Hyatt Hotels Corporation’s announcement that guest payment card information was likely accessed by unknown cyber criminals at 250 hotels across the world between August 13 and December 8, 2015, is a reminder of how important cyber security is to your organization. According to its press release, the criminals used malware to gain access to the environment and then collected payment card information from restaurants, spas, golf shops, parking and a limited number of front desks. One difference between this announcement and most payment card breach disclosures is the breadth of the breach. Although presented as a “small percentage”, the cyber criminals were able to cross departments, moving from the restaurants into other areas of the hotels. The breach was nefarious, possibly diabolical, and undoubtedly clever, but nevertheless very preventable.
The Payment Card Industry (PCI) Data Security Standard (DSS) requires adherence to hundreds of specific security controls to maintain proper compliance. But the PCI DSS only applies to the Cardholder Data Environment (CDE), a part of the network most organizations spend a lot of time and effort shrinking to be as small as possible. The rest of the environment, including the network, systems and applications, often has lackluster security because there is no compliance mandate to appropriately secure it. Cyber criminals look for weak points in an environment, establish a foothold, and then use that access to find entry points into the secured networks and search for sensitive information. So where do you think they will attack first?
Securing an environment requires more than just compliance; it requires an enterprise approach to an ongoing program: assessing controls, mitigating vulnerabilities and improving security based on a solid security framework supported by layers of preventative and detective controls. Regulatory and compliance requirements have to be properly addressed, but they should be addressed as part of a security program designed to protect the entire environment, not just a small portion of the environment.
Here are a few tips to help you get started on addressing security across your environment:
- Senior Management Support – Whether driven by the board or championed by an executive, resources are required and that means senior management support.
- Know Your Environment – Understand what information is collected, processed and stored in your environment and where it is in your environment.
- Prevent and Detect – Layers of preventative and detective controls are needed to prevent what you can and detect what you cannot.
- Assess, Mitigate and Repeat – New vulnerabilities and threats are identified on a daily basis; keeping the threats at arm’s length requires a continuous approach.
- Prepare – A security incident is inevitable, and a breach is definitely possible. Prepare and practice both incident and breach response plans.
- Include Service Providers – Vendor risk management practices are critical to protecting your environment and your information. Make sure you include service providers in your assessments.
If you have questions or need assistance, please feel free to contact your RubinBrown advisor or any of our Cyber Security Advisory Services professionals.