The Impact on Your Business Operations

Recreational facilities rely on digital technology to run their operations. Unfortunately, nearly every digital system contains design flaws or vulnerabilities that bad actors can exploit. On top of this, the many people who use these systems do not all know how to operate them securely, which adds to the challenge of keeping your systems, software, and data safe.

Any vulnerable system can be exploited, leading to a significant impact on your operations. As an example, one of the more common and crippling attacks is the ransomware attack.

A ransomware attack occurs when a threat actor (the person or organization responsible for the malicious activity) gains unauthorized access to your organization’s network and systems. The threat actor deploys malware (malicious software) that can lock, via encryption, specific systems or services, denying you or anyone else access.

Imagine if the malware affected the centralized program registration system on the day of a programming event at your facility and employees cannot access the system to verify registrations. This would cause a significant disruption to your facility’s operations. The threat actor usually demands a ransom (hence the name ransomware attack) in exchange for the “key” to decrypt or unlock your systems or services.

What would be the impact if your organization does not have adequate systems, software, or data backed up or an alternate means to verify the registrations? Not only would the program be disrupted, but if you could not continue with the program, you would lose money as facility customers would demand refunds.

To make matters worse, in the same attack, the threat actor may also exfiltrate data from your organization. They typically target personally identifiable information of your customers or employees, including home addresses, email accounts, financial information, credit card numbers, and other sensitive data. The threat actor then threatens to release the data if the ransom demands are unmet. If personal information is exposed, legal repercussions are likely, including potential lawsuits and regulatory fines. Moreover, news of such a breach can spread rapidly, damaging the facility’s image and shaking public trust.

Impact on Life and Safety

Recreation facilities today rely heavily on digital systems for a wide range of operations. For example, digital systems are increasingly integral to managing automated access control; automated fire suppression; heating, ventilation, and air conditioning (HVAC); remote operation and sensing for ice making and maintenance; in-house communication networks; and membership services. Digital platforms streamline operations and improve customer experience. However, this dependency opens up new avenues for cyber threats.

Digitally controlled facility access control systems may be attacked. The threat actor could gain access, disable security measures, and unlock doors to various parts of the facility. Or, worse yet, what if you have a packed house and the exits are locked? The risk is not just financial but extends to personal safety. Patrons and staff could find themselves in dangerous situations, highlighting the urgent need for cybersecurity measures.

Behind the scenes, maintenance and facility operations often depend on interconnected systems, software, and data. Facility managers, supervisors, and technicians can leverage digital technologies to manage Internet of Things (IoT) devices. Smart devices can connect to, manage, and monitor system performance in real time. A cyber attack disrupting these systems can cause significant damage or even jeopardize the safety of employees and the public. Imagine a heating system failure in the winter, an intentionally disrupted ice refrigeration system, or a malfunctioning pool filtration system.

At best, the facility would face closure and incur financial losses. At worst, there could be a risk to the safety of your staff and patrons that may have a lasting impact on the community and call for remediation and accountability.

Protect Your Facility

There are literally hundreds of potential actions that you and your organization can take to become more cybersecure. Some of you may already have a mature cybersecurity strategy in place. For those who don’t, there are five key actions you should take to better define your current posture and help you address your cyber risks.

1. Understand your cyber risks

Cyber risks are expressed in terms of likelihood and impact of loss or harm related to compromising an organization’s digital information or information systems, including information technology (IT), operational technology (OT), and those devices and systems connected via the IoT. Simply put, cyber risk is a business risk.

To properly address cyber risks, you need first to understand how your organization is at risk. A risk assessment will help you determine where the risks are and what controls you can consider implementing. It will give you a better understanding of your overall cyber risk. Even a simple “What could go wrong?” exercise is a great first step in helping you to identify and understand cyber risks and what you can do about them.

2. Establish and maintain an asset inventory

As the saying goes, you can’t protect what you don’t know you have. Start an inventory of all your assets — systems, devices, software, and data — that are connected to a network or depend on internet connectivity to function. This will show you what could be at risk and support more effective management of these assets, since you will know what systems, software, and data you have, including their status, versions, and known vulnerabilities. It also lets you track whether the latest system, device, and software patches have been applied so each asset stays safe and up to date.
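One practical way to keep an inventory honest is to reconcile it regularly against what is actually seen on the network. The script below is an added example, not code from the original article or from Rogers Cybersecure Catalyst. All of its data is constructed: the inventory CSV stands in for a facility's spreadsheet of known assets, OBSERVED_HOSTS for the MAC/IP pairs pulled from a switch, DHCP server or scan, and MIN_VERSIONS for an assumed patch baseline. The device names, software names and versions are hypothetical. It reports devices on the network that are not in the inventory, inventoried devices that were not seen, and assets running below the baseline version.

```python
"""Reconcile an asset inventory against hosts observed on the network.

Added example with constructed sample data (not from the original article).
INVENTORY_CSV: what the facility believes it has.
OBSERVED_HOSTS: what was actually seen (e.g. from a switch or DHCP leases).
MIN_VERSIONS: assumed minimum patched version per software product.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed inventory; names, MACs and versions are hypothetical.
INVENTORY_CSV = """\
mac,ip,name,category,software,version,owner
aa:bb:cc:00:00:01,10.0.10.5,registration-srv,IT,RegistrationApp,3.4.1,Front desk
aa:bb:cc:00:00:02,10.0.20.7,door-ctl-main,OT,DoorController,2.1.0,Facilities
aa:bb:cc:00:00:03,10.0.20.9,hvac-gw,OT,HVACGateway,1.8.2,Facilities
aa:bb:cc:00:00:04,10.0.30.4,ice-plant-plc,OT,PlantFirmware,5.0.3,Facilities
"""

# Constructed observation list: (mac, ip) pairs as a switch or DHCP server
# would report them. The last entry is a device nobody inventoried.
OBSERVED_HOSTS = [
    ("AA:BB:CC:00:00:01", "10.0.10.5"),
    ("aa:bb:cc:00:00:02", "10.0.20.7"),
    ("aa:bb:cc:00:00:04", "10.0.30.4"),
    ("de:ad:be:ef:00:99", "10.0.20.23"),
]

# Assumed patch baseline: lowest acceptable version per product.
MIN_VERSIONS = {
    "RegistrationApp": "3.5.0",
    "DoorController": "2.1.0",
    "HVACGateway": "1.9.0",
    "PlantFirmware": "5.0.3",
}


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    name: str
    category: str
    software: str
    version: str
    owner: str


def parse_version(v: str) -> tuple:
    """Turn '1.10.2' or '1.10.2-rc1' into a comparable tuple of ints.

    Comparing as tuples avoids the string-comparison trap where '1.9' > '1.10'.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


def load_inventory(text: str) -> list:
    """Parse the inventory CSV into Asset records."""
    return [Asset(**row) for row in csv.DictReader(io.StringIO(text))]


def reconcile(inventory: list, observed: list, min_versions: dict) -> dict:
    """Compare inventory with observed hosts and the patch baseline.

    Returns:
      unknown: observed (mac, ip) pairs with no inventory record
      missing: inventoried asset names not seen on the network
      stale:   (name, installed, required) for assets below baseline
    """
    by_mac = {a.mac.lower(): a for a in inventory}
    seen = {mac.lower() for mac, _ in observed}

    unknown = [(mac, ip) for mac, ip in observed if mac.lower() not in by_mac]
    missing = [a.name for a in inventory if a.mac.lower() not in seen]
    stale = [
        (a.name, a.version, min_versions[a.software])
        for a in inventory
        if a.software in min_versions
        and parse_version(a.version) < parse_version(min_versions[a.software])
    ]
    return {"unknown": unknown, "missing": missing, "stale": stale}


if __name__ == "__main__":
    report = reconcile(load_inventory(INVENTORY_CSV), OBSERVED_HOSTS, MIN_VERSIONS)
    for mac, ip in report["unknown"]:
        print(f"UNKNOWN DEVICE   {mac} {ip}  (not in inventory: investigate)")
    for name in report["missing"]:
        print(f"NOT SEEN         {name}  (offline, moved, or inventory out of date?)")
    for name, have, need in report["stale"]:
        print(f"BELOW BASELINE   {name}: {have} installed, {need} required")
```

Run the script as-is to see the three findings on the constructed data; in practice you would replace the embedded CSV and host list with exports from your own spreadsheet and network equipment. An unknown device on the OT subnet deserves a visit, not just a ticket, and a "not seen" result is as useful for cleaning the inventory as for spotting a device that has gone dark.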

3. Ensure that you have appropriate training

Everyone in your organization who uses digital technologies should understand how to use that technology effectively. However, knowing what to do if things go wrong may be even more important.

Your staff are often the first line of defense against a cyber attack, so provide them with the training they need: how to safeguard sensitive systems and data, how to recognize anomalous system or software behavior, and who to call when something appears wrong. Staff who know what to look for can quickly bring issues to light, potentially reducing the impact on your facility, other staff, and the public.

4. Create a Cybersecurity Incident Response Plan and include cybersecurity considerations in your Business Continuity Plan

Time for another adage: “If you fail to plan, you plan to fail.” Having already discussed the need to understand the risks to critical assets, recognize that there is a very real possibility of a cyber event affecting those assets, whether from a deliberate attack (e.g. a ransomware attack or vulnerability exploitation), an accidental occurrence (e.g. a misconfiguration or database deletion), or a natural event (e.g. an earthquake or flood). Do you know what you or other staff would do? How can you minimize the impact of such an event? A Cybersecurity Incident Response Plan (IRP) outlines how you would respond and who would be involved. At the same time, you should review your Business Continuity Plan (BCP) to verify that the IRP and the BCP are aligned. This will help ensure your organization is better prepared for a significant cyber event.

5. Conduct a cybersecurity exercise

It’s all fine to have training and plans in place, but how do you know they work? Cybersecurity tabletop exercises are a relatively low-cost yet quick and effective way to assess your organization’s ability to manage a cyber incident. Versatile by nature, these exercises can help you evaluate your IRP, train your team, educate other stakeholders, assess response activities, or identify plan improvements. The primary point is to find a means to assess your plans so that you are confident they work when facing a cyber event.

Conclusion

While digital technologies are introducing new ways of supporting facilities management and helping us be more effective and efficient, they also bring risks. As discussed in this article, cyber risks can have an impact on your business operations as well as on the life and safety of you, your staff, and the public. If you already have a plan to tackle these risks, great. If not, a few low-cost but important actions have been presented that any organization can implement to dramatically improve its cybersecurity posture and mitigate the ever-present cyber risks.

Rogers Cybersecure Catalyst is Toronto Metropolitan University’s national centre for training, innovation and collaboration in cybersecurity. Headquartered in Brampton, ON, and offering programs and services across Canada, the Catalyst empowers individuals and organizations to seize the opportunities and tackle the challenges of cybersecurity. Together with our partners and collaborators, we work to realize a vision of healthy democracies and thriving societies, powered by secure digital technologies.