The Marriott data breach exposing personally identifiable information (PII) on 500 million guests and attributed to the Chinese government reminds industries beyond hospitality to protect their critical assets.
The top cybersecurity lesson from the Marriott data breach is that your most critical assets should serve as the foundation for your cybersecurity approach.
Do you know what types of assets are most critical to your organization? Least critical? Your critical assets may be tangible, intangible, or a combination of both. Does your senior leadership team agree?
Once you have identified your most critical assets and have established agreement among your senior leadership team and other relevant stakeholders on the impact that a breach to those assets would have on operations, you can then build and prioritize your cybersecurity efforts around those assets.
As security costs increase and companies continuously look for ways to streamline costs, maximizing cyber risk investment is more critical than ever. This type of approach will help your leadership make the most informed cyber resource decisions.
Three more takeaways from the Marriott data breach:
1. Proactively seek to prevent and detect unauthorized access to your network. Marriott may not have been aware of the breach until late 2018; however, the initial investigation indicates that unauthorized access to the Starwood network may have begun as early as 2014. Oftentimes, applications and databases are compromised without the target’s awareness. Multiple techniques can protect sensitive data and networks, including encryption, integrity controls, rogue device detection tools, and firewalls.
2. Define, document, and rehearse your organization’s cyber incident response plan. It is not a question of “if” your organization will face a cyber incident, but rather “when.” We have seen data breaches consume organizations’ time, money, corporate image, and morale. The faster you are able to contain an incident, the faster you will be able to mitigate harm to your organization. For example, after detecting the incident, Marriott put resources toward the investigation, set up a dedicated call center for customer questions, and offered free identity monitoring in some areas. We saw similar responses in the aftermath of Equifax in 2017, Adult Friend Finder in 2016, and Yahoo in 2013.
3. Assess the privacy and security implications of a new enterprise technology prior to adoption. Hotel companies are experimenting with voice-operated technology and Internet-connected rooms. That could mean storing increasingly personal information, such as biometric data or what time guests prefer to sleep and wake. Introducing new solutions into your architecture while ensuring privacy can be challenging. An in-depth privacy review of the data a tool collects, combined with evaluation in a lab environment, ensures that the tool meets your enterprise security goals.
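The "integrity controls" named in takeaway 1 are one of the few ways to notice that a database or application has been altered when the attacker is careful to stay quiet. The following is an added example, not code from the post or from GPSG, showing the core of a file-integrity baseline: a SHA-256 manifest is recorded when the system is known-good, the manifest itself is authenticated with an HMAC so a tampered baseline is rejected rather than trusted, and later snapshots are compared against it to report modified, removed and newly added files. The snapshots, paths and the signing key are all constructed for the example; in practice the key and the manifest would be kept off the monitored host.

```python
import hashlib
import hmac
import json

# Constructed known-good snapshot of a data store: path -> contents.
# These are made-up stand-ins for configuration, application code and an export.
BASELINE_SNAPSHOT = {
    "etc/app/db.conf": b"host=db01\nport=5432\n",
    "www/login.php": b"<?php /* login handler */ ?>",
    "data/guest_export.csv": b"id,name,email\n1,A. Guest,a@example.com\n",
}

# Assumption: the manifest-signing key is stored where the monitored host cannot write.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def digest(data: bytes) -> str:
    """SHA-256 hex digest of one file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(snapshot: dict[str, bytes], key: bytes) -> dict:
    """Record a per-file hash baseline and authenticate it with an HMAC."""
    hashes = {path: digest(content) for path, content in sorted(snapshot.items())}
    body = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a baseline whose MAC does not match: an altered manifest hides changes."""
    body = json.dumps(manifest["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify(snapshot: dict[str, bytes], manifest: dict, key: bytes) -> dict[str, list[str]]:
    """Compare a current snapshot against the authenticated baseline."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("baseline manifest failed authentication; treat as tampered")
    baseline = manifest["hashes"]
    modified = [p for p in baseline if p in snapshot and digest(snapshot[p]) != baseline[p]]
    removed = [p for p in baseline if p not in snapshot]
    added = [p for p in snapshot if p not in baseline]
    return {"modified": sorted(modified), "removed": sorted(removed), "added": sorted(added)}


def demo() -> dict[str, list[str]]:
    """Constructed later snapshot: one file changed, one deleted, one unexpected file present."""
    manifest = build_manifest(BASELINE_SNAPSHOT, MANIFEST_KEY)
    later = dict(BASELINE_SNAPSHOT)
    later["www/login.php"] = b"<?php /* login handler (changed) */ ?>"
    del later["data/guest_export.csv"]
    later["www/tmp/helper.php"] = b"<?php ?>"
    return verify(later, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Each of the three findings is something an operator would want alerted on: a changed login handler, a missing export, and a file nobody deployed. The HMAC check matters because an attacker who can rewrite files can usually rewrite a plain hash list too; keeping the key and manifest off the host makes the baseline something the host can be measured against rather than something it controls.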
No Industry or Sector is Safe from a Cyber Attack
The hackers behind the Marriott data breach also targeted health insurance companies and a U.S. government agency, possibly seeking to identify security clearance holders. Large organizations that have not publicly suffered a major cyber incident are prime targets for attackers, who assume that such organizations have not strengthened their defensive posture.
If you have not done so already, accept that no sector or industry is “safe” from a cyber attack. Although the trade war is with China today, tomorrow it may be with another U.S. cyber adversary and affect a different industry.
Contact GPSG at cyberteam@gpsg.co for a free consultation on using encryption and integrity controls to strengthen your network’s defensive posture.
