Introduction
The recent cybersecurity audit by CyberOne Business and Casualty Insurance revealed a number of serious gaps in the Padgett-Beale incident response plan. If the identified gaps and vulnerabilities are not addressed, Padgett-Beale risks a significant loss of insurance coverage.
The gaps identified in the audit report must be closed if the company is to keep its coverage. The audit found that the business's operating units lacked detailed strategies to safeguard their data (“The hackers did this”: Data breach lawsuits and commercial general liability insurance, 2022). CyberOne believes our business is unprepared to stop or respond to a significant data breach. Examining the Marriott data breach below identifies the shortcomings and the lessons our company must take away from a competitor's costly error. After the breach study has been evaluated, industry best practices to remedy the weaknesses in the system will be suggested. These lessons and suggestions are provided so that the best choices can be made to address the audit results.
Analysis
The Marriott data breach has been ranked among the most significant data breaches globally; many industry experts place it second of all time. Marriott initially estimated that up to 500 million guests were affected and later revised the figure to roughly 383 million guest records, with reported losses of over three million US dollars. Unauthorized access to the Starwood guest reservation database began in 2014 and went undetected until September 2018; the attackers took the personal data that guests had supplied when booking hotel rooms and made use of it for their own benefit. The good news is that Marriott already had a policy that provided coverage for some expenses related to the data breach (“The hackers did this”: Data breach lawsuits and commercial general liability insurance, 2022). Because prospective legal actions and regulatory and compliance fines remain, author Patrick Nohe responded to the unfortunate news as follows: “Marriott’s cyber insurance could apply to some of those as well, but we don’t know enough about the policy to determine whether or not it will pay out.”
In the current hotel business model, customers and property owners are connected through online reservation platforms. Marriott paid roughly $13.6 billion to acquire Starwood Hotels & Resorts, and the acquisition ultimately cost Marriott far more than the purchase price (Talesh, 2018). The Starwood reservation system had already been compromised before the deal closed, and by acquiring the company without uncovering the intrusion, Marriott inherited the breach and its consequences. The hotel sector is particularly susceptible to such security flaws: Hyatt Hotels Corp., Trump Hotels, and InterContinental Hotels Group have all recently suffered security lapses.
After a thorough investigation, the Information Commissioner’s Office (ICO), acting as lead supervisory authority on behalf of the data protection authorities of the other EU Member States, announced its intention to fine Marriott International £99,200,396 for violations of the General Data Protection Regulation (“The hackers did this”: Data breach lawsuits and commercial general liability insurance, 2022); the final penalty, issued in October 2020, was reduced to £18.4 million. In the opinion of ICO Commissioner Elizabeth Denham, organizations like Marriott must be held responsible for all sensitive data they control and should exercise due diligence when making corporate acquisitions, putting auditable accountability measures in place to identify acquired personal or sensitive data and ensure that it is secured. Author Bruce Sussman reports that the following data was taken from the database: email addresses, guest names, phone numbers, dates of birth, passport numbers, arrival and departure information, communication preferences, and reservation dates.
The volume of data taken in this breach is astounding, and the fines and legal actions that followed make it a very expensive error for Marriott. What Marriott could have done to prevent it is the crucial point. In her piece on what businesses can learn from the Marriott data breach, Joyce Wells asked Craig Mullins, president and principal consultant of Mullins Consulting, Inc., what steps Marriott should have taken to prevent the data leak (Talesh, 2018). His answer: organizations could prevent most of these breaches with proper encryption, data masking, and appropriate auditing software, yet these controls are not widely used. Because they are not, legislation is needed to force adequate data protection.
Best Practices
Several steps will need to be considered for Padgett-Beale to respond to CyberOne Business and Casualty Insurance’s audit findings and adapt to the changing threat of data breaches. The solutions, procedures, and policies listed below are considered industry best practices and are intended to improve data breach response plans and policies. Adopting them will reduce the likelihood of a data breach, improve the effectiveness of the response when one occurs, and reduce the monetary and reputational harm to Padgett-Beale.
Training people
To improve the effectiveness of a data breach response strategy, employees must be trained on the plan and made aware of it. Employees will not follow the data breach response procedures if they do not know the strategy and policy exist. Training also makes personnel aware of, and watchful for, the signs that a data breach is under way. The Padgett-Beale IT department is skilled, but it cannot be everywhere at once, and the likelihood of discovering a data breach improves dramatically with trained and informed workers. It is recommended that all employees receive training and awareness sessions at least once per quarter. The objective at Padgett-Beale is to foster a culture that prioritizes security, meaning that everyone, from senior executives to the newest hires, understands the plan and treats the protection of client data as a priority.
Processes
The principle of least privilege should be applied to ensure compliance and corporate data security. The principle applies to users, systems, and processes alike: each is granted only the minimum access necessary to carry out its task, and everything else is denied by default. Applying this principle reduces both the likelihood and the impact of data breaches (Talesh, 2018). It is recommended that Padgett-Beale implement least-privilege user accounts. If an employee's system or device is compromised, the attacker then holds only that user's minimal privileges rather than broad access to guest data.
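As an added illustration (not part of the original report or of any Padgett-Beale system), the following Python example shows a deny-by-default authorization check in the spirit of least privilege. The roles, actions, property identifiers and account names are hypothetical. The point it demonstrates is the containment effect described above: an attacker who steals a front-desk agent's credentials can read reservations for that agent's property and nothing more, and every decision is recorded for audit.

```python
"""Added example (not from the original report): least-privilege
authorization with deny-by-default semantics.  Roles, actions, property
identifiers and account names are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    action: str   # e.g. "reservation:read"
    scope: str    # e.g. "property:42"; "*" means every property


# Each role carries only what the job needs.  A front-desk agent can read
# and update reservations at their own property.  Bulk export of guest
# records lives in a separate, tightly held role.
ROLES = {
    "front_desk": {
        Permission("reservation:read", "property:42"),
        Permission("reservation:update", "property:42"),
    },
    "data_export": {Permission("guest:export", "*")},
}


@dataclass
class Principal:
    name: str
    roles: frozenset
    audit: list = field(default_factory=list)   # (action, resource, decision)


def scope_matches(granted: str, requested: str) -> bool:
    """A grant covers a request only for the same scope or a wildcard grant."""
    return granted == "*" or granted == requested


def authorize(principal: Principal, action: str, resource: str) -> bool:
    """Deny unless some role of the principal grants exactly this action on
    this resource.  Unknown roles grant nothing."""
    allowed = any(
        perm.action == action and scope_matches(perm.scope, resource)
        for role in principal.roles
        for perm in ROLES.get(role, ())
    )
    principal.audit.append((action, resource, "ALLOW" if allowed else "DENY"))
    return allowed


def simulate_compromised_agent() -> dict:
    """Attacker holding a hypothetical front-desk agent's credentials:
    reads at the agent's own property succeed, everything else is denied."""
    agent = Principal("agent-17", frozenset({"front_desk"}))
    return {
        "own_property_read": authorize(agent, "reservation:read", "property:42"),
        "other_property_read": authorize(agent, "reservation:read", "property:99"),
        "bulk_export": authorize(agent, "guest:export", "*"),
        "audit_entries": len(agent.audit),
    }


if __name__ == "__main__":
    for check, result in simulate_compromised_agent().items():
        print(f"{check}: {result}")
```

The important design choice is that `authorize` starts from "deny" and only flips to "allow" on an explicit, scope-matched grant; a role name that is misspelled or not yet defined grants nothing rather than everything.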
Developing policies
The incident response strategy must account for both legal and regulatory compliance. Disregarding applicable requirements will inevitably lead to costly fines. The incident response plan must also be compatible with existing plans and rules. Following these practices will help the organization avoid penalties and expensive legal actions (Jung, 2021). It is also strongly advised that the policy be tested and updated at least once a year. The Federal Trade Commission further notes that, depending on the jurisdiction, the company may be legally required to notify the individuals affected when a security breach involves their personal information. Failing to follow these requirements could cause the firm irreparable damage.
Using Appropriate Technologies
Using the proper technology increases the effectiveness of the data breach response policy. A Network Traffic Analysis (NTA) solution should be selected and deployed. The NTA solution monitors data transfers on the corporate network and searches for suspicious anomalies, such as a host suddenly sending far more data than usual or sending it to a destination it has never contacted (Jung, 2021). In addition, Endpoint Detection and Response (EDR) tracks activity on workstations and servers, spots the signs of a data breach, and notifies IT staff when threats are discovered.
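As an added example (not part of the original report and not the logic of any particular NTA product), the following Python code shows the kind of anomaly check such a solution performs. It builds a per-host baseline of outbound bytes and known destinations from a quiet period, then flags flows in a later window whose volume is far above the baseline or that go to a destination the host has never used. The host names, IP addresses and byte counts are constructed for the demonstration; the large flow from the database server to an unseen external address stands in for the kind of bulk exfiltration that went unnoticed for years in the Marriott case.

```python
"""Added example (not from the original report): minimal network traffic
analysis over constructed flow records.  Hosts, addresses and byte counts
are made up for the demonstration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (host, destination, bytes_out).
# BASELINE is a quiet period used to learn normal behaviour; WINDOW is the
# period under analysis, in which "db-server" pushes a huge volume to an
# address it has never contacted.
BASELINE = [
    ("db-server", "10.0.0.5", 1200), ("db-server", "10.0.0.5", 1500),
    ("db-server", "10.0.0.6", 900), ("db-server", "10.0.0.5", 1300),
    ("db-server", "10.0.0.6", 1100), ("db-server", "10.0.0.5", 1400),
    ("workstation-7", "10.0.0.5", 40000), ("workstation-7", "203.0.113.9", 55000),
    ("workstation-7", "203.0.113.9", 48000), ("workstation-7", "10.0.0.5", 42000),
    ("workstation-7", "203.0.113.9", 51000), ("workstation-7", "10.0.0.5", 47000),
]
WINDOW = [
    ("db-server", "10.0.0.5", 1300),
    ("db-server", "198.51.100.77", 950_000_000),   # constructed exfiltration flow
    ("workstation-7", "203.0.113.9", 52000),
    ("workstation-7", "10.0.0.5", 45000),
]


def build_baseline(flows):
    """Per host: (mean bytes per flow, population stdev, set of destinations seen)."""
    volumes = defaultdict(list)
    dests = defaultdict(set)
    for host, dst, nbytes in flows:
        volumes[host].append(nbytes)
        dests[host].add(dst)
    return {h: (mean(v), pstdev(v), dests[h]) for h, v in volumes.items()}


def detect_anomalies(baseline, flows, z_threshold=5.0):
    """Return (host, destination, reason) alerts for flows that are far above
    the host's usual volume and/or go to a destination the host never used.
    A host with no baseline at all is reported as well."""
    alerts = []
    for host, dst, nbytes in flows:
        if host not in baseline:
            alerts.append((host, dst, "no baseline for host"))
            continue
        mu, sigma, known = baseline[host]
        if sigma > 0:
            z = (nbytes - mu) / sigma
        else:  # constant baseline: any increase is infinitely unusual
            z = float("inf") if nbytes > mu else 0.0
        new_dst = dst not in known
        if z > z_threshold and new_dst:
            alerts.append((host, dst, f"volume z={z:.1f} to unseen destination"))
        elif z > z_threshold:
            alerts.append((host, dst, f"volume z={z:.1f}"))
        elif new_dst:
            alerts.append((host, dst, "unseen destination"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE), WINDOW):
        print(alert)
```

In practice the baseline would be learned over days or weeks of real flow data, and "unseen destination" alone would be too noisy for workstations that browse the internet; the combination of abnormal volume with a new destination, especially from a server that normally talks only to a few internal peers, is the signal worth paging on.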
Conclusion
Padgett-Beale must close the gaps found during the CyberOne Business and Casualty Insurance audit. Doing so has two advantages for the business. First, the CyberOne insurance coverage must be renewed to protect the company against penalties and legal fees in the worst case. Second, implementing the recommended fixes and best practices will improve the organization’s incident response strategy, reducing the chance of a data breach and keeping corporate data secure (Talesh, 2018). If the confidentiality, integrity, and availability of our data are not maintained, the firm’s ability to conduct business is jeopardized. The following recommendations can be included in the incident response plan to address the absence of specific strategies in the operating units that the audit identified.
The first is quarterly training and awareness sessions that foster a security-focused culture. Next, applying the principle of least privilege across all systems, users, and processes will lessen both the likelihood and the impact of data breaches. The incident response policy must then be tested and updated annually, with the applicable legal and regulatory compliance requirements identified and observed. Finally, Network Traffic Analysis and Endpoint Detection and Response solutions must be implemented to improve the effectiveness and capabilities of the data breach response strategy.
These recommendations will produce a data breach response policy that is capable, compliant, and flexible enough to respond to the challenges our firm may face. Once adopted, every operating unit at Padgett-Beale will have a data breach response plan and policy to follow (Jung, 2021). The updated policy will close the audit gaps, and the CyberOne Business and Casualty Insurance coverage will be renewed. This can only be accomplished if every operating unit adheres to and uses the same updated data breach response strategy and policy.
References
Jung, K. (2021). Determinants of cyber loss occurrence and the financial impact of data breach risk in the U.S. market: Implications for the Korean insurance industry. Korean Insurance Journal, 127, 1-42.
Talesh, S. A. (2018). Data breach, privacy, and cyber insurance: How insurance companies act as “compliance managers” for businesses. Law & Social Inquiry, 43(2), 417-440.
“The hackers did this”: Data breach lawsuits and commercial general liability insurance. (2022). In Cyberinsurance Policy (pp. 65-86).