Hilton Hotels: Cybersecurity Risk Analysis

"There are only two types of companies: those that have been hacked and those that will be." Robert Mueller, FBI Director, 2012.

Cybersecurity has become a major concern for many businesses, and new challenges emerge every day. Hilton Hotels faces these challenges daily, creating an urgent need to identify, assess and respond to the associated risks. As a leading competitor in the hospitality industry, we are constantly under attack from cyber criminals. We are not alone in this: there have been numerous successful attacks against other players in our industry, causing severe financial losses and stakeholder concern. We must act, as an organizational whole, to implement an appropriate course of action.

What are the chances of a cyber attack hitting our organization? Is it possible that cyber criminals are in our systems right now? If so, what is our biggest risk?

The chances of a cyber attack hitting our organization are more likely than not. In today's technology-driven world, threats are so numerous that the question is not "if" we will be attacked, but when. Wherever credit card information or other sensitive data is stored, there is a high probability of attempts to acquire or modify that data. There is also a high probability that cyber criminals are in our systems right now: many of the recent breaches were found to have gone on for months, even years, before being detected. Our greatest risk is the unpredictable behaviour and lack of skill of the end users of our database and information technology systems. Employees accessing our network from personal devices present a further security risk.
Given the sophistication of today's laptops and personal computers, with the added complexity of cloud server technology, it is more difficult than ever not only to prevent cyber attacks but also to detect them. According to a 2013 mathematical research study conducted by City University of London, the chances of a malware or other viral attack are greater from dissatisfied employees. The research also indicates that the main sources of these infections were personal computing devices brought into the workplace and/or connected to the company's information system. The probabilities are as follows on page two:

The study notes that this data is based on a sample and cannot show the true probabilities of cyber attacks, because it is impossible to parameterize all the variables that could lead to a cybersecurity breach. The likelihood of a cyber attack against us is therefore probably greater than these numbers indicate, given the nature and extent of the personal information for which we are responsible.

In 2012 Wyndham Hotel Group was hacked in what is now known as one of the worst cybersecurity breaches of all time. Wyndham Hotels was responsible for allowing three separate instances of unauthorized access to its computer network and property management servers, which held customer payment card account numbers, expiration dates and security codes. 619,000 customer account numbers were compromised, totaling $10.6 million in fraudulent charges.

Breach 1: In April 2008, intruders breached a hotel's Internet-connected local computer network and its property management system. Over the following month, the intruders used a brute-force attack to compromise an administrator's account; the attack locked out 212 accounts before they could successfully log in.
Because Wyndham's computer inventory system was inadequate, they were unable to locate the computers causing the account lockouts, leaving them unaware of the compromise of their network for four months. Additionally, because of inadequate security measures between the individual hotel system and the corporate system, once the administrator's account was accessed the intruders were able to reach the property management systems of multiple Wyndham hotels. The server operating system used by the hotel was outdated and no longer supported by the vendor, so it had not received security updates for three years. Once the intruders gained access to multiple servers, they installed memory-scraping malware to capture card data during payment processing. In addition to stealing data in transit, they also accessed and stole files containing unencrypted past account information. By breaking into one hotel network, the intruders gained access to forty-one separate hotels and stole over 500,000 card account records.

Breach 2: In March 2009, intruders again gained access to the hotel network via a service provider's administrator account. In addition to using the same memory-scraping malware to steal information from the servers of more than thirty hotels, they also reconfigured Wyndham's software so that its systems created unencrypted files of all affected hotel guests. As a result of this breach, 50,000 customer accounts were accessed and used for fraudulent charges. Wyndham staff did not discover the breach until numerous customers filed complaints.

Breach 3: In late 2009, intruders again gained access to Wyndham's network via an administrator account. Since nothing had been done to restrict access between Wyndham hotels, the intruders again used the same memory-scraping malware to steal the account information of 69,000 customers from twenty-eight hotels. Again, Wyndham did not detect the intrusion itself but was notified by the credit card company.
(https://consumermediallc.files.wordpress.com/2015/08/120626wyndamhotelscmpt.pdf)

Cybersecurity forms an important part of our organization's risk assessment and plays an important role in ensuring we achieve our goals. Cyber risk assessment is key in shaping management decisions about control activities and in determining what is protected and how it is protected. We must evaluate the likely methods of attack and prepare defense strategies in response. As can be seen from the probability graph above, attacks can come from both internal and external sources. We must implement preventive and detective controls, including general information technology controls. These controls will only be effective if communication is triggered when a control indicates a problem. To ensure timely action during a suspected breach, a map of the people who need to be notified should be created in advance. As we saw with Wyndham Hotels, breaches went on for months without anyone noticing. With active controls and effective communication strategies, we can mitigate these risks.

First, we should "establish responsibility for the problem on an interdepartmental basis." A senior officer with cross-departmental authority, other than the CIO, should lead a team. Next, we should "appoint a cross-organizational cyber risk management team with representation from all stakeholder departments. So, we need to meet regularly and develop relationships for the board." Executives should monitor and report quantifiable metrics of the business impact of cyber threat risk management efforts. Internal audits of the effectiveness of cyber threat risk management should be conducted quarterly. Therefore, we must "develop and adopt an organization-wide cyber risk management plan and internal communications strategy across all departments and business units." All stakeholders must participate in the development of the business plan and feel "understood".
Finally, we must "develop and adopt a total cyber risk budget including sufficient resources." Since cybersecurity affects the entire organization, its budget should reflect this rather than being tied to one department. We should also ask ourselves the following questions: "What data and how much data are we willing to lose or have compromised? How should our investments in cyber risk mitigation be split between basic and advanced defenses? What options are available to help us transfer certain cyber risks?" (https://na.theiia.org/standards-guidance/Public%20Documents/NACD-Financial-Lines.pdf)

The following are controls we should consider.
1) Identify the riskiest contact points and ensure the presence of adequate firewalls between individual hotel systems and the corporate system.
2) Educate our employees on the appropriate procedures to prevent cyber attacks on our company.
3) Develop or purchase software that links daily information changes with a master file and notifies the relevant officials when data has been changed or pulled outside a daily period.
4) Areas requiring a password should be limited to three login attempts; exceeding this threshold should result in account suspension with notification to the appropriate officials.
5) After five account suspensions, a notice with the inventory numbers/IP address of the originating machine should be sent to the relevant officials.

Once the suggested controls are implemented, management should do the following to monitor them:
1) There should be continuous monitoring, both daily and periodic. Some information needs to be checked daily to ensure the controls are working as required.
2) There should also be event-based monitoring: "discrepancies, or even fraud, can occur as part of normal processing or in special circumstances, such as when there are high-value transactions. Malicious attacks are likely in many IT environments. Accordingly, specific controls should be in place to detect and report unusual activities to an entity within the organization specifically charged with investigating and determining whether preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls used and provide assurance on the effectiveness of such controls or provide timely warning that they may have been breached."
3) We must also practice continuous monitoring by implementing technology that monitors and evaluates particular controls on an ongoing basis.
4) We should conduct special reviews on a quarterly basis to evaluate controls – "The legislation.
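As an added illustration of controls 4 and 5 above (example code written for this page, not part of the original essay or any Hilton system), the following Python monitor replays constructed login events, suspends an account once it exceeds three failed attempts, and raises a host-level notice after five suspensions from one machine, identified by the inventory number and IP address that Wyndham was unable to recover. The log line format, inventory numbers, IPs and account names are assumptions.

```python
import re
from collections import defaultdict

MAX_ATTEMPTS = 3      # control 4: three failed logins allowed, the next one suspends
MAX_SUSPENSIONS = 5   # control 5: five suspensions from one host triggers a notice

# Assumed event format: every attempt records the inventory number and IP of the
# originating machine, the detail Wyndham's inadequate inventory could not provide.
LINE_RE = re.compile(
    r"inv=(?P<inv>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def attempts(inv, ip, user, results):
    """Build constructed log lines for one account from one machine."""
    return [f"inv={inv} ip={ip} user={user} result={r}" for r in results]


# Constructed sample log (not real data): a front-desk account that fails three times
# and then succeeds, five accounts attacked from one workstation, and a later
# attempt on an account that is already suspended.
SAMPLE_LOG = (
    attempts("FD-0007", "10.1.9.8", "frontdesk", ["FAIL", "FAIL", "FAIL", "OK"])
    + [line for user in ("admin", "jsmith", "mlee", "rkhan", "svc_pms")
       for line in attempts("WS-0142", "10.1.5.23", user, ["FAIL"] * 4)]
    + attempts("WS-0142", "10.1.5.23", "admin", ["OK"])
)


def monitor(lines, max_attempts=MAX_ATTEMPTS, max_suspensions=MAX_SUSPENSIONS):
    """Replay auth events; return suspended accounts and the notices to send."""
    failures = defaultdict(int)             # consecutive failures per account
    suspensions_by_host = defaultdict(int)  # suspensions attributed to (inv, ip)
    suspended, notices = set(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than stop monitoring
        inv, ip, user, result = m.group("inv", "ip", "user", "result")
        if user in suspended:  # any further activity on a suspended account
            notices.append(f"DENIED: attempt on suspended account {user} from {inv}/{ip}")
            continue
        if result == "OK":
            failures[user] = 0  # a successful login resets the counter
            continue
        failures[user] += 1
        if failures[user] > max_attempts:
            suspended.add(user)
            suspensions_by_host[(inv, ip)] += 1
            notices.append(f"SUSPEND: account {user} after {failures[user]} failed attempts from {inv}/{ip}")
            if suspensions_by_host[(inv, ip)] == max_suspensions:
                notices.append(f"HOST NOTICE: {max_suspensions} suspensions originated from inventory {inv} at {ip}")
    return {"suspended": sorted(suspended), "notices": notices}
```

Running `monitor(SAMPLE_LOG)` suspends the five attacked accounts, leaves the front-desk account untouched, and emits the host notice on the fifth suspension from WS-0142.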