Opinion: Cyber risk in the leisure and hospitality sector, is your business protected?

By Sheila Pancholi, Partner, Technology Risk Assurance, RSM UK

Cyber crimes are growing on a global scale and the leisure and hospitality sector is not immune to this. There are particular, and very real, threats to consider. Large customer databases and high transaction volumes present across the sector make data particularly attractive to criminals. In fact, surveys in recent years cite the leisure and hospitality sector as one of the most vulnerable, with the sector in the top three industries most frequently targeted. Here are some interesting facts about cyber crime in the sector:

  • Half of all attacks involve the theft of cardholder data and personally identifiable information.
  • 65 per cent of security breaches arise from point of sale systems.
  • In the past 18 months several major hotel groups have had customers’ credit card details hacked, while in December 2015, JD Wetherspoon reported a data breach to customers.
  • A recent government survey revealed nearly seven out of ten attacks on businesses involved viruses, spyware or malware.
  • Despite experiencing a breach at least once a month, only half of businesses in the sector had taken any recommended actions to identify and address vulnerabilities.
  • Only a third of sector businesses have formal written cyber security policies, and even fewer have an in-built management plan in place.

The sector is constantly under pressure from customers to deliver innovation whilst maintaining value and quality. This is made more difficult by today’s customers being digitally savvy and requiring personalised interaction through diverse channels and increasingly utilised mobile technology. Against this background of user-driven technical change, businesses need to stay ahead of threats by maintaining a digital strategy which will help to protect customer data and maintain customer confidence.

Who's at risk?

Cyber security is a real risk for restaurants and hotels, with common threats that include:

  • unauthorised access to systems;
  • sensitive credit card information leaks;
  • cross-system attacks;
  • malicious software;
  • IP infringement;
  • cyber extortion;
  • customer data sold on the black market;
  • phishing;
  • fake reviews; and
  • online scams.

As a result, anyone in the industry should ask the following fundamental questions:

  • How secure is your network?
  • What do you know about data protection and the associated risks?
  • How much data is there? Where is it stored?
  • Do you encrypt your data at rest, in transit, and in mobile devices?
  • Can your networks be accessed through unsecured public wifi?
  • Is there security and privacy training for your staff?

How to mitigate risk before a cyber event

Sheila Pancholi, Technology Risk Assurance Partner at RSM, commented:

"No matter how secure or resilient a company's system may be, perfect security does not exist. It is not a matter of if but when."

Against this backdrop of the inevitable, the time to prepare for a cyber-incident is not while an attack is ongoing. A critical aspect of cybersecurity is preparedness.

Defence against data breaches comes in many forms; however, a few tips to prevent data breaches and avoid being the victim of a cyberattack include:

  • Installing security software on your company’s servers and computers that provides real-time protection and automatically receives the most up-to-date malware definitions.
  • Making sure your firewalls are enabled and updated regularly with security patches.
  • Training employees on security policies and practices. Employees should be required to use complex passwords and change them frequently.
  • If employees are using mobile devices to access your company’s network, the devices should be equipped with hardware and software data encryption, and passwords or PIN locks should be used.
  • Securing your company’s wifi network, both at the office and at the jobsite, by encrypting your wireless signal, securing your router with a password and filtering addresses of devices so only employees and authorised personnel can access your network.
  • Regularly backing up data offsite or with a trusted cloud storage provider.

If you would like to discuss cyber crime in more detail, please contact Sheila Pancholi at RSM.

RSM is proud to sponsor the 2016 Future of Finance & Development Seminar.