[Eye Opener] Lessons Learned from a Big Hotel's Recent Data Breach Caused By Social Engineering

This week Marriott International, one of the largest hotel chains, suffered their second data breach of 2022. The attack by a group named 'Group with No Name' (GNN) took place in early June, and they used social engineering to trick one of the hotel's employees into granting access to that associate's computer.

Luckily the data breach only affected a few hundred users, but there are some valuable lessons to be shared on how important it is to implement new-school security awareness training across your whole organization.

Monthly short training reinforcement followed by simulated phishing tests

“Organizations need to ensure that all employees are frequently educated about social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and applied the training,” said Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4.

Assess your employees for their strengths and weaknesses

KnowBe4 has a 10-minute Security Awareness Proficiency Assessment, grounded in recent research, to assess your users' susceptibility to cybercrime, and more specifically, their susceptibility in relation to your organization's cyber security needs. Learn more about proficiency and culture assessments.

Employees found to be susceptible to a particular type of social engineering attack should be required to take more and longer training until they have developed a natural instinct to recognize these types of attacks. This process can be fully automated with smart groups.
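To make the assess-then-escalate loop above concrete, here is an added example (not KnowBe4's code or its smart-group implementation) that takes constructed simulated-phishing results, computes the Phish-prone percentage, reports the click rate per attack vector, and sorts each user into an escalating training tier based on how many simulations they failed. The tier names and the "one tier per failure" policy are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample results from one round of simulated phishing (not real data).
# Each record: user, attack vector used, whether the user clicked, whether they reported it.
SAMPLE_RESULTS = [
    {"user": "alice", "vector": "email", "clicked": False, "reported": True},
    {"user": "bob",   "vector": "email", "clicked": True,  "reported": False},
    {"user": "bob",   "vector": "sms",   "clicked": True,  "reported": False},
    {"user": "carol", "vector": "email", "clicked": True,  "reported": False},
    {"user": "dave",  "vector": "voice", "clicked": False, "reported": False},
    {"user": "erin",  "vector": "email", "clicked": False, "reported": True},
]

# Assumed escalation policy: more failed simulations -> more and longer training.
TRAINING_TIERS = {0: "monthly-reinforcement", 1: "remedial-basic", 2: "remedial-extended"}


def phish_prone_percentage(results):
    """Percentage of simulated phishes that produced a click (the post's Phish-prone %)."""
    if not results:
        return 0.0
    clicked = sum(1 for r in results if r["clicked"])
    return round(100.0 * clicked / len(results), 1)


def click_rate_by_vector(results):
    """Click rate per attack vector, so training can target the weakest vector, not just email."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in results:
        sent[r["vector"]] += 1
        clicked[r["vector"]] += 1 if r["clicked"] else 0
    return {v: round(100.0 * clicked[v] / sent[v], 1) for v in sorted(sent)}


def assign_training_groups(results):
    """Place every user into a training tier keyed by their number of failed simulations.

    This mirrors the 'smart group' idea: users who keep clicking are moved into
    longer remedial training; the top tier absorbs anyone with more failures.
    """
    failures = defaultdict(int)
    for r in results:
        failures[r["user"]] += 1 if r["clicked"] else 0  # touches every user, even with 0 fails
    groups = defaultdict(list)
    for user, n in sorted(failures.items()):
        groups[TRAINING_TIERS[min(n, max(TRAINING_TIERS))]].append(user)
    return dict(groups)


if __name__ == "__main__":
    print("Phish-prone %:", phish_prone_percentage(SAMPLE_RESULTS))
    print("By vector:", click_rate_by_vector(SAMPLE_RESULTS))
    print("Training groups:", assign_training_groups(SAMPLE_RESULTS))
```

Running the same functions on each month's results lets you watch whether the Phish-prone percentage falls as the remedial groups shrink.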

Above all: Don’t get a reputation as an easy target

This latest data breach reveals that organizations can’t afford to gain a reputation as an easy target. If your org falls victim to a data breach, then there’s a high likelihood that other attackers will attempt to target you again, making the assumption that your organization has weak security controls.

A good example is a recent Cybereason report showing that 73% of all organizations have experienced a ransomware attack in the last 12 months, and for those that were attacked, the question of whether the ransom was paid always comes up. But even after paying the ransom, 80% experienced a second attack and 68% were asked for a higher ransom!

The only way to avoid this predicament is to implement the latest detection and response solutions and to invest in frequent security awareness training, so that employees embrace security best practices and become an effective last line of defense.

Here are 10 more best practices that will help make your organization a hard target:

  1. Integrate as many of your security layers as possible into an XDR solution
  2. Deploy and enforce multi-factor authentication for the maximum number of users
  3. Make sure to always have weapons-grade off-site backups in place and test your restore function regularly
  4. Make sure URL filtering is tuned correctly for your next-gen Secure Email and Web Gateways
  5. Make sure your endpoints are patched, both the OS and all 3rd party apps
  6. Review your internal financial security policies and procedures, to prevent CEO fraud
  7. Check your firewall configuration and make sure no criminal network traffic is allowed out to C&C servers
  8. Make sure your social engineering training covers multiple attack vectors, not just email
  9. Work on your security budget to show it is increasingly based on measurable risk reduction
  10. With any ransomware infection, nuke the infected machine(s) from orbit and re-image from bare metal

Valuable education infographics such as our Social Engineering Red Flags PDF and more will teach your users to identify these types of attacks. VentureBeat has the full story with links.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!
