With the onslaught of high-profile breaches so far this year, encryption alone has proven to be no longer enough to protect sensitive information, especially against next-level threats like ransomware. The recent Hard Rock Hotels & Casinos and Loews Hotels breaches highlight the need for better data protection across all industries—especially those that utilize personally identifiable information (PII) data, such as hospitality and retail. Businesses today have become increasingly reliant on vendors to streamline internal operations, outsource tasks, manage employee productivity, and more.
In the case of Hard Rock Hotels, the attacker gained unauthorized access to a third-party reservation system to obtain unencrypted credit card payment information, as well as some guest names, addresses and phone numbers. This breach serves as an example of the dangers third-party companies can pose to enterprise data that is not properly protected, and opens up a larger discussion around traditional encryption.
Ermis Sfakiyanudis, president and CEO of Trivalent, sat down with Inside Counsel to discuss how companies can get ahead of data breaches. “The only way to get ahead of data breaches is to address them as a likely probability, rather than an impossibility. Only then will enterprises begin to embrace next generation protection that secures data at the file level, rendering it useless to unauthorized users—even in the event of a breach,” he said.
“Most of the recent breaches prove that breaches happen to organizations in virtually any industry—hospitality, retail, healthcare, etc. In this case, guests’ PII data, such as names, addresses and credit card information, was stolen in an unexpected hack,” Sfakiyanudis said. “No matter what industry an organization is in, they have critical data that needs to be protected. The rising number of data breaches proves that traditional security methods are no longer enough to protect sensitive data from next generation threats.”
Today, industries that process, store and transmit consumer PII data have a responsibility to keep this information safe because a potential breach doesn’t just impact the organization—it puts consumer safety at risk. Every time a consumer swipes their card or makes a purchase, they are trusting that organization to keep their personal information safe from unauthorized users and hackers. Industries like retail and hospitality use PII data for guest purchases/accommodation bookings and reward programs, and they are often targeted by hackers for this information, but virtually every organization acquires, uses and stores PII.
“Companies are relying on the third party to properly secure sensitive information stored on any device or database managed by the third-party company,” explained Sfakiyanudis. “To ensure that third-party companies are not the weakest link, and only have access to the files they need when they need them, companies need to think beyond traditional security and encryption to keep their sensitive data protected at all times.”
This breach has proven that traditional encryption alone is not capable of protecting data. Hackers are always finding ways around encryption, and organizations must accept that their systems may require a security upgrade. Next-generation threats, such as ransomware and malware, are on the rise, and encryption alone cannot protect against these threats.
He said, “The only way to prevent these threats is through data-centric security protection as part of a defense in depth security architecture. Enterprises need to protect their data at the file level so it remains useless to anyone but authorized users—even in the event of a breach.”
So, how can companies get ahead of data breaches? According to Sfakiyanudis, organizations must think about data protection proactively, rather than reactively. Recognizing that their organization will be breached, company leaders must develop a defense-in-depth approach to protecting critical information, preparing them to handle any threats as they arise.
Sfakiyanudis shared some best practices for enterprises to get ahead of data breaches. Many organizations do have some type of incident response plan to follow in the event of an attack, but these plans are only effective if they are fluid and constantly updated as organizational practices and staff change. Additionally, organizations should charge their security teams with staying up to date on data protection technology and next-level threats, and empower them with the tools to ensure the organization is doing everything possible to protect its information.
“If company leaders make data protection a constant priority, that vigilant approach to information security will flow down through the rest of the organization,” he said. “If data security is something that is top of mind for everyone within an organization, companies are much better prepared to keep their data safe and act swiftly in the event of a breach.”