an invoice payment
If attackers can gain access to corporate email systems, then they have a vast amount of historical chatter (thanks sent items!) to help them pick the right people, message tone and timing for a successful attack.
The other, blunter method is ransomware, which has risen in success due to its simplicity to execute and its effectiveness. Ransomware can effectively shut down a business, and for organisations with poor backup and recovery plans, the only option (against all cybersecurity advice and principles) may be to pay the criminals. Demands for payments can range from a few thousand dollars to millions. Victims are often left with no alternative but to pay, as without unlock keys, they risk being unable to function. To top it off, they usually have the added threat of having all of their data leaked online, further impacting the business’s reputation.
RMS: How do attackers gain entry?
Jon: One of the most common ways attackers gain entry is through obtaining usernames and passwords for your company - so the question now becomes, how do they get access to your usernames and passwords!?
Well – unfortunately, this isn’t always too difficult. The first approach is using phishing techniques.
Phishing is a well-known attack whereby an email is sent to the user asking them to click a link and carry out some online activity, like updating their email login details. It looks convincing enough and will fool many users who have not had adequate security training, but what users actually see is a fake page controlled by an attacker. As the user updates their details, the attacker captures the information, and an error message tells the user that the update failed. The attacker now has what they were after – a valid username and password.
[Read our recent blog post on phishing to find out more about this type of attack].
The second approach uses data leaked from online applications. According to the Verizon 2020 DBIR report, 37% of all breaches stole or used credentials.
Millions of usernames and passwords are leaked every month through attacks against applications we all use every day, such as personal shopping sites, online games, business forums and so on. Threat Status provides a service which monitors and reports leaked usernames and passwords - in July 2020 alone, we discovered over half a billion leaked user credentials from third-party data breaches.
Criminals often share this leaked data among one another, knowing that many of us use the same password for multiple services. Imagine for a moment that you use an online service for making marketing videos, and you sign up to that service with your work email and a favourite password. A few months later, that marketing video site gets hacked, and the data is stolen. An attacker now has your work email address and password; more importantly, they know you might use that password frequently. This could be very useful for hacking into a corporate system.
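As an added illustration of the leaked-credential monitoring Jon describes (this is example code written for this post, not Threat Status’s service or any real breach data), the script below builds a small constructed corpus of leaked records and checks a credential against it the way a defender would: the password is hashed locally and only a short hash prefix is sent to the lookup, so the checking service never learns the full hash. That prefix-range pattern is the same general approach used by public password-breach lookups; the record format, email addresses and passwords here are all made up for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample of leaked records, shaped like what a breach-monitoring
# corpus might hold: (account email, SHA-1 hex digest of the leaked password).
# Every entry is invented for this example; none is real breach data.
LEAKED_RECORDS = [
    ("alice@example-hotel.test", hashlib.sha1(b"Summer2020!").hexdigest()),
    ("bob@example-hotel.test", hashlib.sha1(b"letmein").hexdigest()),
    ("carol@videosite.test", hashlib.sha1(b"hunter2").hexdigest()),
]

PREFIX_LEN = 5  # hex characters of the digest revealed to the lookup service


def build_index(records):
    """Index the corpus two ways: hash suffixes grouped by their prefix
    (what a range lookup returns) and full digests grouped by email."""
    by_prefix = defaultdict(set)
    by_email = defaultdict(set)
    for email, digest in records:
        by_prefix[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
        by_email[email.lower()].add(digest)
    return by_prefix, by_email


def range_query(by_prefix, prefix):
    """Simulated service endpoint: return every suffix stored under PREFIX.
    The caller sends only the prefix, never the full password hash."""
    return sorted(by_prefix.get(prefix, ()))


def password_is_leaked(password, by_prefix):
    """True if this password (regardless of account) appears in the corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    suffixes = range_query(by_prefix, digest[:PREFIX_LEN])
    # Membership is decided client-side, so the service learns no more than
    # which prefix bucket was asked for.
    return digest[PREFIX_LEN:] in suffixes


def account_is_exposed(email, password, by_email):
    """True if this exact email + password pair has leaked, which is the
    case an attacker would try first against corporate systems."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in by_email.get(email.lower(), set())


def assess(email, password, records=LEAKED_RECORDS):
    """Return a verdict for one credential pair: is the password known to
    be leaked anywhere, and is this specific account/password pair exposed?"""
    by_prefix, by_email = build_index(records)
    return {
        "password_leaked": password_is_leaked(password, by_prefix),
        "account_exposed": account_is_exposed(email, password, by_email),
    }


if __name__ == "__main__":
    # A staff member who reused a password that leaked from another site
    print(assess("alice@example-hotel.test", "Summer2020!"))
    # A password that is in the corpus, but under someone else's account
    print(assess("dave@example-hotel.test", "letmein"))
    # A password with no match at all
    print(assess("alice@example-hotel.test", "correct horse battery staple"))
```

Where `password_leaked` is true but `account_exposed` is false, the password is still weak (it is in circulation among criminals), so a sensible policy is to force a reset in both cases rather than only when the exact pair matches.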
RMS: What information would you give businesses who have limited knowledge in cyber attacks?
Jon: In IT security, we talk a lot about Defence-in-Depth. What that means is that there are multiple ways you could be attacked, and therefore you need multiple layers to help protect yourself. Here are a few things to bear in mind:
- Cyber attackers are a bit like school bullies trying to steal lunch money. They pick on the weak because there are fewer obstacles in the way. The same goes for the majority of cyber attacks, where criminals are looking for the weakest industries and organisations. They don’t have a particular vendetta against hoteliers or the accommodation industry, but if your IT is not well maintained or your staff aren’t trained in what to look out for, then you will become an effective target.
- If your database is weak, you will probably suffer an attack at some point. It takes minimal effort for a criminal to identify and attack a vulnerable company, so it doesn’t matter if you think you’re too big or too small to be worth the trouble. Cyber attacks are becoming a numbers game now, and if an attacker can find a way to extract your cash, then it’s worth their time trying.
- Most cyber attacks are not highly sophisticated, despite what you read in the news. They often use simple but effective tricks, so you need to focus on taking the appropriate security steps to avoid falling into the “weakest” bracket.
RMS: How can businesses protect themselves from being vulnerable to attack?
Jon: There are many preventative steps that you can take to protect your professional database from cyber attacks:
- Have a process that prevents payments to new or updated payee account details without rigorous checks and balances, even if the request is from someone well known, such as a senior manager or trusted supplier. Never rely on an email being truthful; it could be someone manipulating the system from outside of the organisation.
- Keep all your IT patched and up to date. Malware takes advantage of software flaws that are fixed by vendors, but if you don’t patch your software, flaws remain exposed. Don’t forget your PoS systems, which are frequently outdated.
- Implement two-factor authentication on systems like email if possible.
- If you have public-facing web applications, have them independently checked frequently (at least annually) for security vulnerabilities by ethical penetration testers.
- Have a recovery plan. Know that you can restore your files and systems if you do get hit by ransomware. It’s here for the long haul so be prepared.
- Don’t forget to communicate. Nobody wants to be attacked, but that’s what it is – an attack. Organisations who quickly and transparently communicate an attack are often applauded by industry. Organisations who bury the news rarely enjoy the same admiration when the news eventually comes out. There are lots of specialists available who can help you handle your incident if you need them.
[Check out our previous blog, 6 ways to protect your business from cyber attacks, for more insights.]
We hope this insightful Q&A session has given you and your business plenty of food for thought when it comes to protecting your database from unexpected cyber attacks. Stay tuned for the final blog in our security series, which will include a downloadable security checklist for you and your staff.