What the Marriott International breach teaches us about social engineering 

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!

Yesterday, one of the largest hotel chains in the world, Marriott International, confirmed that it had suffered its second data breach of 2022, shortly after Databreaches.net broke the news after receiving an anonymous tip. 

During the breach, which took place some time in early June, a threat actor managed to gain access to an employee’s computer and obtained approximately 20 gigabytes of data including credit card details and confidential information about guests and workers, such as flight reservation logs. 

The attackers, dubbed the Group with No Name (GNN), appear to have orchestrated a social engineering attack targeting employees working at the BWI Airport Marriott in Maryland (BWIA), and managed to trick one of them into granting access to their computer. 

While the data breach has only affected 400 people, it highlights some valuable lessons for CISOs and security leaders, particularly with regard to the threat posed by social engineering threats, and the havoc that poor security awareness can wreak on an organization. 

What the Marriott Breach Reveals About Social Engineering 

The latest Marriott breach highlights that human error is one of the greatest risks to an organization’s security. All it took to exfiltrate the organization’s data, was for the threat actor to manipulate an employee into handing over access to their device.

In the realm of cybersecurity, manipulation is one of an attacker’s most effective weapons. Unlike exploits or brute force attacks that target endpoints or IT systems that can be patched or mitigated consistently, human beings aren’t perfect, and easily make the mistake of handing over login credentials or exploitable information. 

“A primary mechanism being used by adversaries is social engineering. It’s simple and effective. And it means that initial compromise is dependent on human behaviors and is therefore impossible to prevent 100% of the time,” Said CEO and Founder of security operation and analytics provider, Gurucul, Sarya Nayyar. 

“All it takes is one successful compromise to circumvent most preventative controls,” Nayyar said. 

It is for this reason that the number of social engineering attacks reached 25% of total breaches in 2022, and why the human element (social engineering, errors and misuse) accounts for 82% of breaches this year. 

Even employees with high security awareness aren’t immune to being caught off guard, particularly when the average organization is targeted by over 700 social engineering attacks each year.

How organizations can respond to social engineering 

One of the simplest ways organizations can address social engineering threats is with security awareness training, which teaches employees security best practices, what phishing, social engineering and other manipulation attempts look like, so they can avoid sharing any valuable information with cyber criminals. 

“Organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training,” said defense evangelist at KnowBe4, Roger Grimes. 

“Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct to out these types of attacks,” 

For extra security, Nayyar recommends that organizations implement a detection program, to monitor and identify risky access controls and user behaviors to detect abnormal or deviant activity, to not only defend against external threats, but also internal threats. 

It’s important to note that detection and response is an area where many enterprises are lacking, with research showing that 36% of mid-size organizations don’t have a formal incident response plan in place.

Above all: Don’t get a reputation as an easy target

Finally, this latest data breach reveals that enterprises can’t afford to gain a reputation as an easy target. If your company falls victim to a data breach, then there’s a high likelihood that other attackers will attempt to target you again, making the assumption that your organization has weak security controls. 

“As this latest breach demonstrates, organizations that are victims of previous attacks are more likely to be targeted in the future. This attack does little to restore faith in Marriott’s data security following the massive beach of the data of 5.2 million guests in 2020,” said VP of Threat Intelligence at Egress, Jack Chapman. 

Given that this breach was the third of its kind that Marriott has experienced in the last four years, it is possible that other organizations are looking at the hotel chain as a potential target. 

The only way to avoid this predicament is to avoid being seen as an easy target – implementing the latest detection and response solutions and consistently investing in security awareness training to help employees embrace security best practices and mitigate human risk. 

Originally appeared on: TheSpuzz