Caleb Hurd, hacker and senior developer for children's website Elf on the Shelf, is blunt about today's security climate. According to Hurd, roughly $400 billion has been lost from companies and individuals due to hacking as of 2015. Since the business of online theft can be conducted from anywhere in the world, has little downside (aside from obvious legal issues) and can be easily concealed, hackers are growing increasingly bold and are profiting from more users than ever before.
However, this doesn't have to be the case. At this year's Hospitality Industry Technology Exposition & Conference, held in New Orleans, Hurd dug into the details of hacking, why hotels should care and what they can do to put up a fight. Here are eight takeaways.
1. You don't have to be impenetrable
At first glance, it might seem that in order to keep digital thieves out of their data, hotels have to build a wall Donald Trump would be proud of. This could not be more wrong, according to Hurd, who said hotels can set their sights much lower.
"You only need to be more annoying than another, easier target," Hurd said. "If you put up any kind of fight, more often than not they will cave."
2. Programming skill is not a factor for hacking success
According to Hurd, more than 70 percent of successful hacks are a result of human error. These errors come from users visiting vulnerable websites or not patching their machines, leaving the door wide open for outsiders to take control of those machines and steal the data on them.
More important than skill, Hurd said, is determination. Many of the most effective hacking methods exist in template programs that hackers use to chip away at a website's defenses, and if these tools don't do the trick on the first or second attempt, the attackers are likely to move on.
3. The friendlier the person, the more susceptible to hacking
The most frequent target for hackers at a business, according to Hurd, is the head of human resources. By impersonating a job applicant having trouble submitting a resume, hackers can sometimes convince HR representatives, simply through a phone conversation, to open files they wouldn't normally open. This problem rings particularly true for hospitality, where people are often hired for their communication skills and their willingness to be helpful and find solutions, making anyone from front-desk staff to GMs equally susceptible to such tactics.
"Hackers are the friendliest LinkedIn Open Networkers," Hurd said. "They like LIONs because they can build massive networks of connections to investigate people. They often don't lie, and investigate people to find the right personality to target—those being the people that are helpful."
4. Practice a physical entry test
Sometimes hackers will appear on-site in a company, impersonating an employee or delivery person to gain physical access to a location and steal information. Large companies are the most vulnerable in these situations, and Hurd recommends practicing for such events.
"Have a friend try to walk into your company and see how far he gets and how long he can be there," Hurd said. "You have to do this one carefully, but it could be an eye-opener."
5. Remember you are an extension of your partnerships
Last year, Target lost 40 million credit card accounts due to a hack, but it wasn't Target that was hacked. Instead, a new third-party HVAC provider the company had begun to work with fell for an email phishing scam. The information the phishers obtained gave them access to Target's server, where they planted a script that copied every credit card transaction with the company for months without anyone knowing it was happening. It was that easy, and yet that complicated.
6. Hire an outside firm to conduct audits
Training employees both inside and outside the IT department is crucial for security, and an outside firm will think like a hacker, which improves your security in the long run. Do you have a server that can't go down no matter what? Are your internal auditors not allowed to call your CEO during a security test? Those are exactly the things a hacker would do.
Hurd used the example of a hacker who learned that the IT department of an unspecified bank was a small staff. The hacker took the bank's main site down with a distributed denial of service attack (which halts a site's processes by overloading it with too many requests), and while the staff's attention was focused on bringing the main site back online, he sprang into action, collecting the bank's accounting information.
7. Check yourself on Google
Many hackers aren't running complicated programs; they are simply experts at using search engines. In fact, effective use of search engines is what outed Hillary Clinton's private email server, and that may be the greatest indication that Google deserves some extra attention.
Through effective Google searches, Hurd himself has found PDFs and Excel spreadsheets containing financial information that had never been released to the public but had been catalogued by Google without the businesses or individuals involved being aware. Not only that, effective use of search engines can uncover login pages and server errors, which help hackers canvass a site.
8. Don't pay ransomware attackers
Hurd did not hedge on this one in the slightest. "Just don't pay them. It encourages them for the future," he said.
Going deeper, a member of the audience said they had been the victim of a ransomware attack and later learned it was perpetrated by one of the company's own IT employees. This prompted Hurd to suggest a separation of duties inside a company: even when IT staff are physically locked out of the accounting department, they can still reach its networks and files.
"We have a double standard on controls," Hurd said. "We lock everything down that we can touch and feel, but when it's digital the doors are left wide open."
Hurd also said not to despair, and to weigh the pros and cons of the digital world alongside the necessity of doing business.
"You take a risk every time you get into a car," Hurd said. "When you decide to take a risk, just be conscious of it. People are so uneducated on hacking today it's like they are getting into cars and don't know they could end up in a wreck."