Cyber criminals operating on the dark web, buying and selling illegally-obtained personal data and other commercially-sensitive information, is now a well-established black market economy. Why should this concern you?
Businesses in the hospitality sector are a target for cyber criminals because of the personal data and other valuable information they hold.
What is the dark web?
The dark web is an online black marketplace where criminals can operate, buying and selling data and illegal goods and services, such as cyber attack software. It works on the principle of “onion routing” where anonymity is achieved by rerouting someone’s internet activity through many dispersed IP addresses, which hide the identity of the computer from which the traffic originates.
One estimate indicates that there are 1.7million individual connections on the dark web per day with over half of sites being used for illegal purposes.
An attack on your business
The market for personal data in particular is now well developed, which means that if a cyber thief can access your data, they can sell it on to others. It is then aggregated with other information bought illegally (e.g. the ID of compromised servers), or publicly available information (e.g. social media posts by your staff). This enables criminals to undertake more sophisticated attacks on your business such as socially engineered phishing, including falsified emails and telephone calls. In this way, random attacks are followed by more focussed attacks.
Other attacks may include encrypting your data and seeking a ransom for its release. Spyware and unlawful money transfers commonly result. There are many examples of companies in the hospitality sector which have suffered this fate.
Losing customer data, financial data, details of your commercial plans and activities, financial theft and damaged reputation could be catastrophic. And failing to take the necessary steps to protect personal data is now a breach of the law as well as potentially a breach of any relevant professional obligations.
How do you protect your business?
It is essential that you carry out a proper risk assessment of your systems and security arrangements, and cure vulnerabilities, in respect of the three key areas.
Technology: firewalls and anti-virus software are a given, but unless they are properly set up and configured correctly, criminals will get round them. Undertake penetration testing and scanning to pressure test everything and find out where the leaks are (and there will be some!).
People: Many issues are caused by people falling prey to criminal tricks, such as false and impersonated emails, opening attachments containing malware, connecting an infected device or using a weak password. So give your staff proper cyber awareness training. Have them complete some tests to see what they have learnt. And then test the effectiveness of this by undertaking some simulated phishing attacks to discover what else needs to be done.
Governance: ensure you have the correct policies, procedures and maintenance arrangements in place to cover the risks of e.g. Bring Your Own Device (BYOD), password control, remote working, use of cloud platforms etc.
Doing nothing is not an option.