From movie theaters to amusement parks to myriad types of other entertainment venues, the entertainment industry has been justifiably focused on physical attacks and terrorist threats. However, another insidious form of attack exists, one that can drain assets, create a public relations nightmare and make patrons feel uncertain and insecure when going to an amusement park or entertainment center. The source of all this trouble? Hackers with a ticket to the show.
Cyber thieves can take advantage of the fact that amusement parks and entertainment centers not only run many point of sale (POS) terminals, but also that those payment systems are often owned and managed by different parties:
- Some are managed by the amusement park or entertainment center itself, such as ticket sales, ticket windows and websites that accept online purchases.
- Others belong to vendors, such as the POS systems in stores, coffee shops and hotels that are part of the entertainment complex.
- Still others are the venue's own POS terminals in stores and food and beverage areas inside the amusement park or entertainment center.
This mix of systems and owners leaves gaps in oversight if it is not actively managed. It is tempting for senior management to leave the assessment of this risk entirely to internal IT or to the external POS vendor. Just as a prudent company audits its books, a prudent executive must exercise meaningful oversight over these resources and vendors.
High-value targets require high-level oversight
Entertainment venues need to view their POS systems as among the highest-value targets for intruders, thieves and anyone seeking to disrupt the venue. The availability risk alone is significant: an entertainment center forced to fall back to cash for any period of time, however short, would see a sharp drop in revenue.
Many factors bear on POS system security. They range from who controls, and who is responsible for securing, systems that involve outside vendors, to the fragility of these systems and the requirement that they stay operational at all times. There is also a temptation for senior management to treat POS systems as something "we will fix as we go."
Unfortunately, you can be sure that hackers are all too aware of these issues in the entertainment industry and are actively looking for any gap or vulnerability they can turn to their advantage.
Senior management can go a long way toward neutralizing this threat, however, by taking an active role in reviewing and assessing POS system security.
Seven questions senior management should ask about POS system security
The exact questions depend on the type of POS system and the relationship between the company and that system: whether it is (a) provided and run by a vendor, (b) run by a vendor but on the organization's own IT infrastructure, or (c) run by the park or center itself. Each arrangement calls for its own series of questions from senior management in the entertainment park and complex industry. The following seven questions, however, will yield the fundamental information that senior management needs to better protect the organization:
1. What steps are we taking in order to protect the networks and endpoints on which our POS systems rely?
2. What have we done to validate that these steps work?
- When was our last audit by a third party?
3. Have we reviewed the protections and plans implemented by others who have connections to our networks that can access our POS systems?
- Have we seen and reviewed their audit reports?
4. Are any of our POS systems running on unsupported or vulnerable platforms (e.g., a Windows XP machine running a POS application)?
- What do we have in place to monitor access to these vulnerable platforms?
- How quickly can we be alerted to unauthorized access?
- Do we use endpoint threat monitoring across our network?
5. Which organizations and information sources do the people responsible for our POS systems work with or draw on?
- Are they connected with law enforcement?
- Are they receiving the latest updates regarding threats?
- Do they have an active process in place to ensure that they’re getting the latest information about the threats that face POS systems?
6. Do we have a plan, and the staff, in place for an incident involving our POS systems, and how quickly can we react?
- Who is our incident responder in the event of an issue?
7. In addition to the security of the POS system, have we looked at the different ways that an attacker or insider could gain access to these systems and steal, manipulate or disrupt data?
- Have we done a security risk assessment of our network vulnerabilities?
These questions are designed to help senior management within amusement parks and entertainment centers ensure that they are taking the right steps to review and validate their POS systems. They are also questions that the board should be asking, and that outside regulators could potentially be asking should issues arise.
Owning the responsibility for POS system security
Ultimately, when an incident occurs, senior management will be held accountable for POS system security. If you are a senior executive at an amusement park or entertainment center, have you actually read the report from your most recent PCI assessment? Or was that "someone else's job"?
If your payment card system is supplied by a vendor, have you asked for and read the vendor's most recent PCI assessment report? Or was that, too, "someone else's job"?
Given the current threat landscape and the constant attacks on POS systems, executives who fail to understand these issues may find that their job, too, becomes someone else's job.