Introduction
The recent Cybersecurity Audit done on the CyberOne Business and Causality Insurance revealed a number of serious gaps that existed in the Padgett-Beale Incident response plan. When the identified gaps and vulnerabilities are not well addressed, there will arise a significant loss of insurance coverage from CyberOne. For the company’s better future, it is vital that these gaps are addressed in the audit report. The audit found that the business’ operating units lacked detailed strategies to safeguard their data (““The hackers did this”: Data breach lawsuits and commercial general liability insurance,” 2022). CyberOne believes our business is unprepared to respond or stop a significant data breach. The shortcomings and lessons our company must take away from the costly error of a rival in our business will be identified in examining the following Marriot data breach. Industry best practices to remedy the weaknesses in the system will be suggested after the breach study has been evaluated. So that the best choices may be taken to address the audit results, these lessons and suggestions are being provided.
Analysis
The data breach in Marriott has been ranked among the largest data breaches globally, holding the second position of all time by many industry experts. The number of hotel guests affected by this breach was approximately 400,000,000, with a total loss of over three million US dollars. The breach began in 2014 when the personal data that the customers used to place their hotel bookings and reservations were taken by the attackers for their benefit. The good news is that Marriot already had a policy that provided coverage for some expenses related to the data breach (““The hackers did this”: Data breach lawsuits and commercial general liability insurance,” 2022). Because there are still prospective legal actions and regulatory and compliance fines, author Patrick Nohe makes the following statement in response to the unfortunate news. “Marriott’s cyber insurance could apply to some of those as well, but we don’t know enough about the policy to determine whether or not it will pay out.”
Customers and property owners are connected in the current hotel business model through online reservation platforms. Marriott paid $13.6 billion to purchase Starwood Hotels & Resorts. This merger would cost Marriott a lot of money and be bad for Marriott (Talesh, 2018). The Starwood Hotels & Resorts website’s reservation system was broken into during the transaction. By doing so, Marriott accepted the dangers and repercussions of the unidentified data breach. The hotel sector is now particularly susceptible to several security flaws. For instance, there have recently been security lapses at Hyatt Hotels Corp., Trump Hotels, and InterContinental Hotels Group.
After a thorough investigation, the Information Commissioner’s Office (ICO) concluded that Marriott International would experience a fine of ÂŁ99,200,396 for violations of the General Data Protection Regulation on behalf of the data protection authorities of the EU Member State and other applicable parties (““The hackers did this”: Data breach lawsuits and commercial general liability insurance,” 2022). Organizations like Marriott, in the opinion of ICO Commissioner Elizabeth Denham, must be made responsible for every data they control that is classified as sensitive and should exercise due diligence when making corporate acquisitions to put auditable accountability measures in place to identify obtained personal or sensitive data and ensure that it is secured. Author Bruce Sussman claims that the following data was specifically taken from the database: Email addresses, Names of the guests, phone numbers, dates of birth, passport numbers, arrival and departure information, communication preferences, and reservation dates.
The volume of data that was taken in this hack is astounding. Unfortunately for Marriott, the fines and legal actions that will follow will make this a very expensive error. What Marriott might have done to prevent this is a crucial point that has to be addressed. In her piece, Mullins Consulting, Inc.’s president and primary consultant, Joyce Wells, discusses what the business can learn from the Marriott data breach. On what steps Marriott should have taken to prevent this data leak, Craig Mullins was questioned (Talesh, 2018). Organizations may prevent the majority of these breaches with the right encryption, masking, and appropriate auditing software; nevertheless, these solutions are not widely used. Forcing good data protection is why there is a need for legislation.
Best Practices
Several suggested steps will need to be taken into consideration for Padgett-Beale to respond to the audit findings of CyberOne Business and Casualty Insurance and adapt to the changing dangers of data breaches. The solutions, procedures, and policies listed below are considered industry best practices and are intended to improve data breach response plans and policies. Adopting these suggestions will reduce the likelihood of a data breach, improve the effectiveness of reacting to breaches, and reduce any monetary or reputational harm to Padgett-Beale.
Training people
In order to boost the efficacy of a data breach response strategy, corporate workers must be trained and made aware of the situation. Employees won’t adhere to appropriate data breach response process standards if they are not aware of the strategy and policy. Additionally, personnel will benefit from training by being aware of and watchful for clues that a data breach is likely. Although skilled, the Padgett-Beale IT department cannot be present everywhere at once. The likelihood of discovering data breaches dramatically improves with trained and informed workers. It is advised that all corporate employees get training and awareness sessions at least once per quarter. At Padgett-Beale, the objective is to foster a culture that prioritizes security. This indicates that everyone, from senior executives to the newest hires, is informed and educated and that client data protection is significant.
Processes
The least privilege concept should be used to assure compliance and corporate data security. Users, systems, and procedures are all affected by this rule. It merely permits the minimum access necessary to carry out a task. Utilizing this idea will lower the chance of data breaches (Talesh, 2018. It is suggested that Padgett-Beal implement the notion of user accounts with the least privilege. If a system or device belonging to an employee is penetrated, the attacker will only have access to the bare minimum of that user’s privileges.
Developing policies
The incident response strategy must include both legal and regulatory compliance. Costly fines will inevitably arise from disregarding applicable requirements. The incident response plan must also be compatible with current plans and rules. The organization will avoid penalties and expensive legal actions thanks to these excellent practices (Jung, 2021). Additionally, it is strongly advised to ensure that the policy is tested and updated at least once a year. The Federal Trade Commission further notes that, depending on the jurisdiction, it may be legally mandated to notify victims of a security breach if it involves their personal information. If these guidelines are not followed, the firm might suffer irreparable damage.
Using Appropriate Technologies
The effectiveness of the data response policy may be increased by using the proper technology. A Network Traffic Analysis (NAT) solution should be selected and used. The NAT will watch over corporate network data transfer and search for suspicious anomalies (Jung, 2021). Additionally, Endpoint Detection and Response (EDR) will be used to track and spot data breaches and notify IT staff when threats are discovered.
Conclusion
Padgett-Beal must fill the vulnerabilities found during the CyberOne Business and Casualty Insurance audit. Addressing these gaps has two advantages for the business. In order to safeguard the company against penalties and legal fees in the worst-case situation, the CyberOne insurance coverage must first be renewed. Second, implementing the suggested fixes and best practice suggestions will improve the organization’s incident response strategy. Doing this will reduce the chance of a data breach, and the security of corporate data will always be maintained (Talesh, 2018). The capacity of the firm to conduct business will be jeopardized if the confidentiality, accessibility, and integrity of our data are not maintained. The following suggestions can be included in the incident response plan in order to address the discovered absence of particular strategies in the firm operational units.
The first approach is quarterly training and awareness while fostering a security-focused culture. Next, implementing the least privilege concept across all systems, users, and procedures will lessen the likelihood of data breaches. The incident response policy must then be tested and updated annually, along with identifying and observing the legal and regulatory compliance requirements. Finally, a Network Traffic Analysis and Endpoint Detection and Response solution has to be implemented in order to improve the effectiveness and capabilities of the data response strategy.
These suggestions will enable the development of a data response policy that is capable, compliant, and flexible enough to respond to any challenges our firm may face. Each operational unit at Padgett-Beal will have a data response plan and policy to follow after accepting these guidelines (Jung, 2021). The updated policy will fill the audit holes, and CyberOne Business and Casualty Insurance will be renewed. This can only be accomplished if every operational unit adheres to and uses the same updated data response strategy and policy.
References
Jung, K. (2021). Determinants of cyber loss occurrence and the financial impact of data breach risk in the U.S. market: Implications for the Korean insurance industry. Korean Insurance Journal, 127, 1-42. Web.
Talesh, S. A. (2018). Data breach, privacy, and cyber insurance: How insurance Companies Act as “Compliance managers” for businesses. Law & Social Inquiry, 43(02), 417-440. Web.
“The hackers did this”: Data breach lawsuits and commercial general liability insurance. (2022). Cyberinsurance Policy, 65-86. Web.