You may recall the breach, which spanned several years; a Business Insider article gave a good summary of the main events:
So, one company suffered a big breach exposing the sensitive data of 339 million people. Two years later, another company acquired that business, the breach still being unknown at the time. Two years after that, the breach was discovered.
What happened next?
Marriott now has to defend itself against the fine (or at least negotiate over the size of it).
The original problem, on Starwood’s watch, was a compromised database:
“The breach exposed sensitive guest data, including combinations of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of births, genders, arrival and departure information, reservation dates, and communication preferences.
Some encrypted payment card numbers and expiration dates were also exposed, but the company didn’t confirm whether that payment information was safe due to its encryption in its initial statement in November.”
Clearly, for Marriott, the events that caused all this occurred long before it had any responsibility for the Starwood business. However, the length of time between the deal and the eventual discovery of the breach makes it rather hard for Marriott to claim zero responsibility for not identifying it, either at the point of purchase or during the on-boarding and integration of property, systems, data, networks and, in a real sense, any tangible corporate risks.
Ultimately, it is probably best to cite the ICO finding directly rather than trying to interpret the events all over again:
Marriott had “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.
For any company buying another company, the ICO's findings and the intended fine in this case mean that some form of due diligence on cyber security posture and on past breaches (or the likelihood of one) is going to become increasingly necessary.
In his blog post, Ian McCraw asserts that:
“No deal has ever been made worse by performing Cyber Due Diligence, a process that reveals a spectrum of Cyber-related strategic deal issues, hidden costs and operational risks before investing in a business”
The blog contains a good summary of M&A cyber risks. Some are obvious and should always get attention: the general risk from cyber-crime, judged from its reported global cost; the likelihood of being affected, in terms of the proportion of businesses hit; the number of personal data records held or the value of IP assets; and the size of the fines that could be imposed, based on turnover and so on. But there are also risks to the deal itself and to the transaction: paying a price above the true value once IP and data security risks are factored in, and the cost of integrating and managing cyber exposures as systems and networks are unified.
Some of these risks can be quantified or derived from external factors or statistics, but it is also important to understand the cyber posture of the business being acquired, and this needs to be achieved in a quick, unintrusive but objective way.
It may not be possible to conduct a full in-depth cyber security review, penetration test and breach investigation of the target business: that can be an expensive process, and the bigger the organisation, the more complex the assessment and the higher the price tag.
One approach, which mirrors some of the oversight and cyber security reporting regimes now being put in place, is to start with key performance indicators (KPIs) for the outcomes of the cyber security operational processes, and then use those KPIs either to gauge risk directly or to indicate the level of cyber security culture or maturity, and hence whether further examination is needed.
Good data points to measure initially are the things most often linked to data breaches: the state of operating system and application patching, the way privileged accounts are managed, the adequacy of backups, and the controls placed around user activity (malware prevention at the endpoint and so on).
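As an added example (not part of the original post, and not any product's code), the following script shows how those four hygiene KPIs can be computed from a target's asset and privileged-account inventory and turned into a "further examination needed" decision. The inventory records are constructed for illustration, the field names are assumptions rather than any tool's export format, and the windows (30-day patch cycle, 7-day backup, 90-day privileged-account use) and the 90% per-KPI threshold are assumed values to be tuned to the acquirer's risk appetite.

```python
from datetime import date
from typing import Optional

# Constructed sample data for illustration only; field names are assumptions,
# not any particular tool's export format.
AS_OF = date(2020, 7, 31)  # assumed date of the due-diligence snapshot

HOSTS = [
    {"host": "web01", "last_patched": "2020-07-20", "edr": True,  "last_backup": "2020-07-30"},
    {"host": "web02", "last_patched": "2020-04-02", "edr": True,  "last_backup": "2020-07-29"},
    {"host": "db01",  "last_patched": "2020-07-05", "edr": False, "last_backup": "2020-05-01"},
    {"host": "app01", "last_patched": "2020-07-28", "edr": True,  "last_backup": "2020-07-31"},
    {"host": "fs01",  "last_patched": "2019-12-15", "edr": False, "last_backup": None},
]

PRIVILEGED_ACCOUNTS = [
    {"user": "admin.jsmith", "mfa": True,  "shared": False, "last_used": "2020-07-30"},
    {"user": "svc_backup",   "mfa": False, "shared": True,  "last_used": "2020-07-31"},
    {"user": "admin.old",    "mfa": True,  "shared": False, "last_used": "2019-10-01"},
    {"user": "admin.mlee",   "mfa": True,  "shared": False, "last_used": "2020-07-15"},
]

# Assumed thresholds: the fraction of hosts/accounts that must be in a good
# state for a KPI to count as "covered".
THRESHOLDS = {"patching": 0.9, "privileged_accounts": 0.9, "backups": 0.9, "endpoint_controls": 0.9}


def _age_days(iso_date: Optional[str], as_of: date) -> Optional[int]:
    """Days between an ISO date string and the snapshot date; None if the date is missing."""
    if iso_date is None:
        return None
    return (as_of - date.fromisoformat(iso_date)).days


def _fraction(items, predicate) -> float:
    """Share of items for which predicate holds; an empty list scores 0 (no evidence, no credit)."""
    if not items:
        return 0.0
    return sum(1 for item in items if predicate(item)) / len(items)


def patching_kpi(hosts, as_of, max_age_days=30) -> float:
    """Fraction of hosts whose last patch cycle falls within the assumed window."""
    def patched(h):
        age = _age_days(h["last_patched"], as_of)
        return age is not None and age <= max_age_days
    return _fraction(hosts, patched)


def backups_kpi(hosts, as_of, max_age_days=7) -> float:
    """Fraction of hosts with a backup inside the window; a missing backup counts as a failure."""
    def backed_up(h):
        age = _age_days(h["last_backup"], as_of)
        return age is not None and age <= max_age_days
    return _fraction(hosts, backed_up)


def endpoint_controls_kpi(hosts) -> float:
    """Fraction of hosts with endpoint malware protection (EDR) deployed."""
    return _fraction(hosts, lambda h: bool(h["edr"]))


def privileged_accounts_kpi(accounts, as_of, stale_days=90) -> float:
    """Fraction of privileged accounts that are individual, MFA-protected and recently used.

    Shared accounts and accounts unused for longer than stale_days are counted as
    unmanaged: both are common footholds in the breaches the KPI is meant to flag.
    """
    def managed(a):
        age = _age_days(a["last_used"], as_of)
        return a["mfa"] and not a["shared"] and age is not None and age <= stale_days
    return _fraction(accounts, managed)


def assess(hosts, accounts, as_of=AS_OF, thresholds=THRESHOLDS) -> dict:
    """Compute all KPIs and decide whether basic hygiene is present or deeper review is needed."""
    kpis = {
        "patching": patching_kpi(hosts, as_of),
        "privileged_accounts": privileged_accounts_kpi(accounts, as_of),
        "backups": backups_kpi(hosts, as_of),
        "endpoint_controls": endpoint_controls_kpi(hosts),
    }
    failing = sorted(k for k, v in kpis.items() if v < thresholds[k])
    return {
        "kpis": kpis,
        "failing": failing,
        "verdict": "basic hygiene present" if not failing else "further examination needed",
    }


if __name__ == "__main__":
    result = assess(HOSTS, PRIVILEGED_ACCOUNTS)
    for name, value in result["kpis"].items():
        print(f"{name:20s} {value:5.0%}")
    print(result["verdict"], result["failing"])
```

Every KPI is expressed as a fraction of the population so that a small acquisition and a large one are read on the same scale, and missing evidence (no backup date, an empty inventory) scores zero rather than being skipped, since during due diligence the absence of a record is itself a finding. On the constructed data all four KPIs fall below the assumed 90% bar, so the script recommends further examination rather than trusting the environment.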
If these areas score highly or appear to be covered, then there is a decent level of basic cyber hygiene, and some trust in the environment can be gained. Subsequent due diligence can then focus on specifics: the customer database, the web front end, the protection of IP, i.e. the "big ticket" items that could affect deal value or lead to future fines if they turn out to have been compromised. These risks can be examined in detail, insured against (with, hopefully, lower premiums given that the foundations are solid) or priced into the transaction.
If, on the other hand, these basic indicators show cause for concern, the buying entity has options. In the current climate of "when, not if", it is safe (or at least defensible) to assume that an organisation with sloppy cyber security has already been breached or is highly likely to be. That knowledge can drive negotiations on price, lead to much more in-depth studies of the extent of cyber risk, or prompt direct consideration of threat scenarios and a search for pre-existing indicators of compromise; it also frames the discussion of where those costs sit, with the buyer directly or as part of the seller's undertakings to the buyer.
To reiterate the point made above, no deal has ever been made worse by considering cyber risks. It is much better to find them out pre-deal, during due diligence, and price them into the transaction than to get caught as Marriott did with the compromised Starwood database.
The sums involved (hundreds of millions of dollars) give credence to the assertion that considering cyber risk is vital. Marriott's eventual fine might yet be reduced, but look at the earlier Verizon/Yahoo deal: Yahoo had been breached, and Verizon ended up paying $350m less for the business because of it. Either way, whether through a big fine or a hit on the price paid or valuation, there is real money at stake.
It is important (as the aforementioned article agrees) to: