How retail and hospitality can protect themselves from increased cyber attacks

By admin
Every industry in the world is vulnerable to phishing and other cyber attacks, but retail and hospitality rank as some of the most high-value targets for hackers looking for personally identifiable information (PII) and payment card information (PCI). These two industries are often ranked among the top three most vulnerable industries, right behind financial institutions. That vulnerability became apparent earlier this month when the MGM Grand cyber attack shut down hundreds of casino games and disabled hotel room cards. The company reportedly lost between $4.2 million and $8.4 million in daily revenue during the attack.

Retail and hospitality (R&H) companies collect PII and PCI data through many customer interaction points – loyalty programs, reservation sites, stored purchase histories, or customer journey data. But the data itself may reside in places vulnerable to attack, like point-of-sale (POS) systems, call centers or shared workstations. In some cases these systems are installed on legacy infrastructure, which often lacks up-to-date authentication controls, potentially leaving customers’ security and personal data at high risk from cyber attacks.

A robust phishing-resistant multi-factor authentication (MFA) solution is needed to protect this kind of data and to access it securely. As industries that often work directly with consumers, R&H has the added challenge of making sure any MFA solution is user friendly and easy to understand. Consumers are often targets of stolen-credential scams through “social engineering” – a recent Verizon Data Breach Investigations Report found that 74% of breaches are caused by stolen credentials. A second-factor method for authentication – or better yet going completely passwordless – is crucial to avoid falling victim to another cyber attack.

Usernames and passwords, and other legacy MFA like SMS, mobile authentication apps and one-time passcodes, will not offer enough security, nor do they enable good user experiences.

Hyatt Hotels and YubiKeys

Recently, Hyatt Hotels reached a security crossroads – legacy authentication systems weren’t meeting their needs. Art Chernobrov, Hyatt’s Director of Identity, Access and Endpoints, had seen enough of the old authentication system. His massive hotel chain had 200,000 employees moving between 1,500 locations (and working remotely), and he had already moved away from traditional usernames and passwords. Employees were using a one-time password (OTP) sent over SMS, which created an atmosphere of ‘MFA fatigue’ as there were numerous MFA prompts daily.

“I’ve seen the compromises in the industry, and other places, that come from fatigue, and MFA requests, that people just blindly accept. You don’t want to be that guy. You don’t want it to be on your watch.”

Art Chernobrov, Director of Identity, Access and Endpoints, Hyatt

YubiKeys offered a solution that worked well with Hyatt’s existing Microsoft authentication like Entra ID (formerly Azure AD) and SSO. With a hardware-bound, phishing-resistant security key, MFA fatigue was no longer an issue and the organization as a whole could embrace a passwordless future.
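Why a relayed SMS code still verifies while a hardware-bound key does not, as an added example that is not part of the original post or Yubico’s own code: a simplified relying-party check modelled on the WebAuthn assertion steps, with a constructed relying party (example-hotel.test) and the signature verification left out.

```python
import base64
import hashlib
import json

# Hypothetical relying party; both names are constructed for this example.
RP_ID = "example-hotel.test"
EXPECTED_ORIGIN = "https://login.example-hotel.test"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    # The browser, not the page, records the origin it is really on.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def authenticator_data(rp_id_used: str) -> bytes:
    # rpIdHash (32 bytes) + flags (user present) + 4-byte signCount, as signed by the key.
    return hashlib.sha256(rp_id_used.encode()).digest() + b"\x01\x00\x00\x00\x00"

def verify_fido_assertion(client_data: bytes, auth_data: bytes, issued: bytes) -> bool:
    # Relying-party binding checks; signature verification is left out for brevity.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(issued):                       # fresh challenge
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:                         # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():   # RP ID binding
        return False
    return bool(auth_data[32] & 0x01)                               # user presence

def verify_sms_otp(submitted: str, issued: str) -> bool:
    # An OTP carries nothing about where it was typed, so a relayed code verifies.
    return submitted == issued

def demo() -> dict:
    challenge = b"\x11" * 32                                        # constructed challenge
    genuine = verify_fido_assertion(browser_client_data(EXPECTED_ORIGIN, challenge),
                                    authenticator_data(RP_ID), challenge)
    # A look-alike site relays the same challenge, but the browser there can only
    # report its own origin and RP ID, so the assertion is rejected.
    fake = "login.example-hote1.test"
    relayed = verify_fido_assertion(browser_client_data("https://" + fake, challenge),
                                    authenticator_data(fake), challenge)
    return {"genuine_key": genuine, "relayed_key": relayed,
            "relayed_otp": verify_sms_otp("483921", "483921")}
```

The OTP comparison succeeds no matter which site collected the code, which is exactly the gap the origin and RP ID checks close for a security key.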

Hyatt Hotels is leveraging YubiKeys and passwordless authentication to reduce risks as well as to elevate guest experiences in their lobbies.

Covering the retail and hospitality cybersecurity bases

Deploying a new MFA solution should start with some due diligence and internal auditing. This is why it’s critical to follow proven guidance to ensure that you have all the information you need. In general, it’s good to start a rollout with your high-value users handling the most sensitive data. These employees are more motivated to follow directions and adopt a new system. Once MFA is road-tested with that group, expand use cases by rolling out to the rest of the workforce.

We recommend making a key applications inventory part of your internal audit. During that inventory, you might ask these questions for each application or authentication scenario.

Who needs access?
What authentication approach will you take?
How do you currently manage access: IAM, IdP, PAM, SSO, or VPN?
What is your workforce like: remote, hybrid, on-premise, or multi-location?
What devices are they using: owned, BYOD, desktop, laptop, smartphone, tablet, POS terminals, or inventory scanners?

Come say hello in Dallas at the RH-ISAC Summit

The 2023 RH-ISAC Cyber Intelligence Summit is coming to Dallas, Texas on October 2-4. Retail and hospitality cyber security experts and executives will be there to discuss the latest technologies that will protect this sector in 2024, and Yubico will also be attending. We offer a discount code for those that want to register here.

All RH-ISAC Core Members are already granted free admission to the event, but the discount code will be applicable for any non-RH-ISAC member. Please come by and see us at table 16 during the show!

——

Read our guide, “How to get started with phishing-resistant MFA to secure retail and hospitality” for more information on how YubiKeys can help your organization. Check out how Hyatt is leveraging YubiKeys in the case study here.