Marriott reported another data breach: Why cyber risk assessment is important

Marriott International, the multinational hospitality company behind the third-largest hotel brand in the world, reported a major data breach on March 31, 2020, its second major data breach in the last two years. This breach is expected to expose the information of 5.2 million guests worldwide.

“Marriott said Tuesday approximately 5.2 million guests worldwide may have been affected. The information taken may have included names, addresses, phone numbers, birthdays, loyalty information for linked companies like airlines and room preferences. Marriott said it’s still investigating but it doesn’t believe credit card information, passport numbers or driver’s license information was accessed,” reported ABC News. At the end of February, Marriott found that a massive amount of guest information was being accessed using the user credentials of two of its employees.

After an initial investigation, Marriott believed that the data breach probably started in mid-January. It blocked those login credentials and is now assessing the situation and assisting the relevant authorities in investigating the breach. Though Marriott is doing everything it can to fix the problem now, it is not good news that it has suffered two major data breaches in less than two years.

In November 2018, Marriott reported its first major data breach, which leaked the personal information of 383 million people. The combined amount of data leaked in these two breaches therefore totals 388.2 million records. After that first breach, it was expected that Marriott would harden its cybersecurity infrastructure, train its security teams, and upgrade its systems. The latest breach raises questions about those efforts.

This brings us to the question: how does an organisation check and validate its security infrastructure? The answer: cybersecurity risk assessment.

Let’s learn more about it and how it helps organisations test their security posture.

Cybersecurity risk assessment is the risk assessment of cyber or digital threats. It has become increasingly important because nowadays every organisation implements and relies on information technology and systems to run its business. Because the business depends so heavily on these digital systems, even a small breach, hack, or malfunction may pose a high risk.

Just as general risk assessments are necessary for every organisation to stay informed and prepared for unexpected issues such as industrial malfunctions, manufacturing defects, and fatalities, cybersecurity risk assessments are critical for knowing about and preparing for unexpected cyber threats. These threats include, but are not limited to, data breaches and insider or online attacks.

“Risk assessments are used to identify, estimate, and prioritise risk to organisational operations (such as mission, functions, image, and reputation), organisational assets, individuals, other organisations, and the Nation, resulting from the operation and use of information systems. The purpose of risk assessments is to inform decision makers and support risk responses by identifying: (i) relevant threats to organisations or threats directed through organisations against other organisations; (ii) vulnerabilities both internal and external to organisations; (iii) impact (i.e., harm) to organisations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur,” according to NIST’s Guide for Conducting Risk Assessments.

Similarly, cyber risk assessment is the term for the process of assessing the cyber or digital risks facing your business or organisation. Its primary goal is to help board members and decision-makers understand the organisation’s cybersecurity infrastructure and to install and support the best risk mitigation processes for fighting off, or at least reducing the cyber risk from, both online and offline threats.

There are numerous examples and reasons that prove the importance of cyber risk assessments. The data breaches reported by Marriott International are good examples: if Marriott’s security infrastructure had been attack-proof, it might not have suffered a breach, or at least not the second one. Every customer (guest) making a reservation at Marriott after the first breach in November 2018 must have trusted its promise to harden its security infrastructure. However, it failed badly at keeping that promise. Though the investigation into the second breach is still in progress, Marriott probably had a gap in its security posture that led to the breach. What could have been done?

Even if the two employees whose login credentials were used in the second breach were themselves involved, Marriott’s security systems should have detected and reported massive data requests coming from systems at a single location or origin. Had that been detected and reported, its security teams should, ideally, have investigated the issue and identified the breach much earlier. However, it is evident that they did not detect the massive breach until recently.
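The kind of check described above, as an added illustration that is not part of the original article and does not reflect Marriott’s actual systems: each account’s daily volume of guest records is compared with its own baseline, and accounts that spike far above it are flagged together with the sources they were driven from. All account names, addresses and numbers below are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed records: (day, user, source_ip, guest_records_returned)
SAMPLE_LOG = [
    ("2020-01-06", "frontdesk_a", "10.1.1.5", 40),
    ("2020-01-07", "frontdesk_a", "10.1.1.5", 55),
    ("2020-01-08", "frontdesk_a", "10.1.1.5", 48),
    ("2020-01-09", "frontdesk_a", "10.1.1.5", 51),
    ("2020-01-06", "frontdesk_b", "10.1.2.9", 30),
    ("2020-01-07", "frontdesk_b", "10.1.2.9", 35),
    ("2020-01-08", "frontdesk_b", "10.1.2.9", 33),
    ("2020-01-09", "frontdesk_b", "10.1.2.9", 28),
    # Mid-January: both accounts suddenly pull bulk data from one new origin
    ("2020-01-15", "frontdesk_a", "203.0.113.7", 120000),
    ("2020-01-15", "frontdesk_b", "203.0.113.7", 95000),
    ("2020-01-16", "frontdesk_a", "203.0.113.7", 140000),
]

def detect_bulk_access(log, baseline_days, ratio=20):
    """Alert on (user, day) whose volume exceeds `ratio` times the user's median
    daily volume over `baseline_days`; record whether all requests that day
    came from a single source."""
    totals, sources = defaultdict(int), defaultdict(set)
    for day, user, src, n in log:
        totals[(user, day)] += n
        sources[(user, day)].add(src)
    baseline = defaultdict(list)
    for (user, day), n in totals.items():
        if day in baseline_days:
            baseline[user].append(n)
    alerts = []
    for (user, day), n in sorted(totals.items()):
        if day in baseline_days or not baseline[user]:
            continue  # baseline period itself, or no history for this user
        base = median(baseline[user])
        if n > ratio * base:
            alerts.append({"user": user, "day": day, "records": n, "baseline": base,
                           "sources": sorted(sources[(user, day)]),
                           "single_source": len(sources[(user, day)]) == 1})
    return alerts

def shared_sources(alerts):
    """Origins behind alerts for more than one account: several credentials
    driven from one place is a stronger breach signal than one noisy user."""
    users = defaultdict(set)
    for a in alerts:
        for s in a["sources"]:
            users[s].add(a["user"])
    return {s: sorted(u) for s, u in users.items() if len(u) > 1}
```

On the constructed log, both accounts are flagged from 15 January and the same external origin is tied to both of them, which is the signal the paragraph argues should have prompted an investigation.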

That said, every organisation must perform cybersecurity risk assessments on a regular basis. Doing so helps the organisation identify its security weaknesses, inform the security teams as well as decision-makers, and harden or install the cybersecurity processes and products needed to improve overall security. It also reduces long-term costs, provides awareness of the installed processes and systems, helps avoid data breaches and security incidents, and helps meet legal and regulatory cybersecurity requirements. These, in turn, help strengthen your brand and avoid unnecessary costs or risks, and build the trust of present and future customers in your organisation.

Picture credit: "Marriott Hotel", by José Carlos Cortizo Pérez, used under CC BY 2.0