Last year broke all records for data loss in breaches and cyberattacks on individuals, governments, and companies, including ski areas. Driven by a wide range of motivations—from financial gain, to ideology, to espionage or even terrorism—individual hackers, activists, organized criminals, and governments are attacking networks with increasing severity.
A cyberattack can cost a ski area millions in lost revenue, credit card company fines, lost time, lost staff, destroyed equipment, and guest lawsuits. It can also be devastating to an organization’s reputation. So, it’s more important than ever to take steps to protect your business.
How Did We Get Here?
As technology has become more accessible to businesses worldwide, the amount of data that’s out there continues to grow exponentially, as does the rate at which organizations share it. Billions of machines—tablets, smartphones, ATM machines, security installations, chairlifts, snow guns—are all linked together, exponentially increasing interdependencies. Consider right now how much of your resort’s business relies on technology. The list is nearly endless.
In this digital reality, our identities are captured in data—credit reports, driver’s licenses, phone data, car GPS, social posts, etc. Ski areas have an obligation to handle personal data with care. To buy lift tickets, reserve rental equipment, or take a lesson, guests complete numerous financial transactions, disclosing private information with an expectation that the resort will protect it. Unfortunately, the more automated we get, the more vulnerable we become to cybercrime.
What is a Data Breach?
A breach is an incident where cybercriminals access, share, or steal confidential, sensitive, or protected data. Breaches occur when technology is not maintained and when businesses are undereducated about popular hacking methods.
As large organizations have improved their cybersecurity and more small businesses go online, hackers have shifted their attention from major companies such as Costco, Target, and Marriott (all of which have suffered breaches) to smaller targets. According to CNBC, in 2019, 43 percent of cyberattacks were aimed at small businesses, perhaps buoyed by the fact that only 14 percent of small businesses were prepared to defend themselves. Small businesses have historically had a difficult time recovering from a major security breach due to the lack of both IT and financial resources.
How do Breaches Occur?
The three most prevalent cyberattacks are phishing, brute force attacks, and malware.
Phishing is considered a social engineering attack. Through email, social media, or even phone calls, attackers deceive targets by posing as people or organizations that you trust. The hacker’s goal is to get an employee to give access to or provide sensitive data.
Brute force attacks use software to guess passwords. With sophisticated code-breaking software, hackers may need only a few seconds to guess weak passwords.
Malware is software designed to interfere with a computer’s normal operation. “Malware” is a blanket term for viruses, trojans, and other destructive programs hackers use to infect systems and networks in order to gain access to sensitive information, send spam, or steal data. It can be identified by slow computer performance, browser redirects, infection warnings, problems shutting down or starting your computer, and frequent pop-up ads. The most malicious and profitable malware is ransomware, which, once installed on a victim’s machine, encrypts their files and then demands a ransom (usually in Bitcoin) to return that data to the user.
Cost Breakdown: Before vs. After
Cybersecurity breaches and cybersecurity resources that make IT systems less breachable have something in common: They both cost money. The difference is that the price for security that prevents a breach can be calculated up front and accounted for in the IT budget, while the exact cost of recovering from a cybersecurity breach cannot.
Recent government reports estimate the cost of these breaches ranges from $30,000 to $4 million. That’s a wide range. When you consider the many costs that can follow whichever type of breach would be costliest for your organization, from fixing the IT problem that led to the breach, to loss of business, to reputation damage, estimating the price of recovery at the highest conceivable cost may be the only way to be sure you have budgeted enough to absorb a breach.
There are a variety of financial factors to consider when it comes to pricing out recovery costs:
1. Incident response company. The first step after a breach is to work with specialists to help manage the emergency, provide forensics on the breach, and get you back up and running. These services range anywhere from $30,000 to $150,000 per incident.
2. Ransom to regain access to and/or retrieve lost data. The FBI suggests that victims should never pay a ransom. At the very least, never negotiate or pay a ransom yourself; always involve the experts. Still, most businesses do pay, with an average ransom of $178,000, out of fear that the breached data might otherwise be leaked on public platforms.
3. Equipment recovery and replacement. Some hacks not only hold data hostage but also destroy devices. Recovery might necessitate building temporary infrastructure, rebuilding current programs, adding resources to make up for systems that were shut down, or having to unplug and isolate computers. Depending on the size of your network, this can run tens of thousands of dollars.
4. Attorneys and legal services. You will need a team to help navigate privacy laws and possible lawsuits. Legal fees can add up quickly, but an average retainer is about $25,000.
5. Lost revenue due to downtime. How long can your organization survive without being able to operate or even communicate your situation to employees and guests? The average downtime a company experiences after a ransomware attack is 21 days, according to Coveware, which studies ransomware case data. Downtime is the costliest aspect of a ransomware attack. Recovering from a ransomware attack is 10 times the cost of the ransom payment, according to Sophos research.
6. Increased insurance premiums from your cyber insurance policy—if you have one. After a breach, the cost of a cyber insurance policy increases. According to data security solutions provider SecurityMetrics, a cyber insurance policy can cost from $650 to $120,000 a year.
7. Customer loss. According to a survey by PCI Pal, 83 percent of U.S. consumers claim they will stop spending at a business for several months immediately after a security breach; 21 percent will never return. Consumers also reported that they trust the retail and travel industries least, and that they are only comfortable sharing credit card information over the phone to companies that have earned their explicit trust.
8. Increased borrowing fees and interest rates. Following a cybersecurity incident, victims often see a spike in borrowing or reborrowing fees due to a drop in their credit score rating. Although you might feel the attack was out of your control, lenders might not see it that way.
Though there is no silver bullet for cybersecurity, there is silver buckshot in the form of security systems and staff training programs. The best way to protect yourself and your resort is to avoid being a victim in the first place. No security plan is perfect, but there are ways you can defend yourself.
Don’t wait to update software. When software vendors release updates, apply them as soon as possible. These updates contain patches that resolve the latest known exploits and vulnerabilities.
The WannaCry ransomware attack in May 2017, which exploited a vulnerability in the Windows operating system, is a good cautionary tale about not updating software. Though the attack occurred in May, the vulnerability that WannaCry exploited had been fixed by Microsoft in March 2017, two months prior to the worldwide outbreak. Many of the affected users simply had not patched their operating system in time, resulting in widespread disruption at significant cost to the victims.
Enforce strong passwords and multi-factor authentication. We all know that a strong password includes a combination of random letters, numbers, and symbols. But that’s hard to remember when you have 10 different passwords to keep track of. So, what do we do? Either use the same password for everything or use a weak password that we can easily remember.
According to the website haveibeenpwned.com, easily guessed passwords like 123456 are still widely used. That password, 123456, has been seen in data breaches more than 24 million times. To make matters worse, a 2019 Google study shows that 64 percent of people admit to reusing passwords across multiple sites. This is a problem, because even if someone has a complex password, a data breach at Facebook or Adobe could lead to the user’s account getting breached on your company’s site through a process known as credential stuffing.
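As an added example that is not part of the article, the following Python script shows how a defender can tell the two login attacks named above apart in an authentication log: a brute force burst hammers one account, while credential stuffing tries one leaked password per account across many accounts. The log format, IP addresses and account names are constructed for the example, and the script also lists accounts that were successfully entered from a flagged source.

```python
# Added example (not from the article); the log lines below are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
2024-01-15T08:00:01 203.0.113.7 jsmith FAIL
2024-01-15T08:00:02 203.0.113.7 jsmith FAIL
2024-01-15T08:00:03 203.0.113.7 jsmith FAIL
2024-01-15T08:00:04 203.0.113.7 jsmith FAIL
2024-01-15T08:00:05 203.0.113.7 jsmith FAIL
2024-01-15T08:01:10 198.51.100.9 jsmith FAIL
2024-01-15T08:01:11 198.51.100.9 mlee FAIL
2024-01-15T08:01:12 198.51.100.9 akhan FAIL
2024-01-15T08:01:13 198.51.100.9 bwong FAIL
2024-01-15T08:01:14 198.51.100.9 rpatel OK
2024-01-15T08:01:15 198.51.100.9 cdiaz FAIL
2024-01-15T08:05:00 192.0.2.5 mlee FAIL
2024-01-15T08:05:09 192.0.2.5 mlee OK
"""  # constructed format: "<timestamp> <source_ip> <account> <result>"

def parse_log(text):
    """Yield (timestamp, ip, account, result) for each non-blank line."""
    for line in text.splitlines():
        if line.strip():
            yield tuple(line.split())

def classify_sources(text, fail_threshold=5, spread_ratio=0.8):
    """Label each source IP with >= fail_threshold failed logins as brute_force
    (one account hammered), credential_stuffing (one try per account) or mixed."""
    failed = defaultdict(list)          # ip -> accounts that failed from it
    for _, ip, account, result in parse_log(text):
        if result == "FAIL":
            failed[ip].append(account)
    findings = {}
    for ip, accounts in failed.items():
        if len(accounts) < fail_threshold:
            continue                    # a few typos, not a campaign
        distinct = len(set(accounts))
        if distinct == 1:
            findings[ip] = "brute_force"
        elif distinct >= spread_ratio * len(accounts):
            findings[ip] = "credential_stuffing"
        else:
            findings[ip] = "mixed"
    return findings

def successful_logins_from(text, findings):
    """Accounts that logged in OK from a flagged source: treat as compromised."""
    return sorted({acct for _, ip, acct, res in parse_log(text)
                   if res == "OK" and ip in findings})
```

A successful login from a flagged source is the event to act on: reset that account's password and confirm it has MFA enabled.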
Multi-factor authentication (MFA) and two-factor authentication (2FA) are tools that can help mitigate cybersecurity risks. The goal of MFA is to provide a multi-layered defense, which helps ensure that the users who access your system are who they say they are. Even if one factor is compromised, there are still more barriers to breach. 2FA adds an extra layer of security to your users’ account logins by requiring two types of authentication.
Back up critical data. Backup software offers protection for business data by copying data from servers, databases, desktops, laptops, and other devices in case of user error, corrupt files, or an emergency that renders critical data inaccessible. It can also protect sensitive business data in the event of a hardware malfunction, hacker penetration, and other threats posed to digitally stored information. It is essential to have a system backup strategy—preferably daily or weekly—that creates a backup copy you could use in case of a major incident. It’s also important to be aware that data can become corrupted at any given moment in the backup process, so testing your backups on a regular basis is important.
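One way to make "test your backups" routine, as an added Python example that is not from the article or any backup product: write a SHA-256 manifest alongside each backup and re-check it later, so a copy that was silently corrupted or lost a file is caught before you need it. The directory names and file contents are constructed for the demonstration.

```python
# Added example (not from the article): back up a directory with a SHA-256
# manifest, then verify it, as a routine test that the copy is still intact.
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src, dest):
    """Copy every file under src into dest and record each file's digest."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_of(p)   # digest of the original, so a bad copy is caught too
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=1))
    return manifest

def verify_backup(dest):
    """Return the files that are missing or whose digest no longer matches."""
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]

def demo():
    """Constructed data: a fresh backup verifies clean, a damaged one does not."""
    root = Path(tempfile.mkdtemp())
    src, dest = root / "live", root / "backup"
    (src / "reports").mkdir(parents=True)
    (src / "guests.csv").write_text("id,name\n1,Constructed Guest\n")
    (src / "reports" / "q1.txt").write_text("constructed season pass totals\n")
    make_backup(src, dest)
    before = verify_backup(dest)
    (dest / "guests.csv").write_bytes(b"\x00corrupted")  # simulate silent corruption
    (dest / "reports" / "q1.txt").unlink()                # simulate a lost file
    after = verify_backup(dest)
    shutil.rmtree(root)
    return before, after
```

Keep the manifest with the backup and run verify_backup on a schedule; a non-empty result means the copy cannot be trusted for a restore.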
Educate employees. It’s imperative to educate employees about best security practices and ways to avoid socially engineered attacks, as they will be the first line of defense in combating the cybersecurity threat. If employees are not privy to what the threats are, how to notice them, and what to do about them, they become a risk rather than a source of prevention.
Consider the top five reasons human error leads to a hack:
1. Increased use of social media by staff.
2. Failure of staff to understand new threats.
3. General negligence/carelessness with websites and applications.
4. Lack of security expertise with websites and applications.
5. Failure of staff to follow security procedures and policies.
Cybersecurity is for everyone, not just the IT department. All the time and capital you’ve invested in a robust security plan means nothing if human error is not addressed. Protect your company, your employees, and your security investment by making sure everyone in your organization is executing cybersecurity best practices.
Ski resorts are relying more on technology each year. Developing a strategic, customized, and comprehensive cybersecurity program, driven from the top, will help your organization be more prepared if—and when—you are targeted with a cyberattack.