
    Lessons Learned from a Big Hotel’s Recent Data Breach Caused By Social Engineering

    Recently Marriott International, one of the largest hotel chains, suffered its second data breach of 2022. The attackers, a group calling itself ‘Group with No Name’ (GNN), struck in early June and used social engineering to trick one of the hotel’s employees into granting access to that associate’s computer.

    Luckily the data breach only affected a few hundred users, but there are valuable lessons to be shared on how important it is to implement new-school security awareness training across your whole organization.

    Monthly short training reinforcement followed by simulated phishing tests

    “Organizations need to ensure that all employees are frequently educated about social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and applied the training,” said Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4.

    Assess your employees for their strengths and weaknesses

    KnowBe4 has a 10-minute Security Awareness Proficiency Assessment, grounded in recent research, to assess your users’ susceptibility to cybercrime and, more specifically, their susceptibility in relation to your organization’s cyber security needs. Learn more about proficiency and culture assessments.

    Employees found to be susceptible to a particular type of social engineering attack should be required to take more and longer training until they have developed a natural instinct to recognize these types of attacks. This process can be fully automated with smart groups.

    Above all: Don’t get a reputation as an easy target

    This latest data breach shows that organizations can’t afford to gain a reputation as an easy target. If your org falls victim to a data breach, there’s a high likelihood that other attackers will target you again, on the assumption that your organization has weak security controls.

    A good example is a recent Cybereason report showing that 73% of all organizations have experienced a ransomware attack in the last 12 months, and for those that were attacked, the question of whether the ransom was paid always comes up. Even after paying the ransom, 80% experienced a second attack and 68% were asked for a higher ransom!

    The only way to avoid this predicament is to implement the latest detection and response solutions and to invest in frequent security awareness training, so that employees embrace security best practices and become an effective last line of defense.

    Here are 10 more best practices that can make your organization a hard target:

    1. Integrate as many of your security layers as possible into an XDR solution
    2. Deploy and enforce multi-factor authentication for the maximum number of users
    3. Make sure to always have weapons-grade off-site backups in place and test your restore function regularly
    4. Make sure URL filtering is tuned correctly for your next-gen Secure Email and Web Gateways
    5. Make sure your endpoints are patched, both the OS and all 3rd-party apps
    6. Review your internal financial security policies and procedures to prevent CEO fraud
    7. Check your firewall configuration and make sure no criminal network traffic is allowed out to C&C servers
    8. Make sure your social engineering training covers multiple attack vectors, not just email
    9. Work on your security budget to show it is increasingly based on measurable risk reduction
    10. With any ransomware infection, nuke the infected machine(s) from orbit and re-image from bare metal

    VentureBeat has the full story with links.

    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo for getting budget.

    Here’s how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    PS: Don’t like to click on redirected buttons? Cut and paste this link into your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW
