What Marriott and Quora did Wrong

network security, security, data breach, retrospective, Jan 9, 2019 4:18:36 PM

Really? Again?

When will companies learn how to properly protect their data? Starting with Target and Yahoo in 2013, Sony and OPM in 2014, Ashley Madison in 2015, the Democratic National Committee in 2016, Equifax in 2017 and now Marriott and Quora back-to-back to cap off 2018, data breaches are becoming a mainstay in the news. It begs the question: what are so many of these organizations missing?

And if it can happen to companies with big budgets like these, then how can a mid-market or small business be expected to keep up?

First, let’s take a look at the specifics of both breaches:

                  Marriott                     Quora
Occurred          4 years ago                  Recent (investigation pending)
Disclosed         3 months after discovery     3-4 days after discovery
Public Reaction   Angry                        Timely, transparent, forthcoming

If your business has clients, then you most certainly have client data - and having a data protection strategy is crucial. We’ve done a simple start, stop, continue analysis to help understand what the foundation is for avoiding ending up on this hit list of hacked companies.

Start

Taking Data Seriously

If you aren’t already taking customer data seriously, you need to start now. Companies ought to view access to their customer data as a privilege and treat it as such. Besides the moral component, most states or countries have disclosure timelines that must be adhered to once a breach has taken place, and signing the contracts with the vendors you’ll need takes longer than the disclosure requirements will allow.

Zero Trust

Ten years after the Zero Trust model was developed by John Kindervag of Forrester Research, it’s become the strategy of choice for data protection. Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access.(1) Leading Zero Trust frameworks like BeyondCorp move access controls from the perimeter to individual devices and users, avoiding a traditional VPN and permitting employees to work securely from any location.
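To make that shift concrete, here is an added Python example (not from the original post, and not BeyondCorp's own code) that contrasts a perimeter check with a per-request Zero Trust decision; the users, resources, device attributes and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool      # identity proven for this session
    device_managed: bool    # device enrolled in device management
    device_patched: bool    # device meets the patch baseline
    source_ip: str
    resource: str

# Constructed authorization table: which users may reach which resource.
ACCESS_POLICY = {
    "hr-records": {"alice"},
    "wiki": {"alice", "bob"},
}

def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anything originating inside the corporate network is trusted."""
    return req.source_ip.startswith("10.")

def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Per-request check of identity, device posture and authorization.
    Network location is deliberately never consulted."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if not (req.device_managed and req.device_patched):
        return False, "device posture check failed"
    if req.user not in ACCESS_POLICY.get(req.resource, set()):
        return False, "user not authorized for resource"
    return True, "allowed"

# Constructed sample requests: the first looks "internal" but is unverified.
INSIDE_UNVERIFIED = AccessRequest("alice", False, False, False, "10.1.2.3", "hr-records")
REMOTE_VERIFIED = AccessRequest("alice", True, True, True, "203.0.113.7", "hr-records")
REMOTE_UNAUTHORIZED = AccessRequest("bob", True, True, True, "203.0.113.8", "hr-records")

def compare(req: AccessRequest) -> Dict[str, object]:
    """Return both verdicts so the two models can be compared side by side."""
    allowed, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reason": reason}

if __name__ == "__main__":
    for label, req in [("inside, unverified", INSIDE_UNVERIFIED),
                       ("remote, verified", REMOTE_VERIFIED),
                       ("remote, unauthorized", REMOTE_UNAUTHORIZED)]:
        print(label, compare(req))
```

The first request is granted by the perimeter model purely because of its source address and refused by the Zero Trust check, which is the gap the post is describing.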

Stop

Perimeter Defense is Dead

If it wasn't already known or understood, perimeter defense is dead. Yes, you should still have a perimeter, but you can't assume someone hasn't or can't breached it. In fact, you should assume the opposite - that they can and will - and then plan accordingly (keep reading).

It’s Time to Assume the Worst

Everyone should operate assuming they will be hacked. Stop hoping for the best and plan for the worst: How will you detect or know if you've been compromised? What is your incident response plan? How long will it take to execute? Once you detect a breach it is too late to put these plans together.

Continue

Staying current with industry best practices and trends. The industry and cloud providers are constantly building up their security offerings in response to security threats and industry demands. Continuing to stay up to date on these new product offerings and implementing applicable solutions will ensure you do not accrue technical debt with regard to your infrastructure and security posture.

Now what?

The people behind cyber attacks vary just as much as their motivations. Sometimes the perpetrators are nation-states looking to collect intelligence, sometimes it is a criminal gang, sometimes it is a script kiddie, and sometimes it is just someone with a grudge. Organizations in the financial sector, government, and defense are probably more likely to be attacked, but really anyone with an online presence is a target.

How can you tell if your company is ready for an attack? How would you fare if you were attacked today?