Lessons Learned from a Big Hotel's Recent Data Breach Caused By Social Engineering
| Posted in Fraud Prevention
This week Marriott International, one of the largest hotel chains, suffered their second data breach of 2022. The attack by a group named 'Group with No Name' (GNN) took place in early June and they used social engineering to trick one of the hotel employees into granting access to that associate's computer.
Luckily the data breach only affected a few hundred users, but there are some valuable lessons to be shared on how important it is to implement new-school security awareness training across your whole organization.
Monthly short training reinforcement followed by simulated phishing tests
“Organizations need to ensure that all employees are frequently educated about social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and applied the training,” said Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4.
Assess your employees for their strengths and weaknesses
KnowBe4 has a 10-minute Security Awareness Proficiency Assessment, grounded in recent research, to assess your user's susceptibility to cybercrime, and more specifically, their susceptibility in relation to your organization’s cyber security needs. Learn more about proficiency and culture assessments
Employees found to be susceptible to a particular type of social engineering attack should be required to take more and longer training until they have developed a natural instinct to recognize these types of attacks. This process can be fully automated with smart groups.
Above all: Don’t get a reputation as an easy target
This latest data breach reveals that organizations can’t afford to gain a reputation as an easy target. If your org falls victim to a data breach, then there’s a high likelihood that other attackers will attempt to target you again, making the assumption that your organization has weak security controls.
A good example is a recent CyberReason report that shows that 73% of all organizations have experienced a ransomware attack in the last 12 months, and of those that were attacked, the question of paying whether the ransom was paid always comes up. But even after paying the ransom, 80% experienced a second attack and 68% were asked for a higher ransom!
The only way to avoid this predicament is to implement the latest detection and response solutions and investing in frequent security awareness training to help employees embrace security best practices and so that they become an effective last line of defense.
Here are 10 more best practices that you can make your organization a hard target:
- Integrate as many of your security layers as possible into an XDR solution
- Deploy and enforce multi-factor authentication for the maximum amount of users
- Make sure to always have weapons-grade off-site backups in place and test your restore function regularly
- Make sure URL filtering is tuned correctly for your next-gen Secure Email- and Web Gateways
- Make sure your endpoints are patched, both the OS and all 3rd party apps
- Review your internal financial security policies and procedures, to prevent CEO fraud
- Check your firewall configuration and make sure no criminal network traffic is allowed out to C&C servers
- Make sure your social engineering training covers multiple attack vectors, not just email
- Work on your security budget to show it is increasingly based on measurable risk reduction
- With any ransomware infection, nuke the infected machine(s) from orbit and re-image from bare metal
Valuable education infographics such as our Social Engineering Red Flags PDF and more will teach your users to identify these types of attacks. Venture Beat has the full story with links.