Phishing and ransomware attacks proliferated during the pandemic. Wynn Salisch, principal of Casablanca Payments, a payment-processing and cybersecurity firm specializing in the hospitality and entertainment industries, tells Boxoffice Pro how to prevent cybersecurity headaches before it’s too late.
What is the biggest mistake cinemas make when it comes to credit card security and payment protection?
The biggest mistake that cinemas make, as with almost all businesses, is thinking that they’re too small to be targeted. It’s not about the size of a company, it’s about the opportunity. Two-thirds of all data breaches occur in the small- and medium-size business world, not the large ones. When a breach is traced back to those companies, the fines and penalties come down on them like an avalanche—putting about two-thirds of them out of business within six months. That applies to all small- and medium-size businesses. Fines can come from state and local governments, card brands, or issuing financial institutions. Then there are the legal costs, technical costs, public relations costs, reputation costs, and remediation costs. This is something every business owner needs to be thinking about; it’s a very dangerous game to assume it can’t affect you.
What common vulnerabilities should cinemas know about? And what steps can they take to prevent malicious actions?
The two most serious and most frequent causes of compromises are bad passwords and phishing attacks. The best way you can protect your company and your clients is by creating good passwords. The current guidance from the FBI is that a password should be at least eight characters long. The better passwords today are just three or four unrelated words, squeezed together, eliminating a space, which creates a new word that’s not searchable in any dictionary. For example, if I take the word “troubadour” and corrupt it with numbers and symbols, at 1,000 guesses a second, it will take about three days to crack. If I take four unrelated words and squeeze them together at that same guess rate, it’ll take something like 300 years to crack. You should never use a password twice, “Pussycat1” and “Pussycat2” are not different passwords. If your website has any sensitive information at all, make sure it has a unique password that is long and complex. You can store these passwords in a password manager app. They sync between your laptop, your desktop, and your phone. They’re encrypted to Defense Department standards, so they’re very safe. That is the best way to store passwords.
As it relates to phishing, never open an email that you’re not expecting—and always avoid clicking on links or attachments. The more urgent an email sounds, the more likely it’s a fraudulent email. If you get an email that looks like it’s from your bank, it may look real and it may sound urgent—you’re better off following up with the bank separately than clicking on any of the links or attachments on that email. Another easy preventative step to take is to freeze your credit records, not lock them, but freeze them, because that prevents anybody from pulling your credit record without the owner’s permission.
What should you do once you’ve discovered you’re a victim of one of these crimes?
If you find out that you have been breached, disconnect your computers from the internet immediately. You don’t need to turn them off; just make sure they’re offline. Then you have to get a Payment Card Industry (PCI) forensic investigator to come in and do an investigation into how the whole thing happened and identify the vulnerabilities. That’s the easiest way to figure out how to plug the gaps in your security system.
If you have been attacked by ransomware, that’s a different story entirely. Hopefully, you’ve been backing up your systems to a cloud-based solution or a separate hard drive, where it’s maintaining versions of your backups. Having a recent backup means you can delete your hard drive entirely. I mean totally. You can always go to your backup systems and see the latest version that wasn’t corrupted. You’ll lose some of your more recent stuff, but at least you’ll have most of your data backed up. Ransomware can be installed in three seconds if you click on the wrong email or the wrong attachment. Any email that looks suspicious is probably suspicious. Easy red flags to spot are grammar, syntax, spelling, or punctuation errors—but the biggest red flag is going to be a sense of urgency. These sorts of emails often try to scare you into clicking embedded links or downloading a corrupt attachment.
There are many examples of high-profile digital attacks, but perhaps the most prominent in our industry was the one suffered by Sony Pictures Entertainment ahead of the release of The Interview. Do you believe the entertainment industry has used that wake-up call to effectively protect itself from future threats?
My concern is that something like that has receded into people’s memory. I don’t see many articles written about it. I don’t see much concern about it on the web. I don’t hear people talking about it. There’s always that mindset, “Oh, it can’t happen to us.” This can happen to anyone. Big companies can afford to have stand-alone IT departments monitoring these problems, but it’s something you need to be constantly vigilant about. There is no such thing as a company that is too small for one of these attacks. It can be so overwhelming to think about that it’s tempting to throw your hands up in the air and deal with it later. The issue with that is that once you realize there’s a problem, it’s like shutting the barn door after the horse got out. That’s why the Payment Card Industry Data Security Standard (PCI) was established [in 2006], to get business owners to pay attention and attempt to protect cardholder data.
Can you spot a phishing attack?
Sometimes you can spot a phishing attack and avoid trouble just by deleting the messages. Some of the signs might include the following:
- Suspicious-looking source email address
- Generic greetings like “Dear customer”—instead of the customized greeting most organizations offer
- Spoofed hyperlinks—when you hover your mouse over the link, the destination displayed in the preview is completely different from the destination indicated in the message
- Poor spelling, grammar, punctuation, or syntax
- Suspicious or unusual attachments—treat all attachments and links with caution
How to avoid being tricked by phishing
- Always be suspicious of any message that requests you to click a link or open an attachment.
- Be cautious of any message communicating a sense of urgency or dire consequences should you fail to take immediate action.
- If you are concerned about a message, contact the person or the organization using a different, validated method like a phone number you already had, or check the “Contact Us” information on their website. Never use the links or contact information in the message you are concerned about.
- Be careful not to provide personal or sensitive information in response to a message.
Password Dos & Don’ts
- Don’t use the same password, or variations of the same password, twice.
- Don’t use personal information (name, birth date), keyboard patterns (“qwerty”), sequential numbers (1234), or repeating characters (aaa).
- Don’t make your password all numbers, uppercase letters, or lowercase letters.
- Don’t share your password with anyone or send your password by email.
- Do use long word strings without spaces or randomly generated gibberish passwords.
- Do make your passwords at least 8 characters long,
- For increased security, do mix upper- and lowercase letters, numbers, and symbols depending on the website’s rules.
- Do store passwords securely in a password manager app on your smartphone or computer.
- Do change passwords, at least annually.
- At the very minimum, do use a
- Basic password for websites that don’t store any of your personal information.
- Secure password for retailer websites where you enter your credit card information.
- Very Secure password for financial, medical, and other websites containing your most sensitive information.