Olivia Hoblit – Mentoring the Next Generation of Hospitality Leaders – Women’s History Month

Olivia Hoblit, Regional Manager of Innisfree Hotels and FRLA Board of Directors Chair

 

 

Mentoring the Next Generation of Hospitality Leaders

FRLA Board of Directors Chair Olivia Hoblit always knew she wanted to be a leader. Coming to the U.S. with her family from the Philippines at the age of 15, she was in a new place but had the drive to overcome any challenges to succeed. She began her career in hospitality in food service at the age of 17, and it was at that restaurant where her life changed. She met a regular customer – actually in the legal profession – who began to mentor her and took her under her wing in the legal field.

As Olivia worked her way up to paralegal and set her sights on law school, something happened that changed her path entirely. She started working part-time at a luxury beachfront boutique hotel – Elizabeth Pointe Lodge – fell in love with hospitality, and began to focus full time on her passion for this industry. The hotel owners invested in her and guided her on this new path, and she credits these important mentors for her love of teaching others.

Her hotel experience beyond the Lodge includes GM of the Seaside Amelia Inn (owned by Innisfree Hotels), The Ritz-Carlton Amelia Island, and now Regional Manager of Innisfree Hotels. She has been honored with awards for her performance and achievements and was selected as one of the Top Women in Lodging by FRLA.

Like women across business, Olivia feels that she sometimes has to work harder in this industry as a woman, but she credits the people who have mentored her and shown her the way as providers of hope and positivity to know that her dedication and hard work pay off.

She says that women positively impact Florida’s hospitality industry because they do their job from the heart and take care of the people around them. Being empathetic and caring are important qualities for great female leaders. “Caring for people, helping them to be successful, and investing in others is so important to me,” she says. Helping find talent and helping them propel to the next part of their career is something she is laser focused on as FRLA Board Chair.

When asked what piece of advice she has for women coming up in hospitality, she said, “Find someone to mentor you – someone you could learn from. It will be the best thing you ever did. And then do the same for others. Giving people the opportunity to grow and a perspective of hope is important alongside hard work and drive. Always work to make things better.”

Closing Question: What does Women’s History Month mean to you?

“Women’s History Month is an opportunity to recognize women’s strength and accomplishments – our many contributions to history, society, and culture. We owe so much to those who came before us; we owe it to them to pay it forward.”

How to grow your Instagram followers for your small business

Thursday, October 21, 2021

As a small business owner, you know how powerful word of mouth is for attracting new customers. You also likely know how important it is to use social media platforms to help you spread the word–digitally. But did you know that brand engagement rates are highest on Instagram, beating both Facebook and Twitter? According to Instagram, 90% of its users follow at least one business.

How can you grow your Instagram followers and potential customer base — and keep your target audience coming back for more? In this article, you’ll learn why Instagram engagement matters, how to use the different features of the platform and tips and tricks for maximizing your reach and impact. We can help you set goals, set your Instagram account up for success and help you make the most out of your Instagram posts. Let’s dive in.

Set social media marketing strategy goals

Setting social media marketing strategy goals for your Instagram page can help you monitor the time, effort, and potential money you’re investing in marketing on platforms like Instagram.

Having clear Instagram engagement goals can help you plan and create content as well as monitor improvement. Marketing strategy goals can also help your team create quality content that aligns with what you aim to accomplish.

Set up a profile using Instagram for Business
Once you’ve set your goals, it’s time to start making your Instagram profile work for you. If your account is not set up as a business profile, consider switching to an Instagram for Business account. Using an Instagram for Business account provides benefits such as:

  • Instagram analytics and tools that show how well your content is performing so you can track your goals more easily and understand your audience demographics and more.
  • Features to expand your profile and sell products, including the ability to create and publish Instagram ads without having to use advertising tools through Facebook.

Creating a unique and on-brand Instagram page, in addition to high-quality content, can help you hook new followers by showing them why your business is worth following.

Create an Instagram bio that tells your story
While not directly tied to follower growth, your Instagram bio is your first opportunity to connect with potential followers and get them to click the follow button. The bio is a place to showcase your brand’s personality, tell visitors about your products or services and what makes it unique. An Instagram bio should include your company’s category/industry, your location(s), contact info and a link to your website. You also can include associated social media account handles.

There’s limited real estate to tell your brand’s story. With only 150 characters available, you need to keep it brief. You can use formatting to organize info in your Instagram bio, such as line breaks to create vertical spacing. If it makes sense for your brand’s voice, consider using emojis to show off your brand’s personality and potentially save character space. You could also use a call to action (CTA) in your bio to set up your profile’s link.

A profile photo can help potential followers instantly recognize that it’s your company. Most businesses use a logo, logomark (the logo without any words) or mascot as a profile photo. You could also use a photo of your sign or storefront–even an image of your signature products. Don’t feel like you have to limit your creativity, but make sure the image can easily identify your brand.

Use one clickable link to get followers to explore pages, content
Instagram offers one clickable link field in the bio for accounts with less than 10,000 followers. Your clickable link is prime real estate to send a potential customer where you’d like them to go. You can use the link to send people to your main website homepage or frequently change out the link to reflect an event you’re promoting or other current content you may produce.

Additionally, tools are available to create a “link in bio” link tree/landing page to offer multiple clickable links for Instagram posts, product pages and other links without leaving the Instagram app. This approach is best for businesses that have numerous offerings and want to drive customer traffic to multiple links or different types of content. No matter which strategy you use, you should use your clickable link to send Instagram users to visit other relevant content.

 

Create a visual identity and brand voice true to your business
Instagram is all about visuals, no matter the format. Maintaining a consistent visual identity that represents your brand can give your content a cohesive feel. This identity can include your brand colors, tones, and much more. Editing style, filters, and photo composition can all affect your visual identity.

A consistent and unique visual identity can help new followers get to know your brand by just seeing it. If you stay consistent, your Instagram audience will begin to associate the style with your brand unconsciously. No matter what content format you use on Instagram, your content should look like you and tell your brand’s story while adding value to your audience.

Your Instagram captions and text are just as crucial for brand storytelling and helping users find you.

You don’t want to focus solely on visuals, though. Having a brand voice for Instagram can allow you to experiment with all of the Instagram content formats and still consistently sound like your brand voice.

Does your brand use emojis? Will you make memes or repost memes? Does your brand voice use humor? As with visual identity, your brand voice can help your Instagram audience know it’s your business.

Use Instagram content formats to your advantage
Instagram began as an app to share photos. It is now a social media platform that continually releases new features and content formats for users to engage. The platform offers a variety of ways your business could interact with an engaged audience, including:

  • Instagram Carousels: This feature allows for publishing up to 10 photos in a single post.
  • Instagram Reels: This format, reminiscent of TikTok, hosts 15- to 30-second videos that can include audio, visual effects or other creative tools. Reels can be shared in your Instagram feed and discovered on the Instagram Reels tab on the platform.
  • IGTV: Instagram TV, or IGTV, is for videos longer than 30 seconds. IGTV would be used best for a recurring video series.
  • Instagram Stories: Stories are photos or videos that are full-screen, vertical and disappear after 24 hours. They appear at the very top of the app rather than in the news feed. The Stories feature is a good tool for visual storytelling, where you can produce things with a beginning, middle and end. Instagram Stories also can include fun, interactive elements such as stickers, polls and filters, which can increase engagement and get your audience in the habit of viewing your Stories consistently.
  • Instagram Live: Instagram users can live stream video through Instagram Stories in this format. This format allows brands and content creators to connect directly with their followers and target audience through Q and A sessions, demonstrations and so much more.
  • Instagram Guides: This content type is a cross between Instagram Carousels and blog posts. Each guide includes a cover image, title, introduction and optional descriptions for entries that users can build from previously posted content, places, or product listings from your account.

 

Post and interact with your audience consistently
Building an Instagram following requires posting regularly and interacting with your audience. That said, business owners need to sleep and take vacations. Consider using a tool that lets you schedule and publish Instagram posts, especially if you’re a team of one. There are a variety of tools available at different price points, such as Hootsuite, Sprout Social, Salesforce’s Social Studio and many more that can provide the functionality that meets your goals.

Instagram users expect a steady stream of interesting, engaging or educational content from the users and brands they follow. Having a consistent posting schedule shows your audience that you’re a serious brand worth following.

Responding to comments, mentions and direct messages (DMs) is also crucial for users to feel confident following your business. Your followers are real people with opinions, issues or questions, and responding and engaging shows respect. Additionally, make time to respond when someone mentions or tags your brand in their post –– they’re helping to spread the word about you! It’s easy for users to hit the unfollow button if they feel ignored; don’t let it come to that.

Additionally, you may want to consider developing social media guidelines to help the person managing the Instagram account (if it’s not you) navigate interactions with your Instagram followers.

Use hashtags to feed the Instagram algorithm
Hashtags help Instagram users find the content they want to see. Instagram hashtags are keywords or phrases with a hashtag symbol before them, such as “#photography.” Instagram captions are not searchable, but hashtags are. Clicking on a hashtag or searching for a specific hashtag will show users all content associated with that tag.

Hashtags can help improve the chances of potential followers finding and engaging with your content. Posts that contain a hashtag get more engagement than those without hashtags. Consider hashtags related to your business that are easy to use, catchy and popular for your posts. You can create a branded hashtag for followers to use when posting about your business.

Using broad hashtags related to your business increases the chance people see your posts from all corners of the world. You may also want to use branded hashtags that are unique to your business to capture more local/relevant attention. If a hashtag is irrelevant to your post, it will not make sense to potential followers or aid your goals.

Help users find you with geotags
Geotags, or Instagram location tags, use a precise location that users can add to a post or Story. The tags can be identified by the GPS in a mobile device and can be geographical (like a city) or a particular business (think like a restaurant). Businesses can create a geotag for their business and start reaping the benefits of using it on posts.

Using geotags helps Instagram compile posts tagged at the location. A geotag can be added at the time of posting or retroactively. Instagram categorizes posts as “top” and “recent” posts by location, and your brand photos will live among the posts from your customers or visitors when they use a geotag while posting about or from within your business.

The “View Information” button within the geotag can link to information about the business. The geotag functions can help with brand awareness and allow potential customers to research your business and see what others have posted about you.

Promote your Instagram on other social media channels
If you have an engaged following on other social networks, let them know you’re on Instagram. Let them know what kind of content you’ll be posting – that way, they can decide if it’s worth their time to follow you in multiple locations. Additionally, use Instagram stories and crosspost them to your Facebook page to help you reach new audiences and increase the likelihood you’ll get the follow on Instagram.

Grow your reach with Instagram ads and campaigns
Instagram ads can get your content in front of a broad, targeted audience and help you reach your goals faster. You can “boost” your social posts to a wider audience or create specific advertisements for products or services. Instagram ads increase the reach of your content as well as include call-to-action buttons. These features help reduce the steps to get viewers to your website or store from the app.

You can buy Instagram ads through their platform. You set a maximum budget of what you’d like to spend for the entire time the ad runs. Costs for Instagram ads can average around $.50 to $1 per click, or cost per click (CPC). You can try out Instagram ads with a small budget and track the insights to see if it’s the right strategy for your business. It can be an effective and targeted way to reach prospective customers in the right stage of their buyer journey.

 

Consider working with influencers
Influencer marketing is a great way to build a loyal Instagram following. Instagram influencers are basically people who post a lot of content and have a lot of engaged followers. Influencers often work with brands and businesses to help generate interest in their products and services.

The thought of influencer marketing can seem intimidating to smaller businesses but consider working with micro-influencers: content creators with a smaller but dedicated following, often in local markets or within specific categories like food, crafts, etc. Look for popular content creators within your industry with small or large followings that might be interested in your brand.

Think about your own Instagram follower customer base. You could already have an influential (or budding) brand ambassador following you – consider making a collaboration official. The more genuine the relationship between a brand and influencer, the better.

 

They found you on Instagram – now deliver the great experience you showed them
Instagram growth for your business doesn’t need to be scary or a herculean effort.

With the right resources and planning, you can achieve your marketing goals with new followers and more. After all, it’s about your brand’s ability to connect with real people and showing them great content about what you do best: provide great products or services.

At Heartland, we love helping businesses succeed –– online and offline. That’s why we offer training and resources like our free Unstuck Playbook. This training walks you through easy and effective strategies to get your business from surviving to thriving. We also offer solutions ranging from payments and point of sale to customer engagement and employee management to help entrepreneurs focus on the big picture of their business.

Women’s History Month – Recognizing Women Across Florida’s Hospitality Industry

March 4, 2022

In recognition of Women’s History Month, this March, FRLA will be highlighting interviews with women across Florida’s hospitality industry. Not only is Women’s History Month an opportunity to reflect on the achievements of women worldwide as well as the challenges they still face, but it is also a great time to highlight women hospitality professionals across the Sunshine State. At a time when the state is still recovering from the COVID-19 pandemic and many women are re-entering the workforce, we are proud to highlight all they contribute to our communities, our industry, and our state.

We will share stories and insights from these women across hotels and restaurants, from all levels of experience. We hope you will follow our stories on this blog and across social media and help us to celebrate the amazing women in Florida’s hospitality industry.

The first Women’s History Day was celebrated in 1909 on the anniversary of a protest by 15,000 women against terrible working conditions in factories across New York. As decades progressed, the recognition changed to Women’s History Week, and in 1987, the observance shifted to what we now know as Women’s History Month. Since then, each year the U.S. President issues a proclamation for Women’s History Month in March. For 2022, the theme is “Women Providing Healing, Promoting Hope.” The theme is focused not just on female caregivers and frontline workers but also recognizes the caring nature across women of all cultures throughout history.

In Florida’s hospitality industry, women serve at all levels as they create meaningful experiences for our guests. In our first interview – to be shared in the coming days – we highlight Regional Manager of Innisfree Hotels and FRLA Board of Directors Chair Olivia Hoblit. She discusses how one of the most important aspects of female leaders is caring for others. She extends this approach to more than just guests but also to coworkers, team members, and others across her community. She was mentored as she was coming up in the industry, and she wants to help and invest in others and pay it forward to ensure women of great talent can succeed.

We can’t wait to share her story with you. Until next time!

Governor Ron DeSantis Launches Donation Portal for Southwest Florida Tornado Survivors Following Federal Government’s Decision to Deny Assistance

Pledge donations or request assistance here.

Following the federal government’s denial of Florida’s request to provide assistance to individuals impacted by the tornadoes that touched down in Charlotte and Lee counties on January 16, Governor Ron DeSantis and the Florida Division of Emergency Management (FDEM) launched a donation portal to provide immediate relief for disaster survivors impacted by the tornadoes. The donation portal is available at FloridaDisaster.org/Assistance.

“We cannot continue waiting on the federal government to provide relief to these Floridians,” said Governor Ron DeSantis. “After meeting with survivors last week, it’s clear they still need our help. We’ve helped community leaders launch this portal to expedite assistance for impacted residents and we’re going to ensure they get help.”

“These donations are going to directly provide assistance to our disaster survivors who need it most,” said FDEM Director Kevin Guthrie. “The Division is working around the clock to connect disaster survivors with this vital resource, which will help them recover faster and begin to rebuild after experiencing extensive devastation.”

The State of Florida is partnering with the Charlotte Community Foundation to collect and disburse donations for disaster survivors. All donations made through the FloridaDisaster.org/Assistance portal are tax deductible.

At this time, donations will be prioritized for survivors whose homes were assessed as being destroyed or sustaining major damage, per FEMA criteria through previous Joint Preliminary Damage Assessments. The State is coordinating with Charlotte and Lee counties to connect survivors directly with the portal.

Disaster survivors can also request assistance at FloridaDisaster.org/Assistance. This page provides disaster survivors with information on how to register an account through the portal and how to request assistance.

If you are a survivor whose home was determined to be destroyed or sustaining major damage, you can call 833-930-3707 to be connected with the donation portal. The donation portal call center is available to survivors seven days a week from 8 a.m. – 8 p.m.

3 Ways to Boost QSR Hiring Strategy

It’s no secret that 2020 highly impacted the entire hourly workforce — and how we hire them. Turnover rates in restaurants have reached a new high with a turnover rate of more than 140%. Restaurant owners are having a hard time getting employees who left the industry to come back, and when they are ready to re-enter the workforce, they are applying to 5-6 jobs at a time. And because restaurants are understaffed, GMs are spending time covering shifts instead of actively hiring, growing the team, or improving the customer experience.

With stakes as high as they’ve ever been, it’s more important than ever to take a look at your current hiring process and ensure you are following these three hiring tips.

  1. Leverage Technology – With the right technology in place, your GMs can eliminate historically time-consuming tasks. Using the right tools, you can get more eyes on your job posting, automatically engage and screen applicants, give employees the ability to schedule their interviews through their phone, and ultimately free your GMs to focus more on the restaurant, the team, and the customer experience.
  2. Create a referral program – You may be receiving great organic referrals from your employees already; make sure you’re incentivizing them to send more candidates your way. Doing so will increase the quality and quantity of your applicants.
  3. Diversify your job board platforms – QSRs are even finding recent success with using social media platforms such as Facebook and TikTok to find new candidates. If you’re still using only job boards, you are missing out on an increasing number of new applicants who have moved on to other channels.

 

It’s time to use hiring that just works. Workstream is a text-based recruitment and hiring tool that was built for the hourly workforce. It enables companies to track applicants in a dashboard and communicate with candidates via text, enables candidates to upload short videos of themselves, provides analytics, and works to automate onboarding.

Be the first to respond to applicants, the first to get them hired, and be the first to be fully staffed. Workstream – hiring that just works. Visit workstream.us/frla to request a demo.

6 Steps to Recover After a Ransomware Attack

By Kathy Ennis, CPA, Partner and Lena Combs, CPA, Partner

Ransomware is a type of cyberattack that can infect a system whenever a user interacts with a malicious link, website, or file. In a ransomware attack, the hacker encrypts data so that it can only be retrieved by paying a ransom and obtaining the key used for decryption. Ransomware attacks are continuing to rise at an alarming rate, with cybercriminals targeting businesses across virtually all industries.

If you get infected by ransomware, follow these tips on how to recover from a ransomware attack:

 

  1. Discover what kind of ransomware is attacking you – The best way to do this is to ascertain how much of your data you still have access to. There are two common types of ransomware, screen-locking and encryption-based, with each operating a little differently. Depending on the type of ransomware impacting you, there’s a chance that data recovery is still possible, and there may be a way to decode the encrypted files without having to pay the ransom. If you don’t have the internal resources to diagnose the type of ransomware you’ve been infected with, engage with a trusted cybersecurity firm for help.
  2. Disconnect from everything – The most important thing you can do is restrict ransomware impact by disconnecting your device, turning off the Wi-Fi, and preventing the virus from spreading throughout the network.
  3. Take a picture of the ransomware screen – When attacked, a note identifying the ransom will be displayed, including the amount to be paid and where to send the payment. Take a picture so the information is readily available for when the appropriate authorities are contacted.
  4. Enact your incident response plan – If you have one, enact your incident response policy immediately because this is a security breach. Follow the measures defined in your policy to ensure that the proper steps are taken, including notifying stakeholders of the breach.
  5. Attempt restoration from backups – If possible, you may want to restore your systems from any backups you have available. However, be cognizant that the ransomware may have been in your system for some time, so any backups could be compromised as well. Before restoring, make sure to deploy antivirus software through your system.
  6. Prevent it from reoccurring – Put measures in place to prevent future attacks. Protect your network with a phishing assessment and phishing awareness training. Understand your threat intelligence with an Open Source Intelligence Report (OSINT) Dark Web scan, and analyze your data privacy risks with Data Privacy Assurance. Ensure that you have an independent cyber insurance policy and conduct a risk analysis.

 

A proactive approach is the best way for businesses to help prevent a ransomware attack. In the event of a cyberattack, it is important for companies to investigate and immediately mitigate any impacts.

Withum is a forward-thinking, technology-driven advisory and accounting firm, committed to helping clients in the hospitality industry be more profitable, efficient, and productive in the modern business landscape. For more information, visit www.withum.com

How To “Be A Fuel For Good”

While it always feels satisfying in the moment to receive gifts or do things for yourself, most people would agree helping others provides the ultimate gratification. This is why Gas South has built giving back into the core of our company and who we are, recognizing that everything we do should further our mission to “Be A Fuel For Good.” From a corporate level, we’ve seen the incredible impact this has had on our culture, so here is our three-step guide to giving back:

 

Identify a Cause

There are so many people that need help in the world; while we wish we could have an impact on everything and everyone, it simply isn’t possible. That’s why it’s important to identify a cause you are passionate about as a starting point. At Gas South, our “North Star” is helping children in need, which provides a clear focus and directive when seeking organizations to support.

 

Quantify Your Gift

When it comes to monetary contributions, create a benchmark or goal to dictate your impact. Considering how revenue can fluctuate, we recommend dedicating a consistent percentage of your annual profits to your cause. At Gas South, we pledge to share 5% of our annual profits with children in need, so everyone in the organization knows our commitment level to the community. We are incredibly proud to have given more than $7.5 million to our charitable partners since 2005.

 

Time is Money

Donating money is an important component of giving back, but when it comes to truly enriching your team, nothing beats the hands-on experience of helping others. Aligning your employees with the cause you are supporting will further connect them to each other and the community, so when deciding where to donate money, don’t forget to look for organizations that provide opportunities to volunteer and lend a literal helping hand to others. At Gas South, our employees have volunteered nearly 1,600 volunteer hours in the last two years alone.

 

Considering the challenges presented by COVID-19 over the past 18 months, there have never been as many people in need as there are right now. And while giving back is the moral thing to do, it also provides tangible benefits for individuals and the organizations that unite them. That’s why Gas South constantly strives to “Be A Fuel For Good,” and it is our sincere hope others follow our steps to success and get more engaged with the communities we all serve.

 

Employee empowerment vs. enablement — a leadership conundrum

By Vince Lombardo

As a leader, there are important responsibilities that naturally come with the job. These responsibilities may vary depending on your role, but one of the assumed responsibilities every leader has is the development of those around them.

Personal growth and development is not an occasional thing. While each individual must accept responsibility for their own growth and development, they often look to their leader to provide opportunities to help them achieve it. Many leaders fall short, and this is often where the “leading vs. managing” discussion begins. At the core of every opportunity to foster growth lies the decision to empower or enable.

Simply put, enabling is doing something challenging for another individual, while empowering is teaching them to do it for themselves.

One of my best childhood friends lived in a house where his mother did everything for him. His sole responsibility was to be a kid and enjoy life. He was not required to do the dishes, laundry, clean his room or make his bed. The Lombardo household was the complete opposite. If the trash was full and I didn’t notice, there was typically some form of feedback from my mom or dad. I used to be jealous of my friend’s situation, wishing I had it that “easy.”

Then we went to college, and this amazing thing happened: I was able to keep a clean living space and take care of myself — laundry, cooking, cleaning, etc., while my friend was completely lost. He was living in a world where he struggled to function with basic everyday tasks. I was suddenly grateful for the upbringing provided by my parents.

Picture this: you receive a phone call from one of your teammates asking a question about whether a widget works with a certain system. They have access to a reference tool that easily answers the question and a support team they can call, yet they seek help from you. If you want to be like my friend’s mom and create people who are dependent, go ahead and answer the question. If you want to coach independent thinkers, teach them where to get the information and encourage them to seek it out for themselves.

The issue with the leader who enables is the scalability of their bandwidth. If you become the person your entire team depends on, your team can only be as big and productive as your work week can support. When you add middle management that copies this behavior, the same thing happens, just on a different scale.

Empowering people is the key to limitless potential. Empowerment gives people the tools, the power and the opportunity to think and do for themselves. When you empower people, you develop independent thinkers and doers, creating possibilities to achieve at any level they desire.

The leader who empowers is the leader who provides the path for people to discover their own ability.

When considering all of the situations we encounter with our teammates, you might realize how frequently this occurs. In fact, I bet that a sales leader encounters more than two or three dozen opportunities a day to ask questions or point people in the direction to solve a problem rather than simply answering it for them.

If you’re wondering, “How do I recognize the difference between enabling and giving advice or coaching?” the answer is simple. If you are being asked to provide an answer, a solution or a recommendation, stop and ask yourself this question: Am I doing something for them, or am I giving them the tools to do it for themselves?

Within that answer lies the solution.

Next time your phone rings or your inbox dings with a need from someone around you, take the time to consider your answer. Make the choice to give people the power to become independent rather than giving the solution that makes them dependent. It is not only wise, but it is your responsibility as a leader to facilitate their personal development. It will make a huge difference as you build for the future.

Vince Lombardo is President, U.S. Payments and Payroll Solutions, Heartland. Vince has been with Heartland for 16 years, growing the company into one of the largest providers of payments, POS and payroll solutions in the U.S.

Protect yourself from Cyber Intrusions

by Eric Shapiro

Cyber hacks are very much on the rise. What most people don’t understand is that hackers are usually not targeting any business specifically. Usually, they are using bots to troll the net looking for companies with weak security controls. Or they are sending out blast phishing emails hoping a naïve employee will click on a link or open a document that is infected with malware. Or they are creating social engineering scams to try to dupe people into wiring funds to the wrong bank accounts. Because these efforts are widely distributed and many bad actors are doing this, all companies are vulnerable. There are things all companies can do to stay vigilant and try to protect themselves beyond the usual firewalls, VPNs, etc.:

  1. Implement Multi-Factor Authentication (MFA) – This should be used for anyone who can access your system remotely.
  2. Implement Endpoint Detection – This will help your IT staff continually monitor and respond to cyber threats.
  3. Train, Train, Train – Make sure your entire staff understands the threat and stays vigilant against opening the wrong attachments. Do phishing exercises regularly.
  4. Put controls in place around Wire Transfers – Make sure anyone who has the ability to do wire transfers is trained to verbally confirm the details of all wires correctly.

Due to the increase in frequency and severity of cyber-attacks, Cyber Insurance has become more expensive and more difficult to get. It’s also become much more important to have. Carriers are now requiring their insureds to have these controls in place before they will provide insurance. When completing the application for insurance, pay close attention to the questions about controls and answer them honestly. If you do not have all these controls in place, you will probably be required to implement them, so have a plan in place and articulate that. Work with your insurance agent to get the proper coverage based on your exposure. Terms and conditions vary widely in the marketplace, so be very careful to make sure you get the best coverage you can. Remember, especially with cyber, you get what you pay for, so don’t just buy on price.

Eric Shapiro is the Regional President for Socius Insurance.

Ransomware: What Every Restaurant and Lodging Business Must Know

Al Saikali
Chair, Privacy & Data Security Practice
Shook, Hardy & Bacon, LLP

Ransomware attacks have sucked billions of dollars from American companies. Not just in ransoms paid, but also in lost revenue, the costs incurred restoring systems and investigating the incident, and the cost of class action lawsuits that have followed when customer/employee personal information is impacted. This article addresses some of the most common questions about ransomware and provides suggestions on ways to mitigate that risk.

What Is A Ransomware Attack?

Ransomware is a form of malware that encrypts (locks) your data and prevents access unless you unlock the data with a decryption key. There are three stages to a ransomware attack.

In the first stage, the threat actor (“the bad guy”) exploits an existing weakness (vulnerability) in your network. This vulnerability could be an open remote desktop protocol port, an employee who clicks on a phishing link, or unpatched software for an application or server/firewall. This stage gives the threat actor a foothold in your organization.

In the second stage of the attack, the threat actor performs reconnaissance in your network to identify and often exfiltrate/steal your data.

In the third stage, the threat actor deploys the ransomware that begins encrypting your files.  Without effective monitoring tools, all you will see is the end result when you turn on your computer, cannot access files because they’re encrypted, and find a ransom note threatening to release the stolen data on the dark web unless you pay a ransom.

The analogy I like to give clients is to imagine if you were to leave your house for the weekend but your front door and a couple of windows are unlocked.  Those unlocked doors/windows are your vulnerabilities. A burglar will test your doors and windows until he finds an unlocked one and uses it to access your house (i.e., exploit your vulnerability). Once inside, he will perform reconnaissance – looking around your house to find where your valuable items are hidden – and he will steal (exfiltrate) some of your items in the process. Imagine if, before the burglar leaves your house, he goes around changing all the locks so you can no longer access your house. When you return home you realize your key doesn’t work anymore. You see a note on your front door that says, “If you want to re-enter your house you must pay me $5,000,000 in Bitcoin; and I stole your valuable/sensitive items, so unless you pay me in the next 72 hours I will sell everything I stole on the Dark Web.”  That is essentially a ransomware attack.

What To Expect When Under Attack?

When you are under attack, you can expect to lose access to critical functions as the encryption spreads like a virus throughout your connected network. Your access will be down for at least a few days and potentially even a few weeks. You will receive questions from employees, customers, business partners, and the media asking what is happening. You should expect to spend tens or hundreds of thousands of dollars, at minimum, responding to the incident. The good news is there are steps you can take to mitigate these risks.

Responding To The Attack

Like a boxer punched in the face by Mike Tyson, you will initially panic and be stunned when you first realize you are under attack. Try to set aside the panic (and the pain) to focus on some key initial steps that will help you recover:

  • Contact your cyber insurance carrier immediately. The carrier will provide you with experts who can help restore your data, contain and eliminate the threat, identify and fix the vulnerability, negotiate with the threat actors (even if you need to buy more time), and advise you on your legal obligations.
  • Do not erase anything and do not provide the only copies of your servers/workstations to third parties. These devices hold important information about the nature of the attack that the forensic firm will need to help you recover.
  • Begin the process of restoring your information from backup.
  • Operationally, you may need to start using an alternative method of communication while the recovery and remediation efforts are underway. You may also need to use a backup method of doing business, whether that is old-fashioned paper and pen or using personal laptops. (By the way, the lesson here is not “you’re better off just doing business the old-fashioned way with paper and pen” – that method may avoid a ransomware attack but it creates much larger data breach and security issues.)
  • Work with your newly engaged cybersecurity experts to contain the threat, close the vulnerability, and identify which files may have been stolen or accessed.
  • Your legal counsel will ensure you are: (a) meeting legal requirements to preserve certain evidence; (b) performing the forensic investigation under privilege; (c) issuing statements to employees, customers, and business partners that don’t create additional liability; (d) notifying the right law enforcement entities; and (e) notifying third parties and customers whose data may be impacted in the manner required by law.

Are You Allowed To Pay A Ransom? 

There are instances where paying a ransom may be necessary. For example, where data your organization needs to survive has been encrypted and you cannot restore your system using your backup files (either because the backup files were also impacted or because they don’t exist). Another example is where sensitive customer data has been stolen and there is a threat to release that data on the dark web.

An initial question is whether the threat actors will actually provide the decryption key or delete the stolen data if they are paid the ransom.  Usually, yes. Their business model does not work unless they do.

So when is it illegal to pay a ransom? The law prohibits transactions that directly or indirectly benefit certain individuals/terrorist organizations on a list maintained by the Department of Treasury’s Office of Foreign Assets Control (OFAC). You cannot pay anyone on that list, and doing so may result in criminal and civil penalties. If you decide to make a ransom payment, the company you hire to facilitate that payment will first perform an “OFAC check” to ensure the payment you are about to make is not being made to an entity on that list.

Who Do I Need To Notify About The Attack?

If the threat actor accessed certain sensitive information (e.g., customer/employee personal information, or proprietary/sensitive information of business partners) there may be a legal obligation to notify those third parties whose information is impacted. There may also be an obligation to notify state attorneys general or other regulatory authorities. In some instances, your contracts with business partners may require that you notify them even if there is no proof that their information has been impacted. Your lawyer should be guiding you on these obligations, the timing of notice, and the content of that notice.

But even if there were no legal obligation to notify, you may want to consider providing an informal update to customers and business partners about what is happening. If you decide to do this, it is incredibly important to work with legal counsel on this messaging because one wrong word could create a potential negligent misrepresentation or deceptive trade practice claim.

The Risk of Class Action Lawsuits and Regulatory Enforcement Actions

Unfortunately, we live in a litigious society driven by individuals who are incentivized to file lawsuits against victims of a cyberattack. When you notify customers/employees that their information was impacted by the ransomware attack, there is a good chance that a plaintiff’s lawyer will learn about the attack from the news, from your regulatory notification, from a statement on your website, or from an individual who received notice and has questions about it. Increasingly, those lawyers are filing class action lawsuits against companies that are victims of cyberattacks. They use social media to find potential clients “impacted by the XYZ data breach.” These lawsuits are usually looking for a quick settlement where each impacted person perhaps receives very little, but the lawyers receive hundreds of thousands of dollars in attorney’s fees.

There is also a lower risk that the Office of the Florida Attorney General will seek penalties against your business for: (a) failing to adopt reasonable security safeguards to protect sensitive consumer information; (b) taking too long to notify impacted consumers; or (c) making statements about the incident that were not accurate. This is why incident response preparation is as important to minimizing costs as the response itself.

How To Mitigate The Risks

The good news is that there are steps your organization can take to minimize the likelihood of an attack and the impact of such an attack.  From a technical perspective, one such measure is implementing multifactor authentication on any application, remote access protocols, email, or other sensitive information.

  • Multifactor authentication requires you to authenticate yourself in more than one way (e.g., something you know, like a password, and something you have, like a phone where you receive a text with a short code).
  • Ensure you are backing up your information securely, from an offline source that is not connected to your network.
  • Purchase cyber insurance. A cyber policy typically covers most costs you will incur when responding to a ransomware attack, including legal counsel, forensic experts, data restoration services, certain operational losses, and sometimes cyber-extortion costs (threat-actor negotiation services and payment of a ransom). It also typically covers the costs associated with class action lawsuits and regulatory enforcement actions.
  • Prepare an incident response plan, which is your roadmap for what to do if you ever fall victim to a cyberattack. The document describes who would need to be involved (internally and externally) and what steps to consider on operational, security, legal, and financial issues.
  • It is not enough just to have a plan; you need to test it. The individuals who would be involved in responding to a cyberattack should meet at least annually to walk through a simulated attack. You can hire a third-party cybersecurity firm or a good lawyer to moderate this exercise.
  • Perform cybersecurity training for all levels of employees/directors/owners of your company at least once each year.
  • Deploy endpoint-monitoring tools that are constantly searching for unusual behavior and malware on your network.
  • Minimize the amount of sensitive data you collect. If you do not need it, don’t collect/keep it. If you really need it, encrypt it.
  • Engage a third-party cybersecurity firm to assess your environment. Let them identify your vulnerabilities (unlocked doors/windows) and prioritize which ones you should fix in which order. Florida has some outstanding cybersecurity firms that can help you do this.

Conclusion

There are other security measures you can and should implement. Working with a third-party cybersecurity expert and legal counsel experienced in cybersecurity will help you identify which of those measures are right for your organization, and how to prioritize implementing them.

Al Saikali chairs the Privacy and Cybersecurity Practice at the law firm of Shook, Hardy & Bacon, LLP. He and his team regularly represent companies in preparing for and responding to cybersecurity attacks. If you have questions, you may contact Al at [email protected]