How using the Gartner cyber security CARTA model can help secure customer data
The disclosure by hotel chain, Marriott, that the personal details of up to 500 million guests may have been compromised is a cyber security wake-up call for companies that store customer details—including in the cloud.
The potential theft of millions of passport details, reported on Friday, 30 November, could prove expensive. According to the US magazine Fortune, Marriott will offer to reimburse customers the cost if fraud has been committed and customers need new passports.
For companies that store customers’ financial and personal details, the breach highlights two key issues that need to be addressed in corporate cyber security policies.
First, cyber prevention requires vigilance. The Marriott breach was detected more than two years after it first occurred. This is a sobering thought for chief information officers: the fact that your systems and people have not detected a breach does not guarantee that one has not occurred.
The second issue is agility. Cyber security is a continuous arms race between cyber security professionals and attackers. The cloud is now extending that arms race into new dimensions. To stay secure, companies have to be fast-paced and stay pro-active. This involves a change in mindset.
Proactive mindset the key to cyber prevention
But what practical steps should your company take to avoid a similar breach? Most important is, don’t wait for a cyber security alert: look into new ways of detecting any breaches that may already have occurred.
And don’t rest easy. If you are a major corporate, it is safest to assume you are constantly being attacked—and that some attacks will succeed.
Four-step process to mitigate risk
To mitigate and manage similar cyber security risks, we recommend a cyber response process built around four key steps:
This four-step process is built on a methodology put together by Gartner, called the ‘Continuous Adaptive Risk and Trust Assessment’ (CARTA). Gartner provides a great 60-minute introduction to this approach, accessible with registration.
To stay secure, though, the key will always be vigilance. As companies move more functions and databases into the cloud, malware designers will refine their attacks. A continuous re-assessment of cyber prevention tactics will prove the most effective strategy in this ongoing cyber arms race. Talk to Roger and his team of experts today on +61 2 9409 7000 to find out more about protecting your business.
By Roger Carvosso, Product and Innovation Director
Globalisation, new technologies and digital business models are transforming the supply chain. Many businesses rely on organisations and individuals in different regions or countries to own the processes, materials or expertise used to provide a product or service.
However, malicious individuals or groups are increasingly aware that any supply chain is only as strong as its weakest link. If just one participant in a supply chain is lax about security, all businesses and individuals involved may be at risk.
Malicious parties may exploit weaknesses to steal valuable intellectual property, disrupt the creation or delivery of products and services, or threaten businesses or individuals for financial gain.
The United States National Institute of Standards and Technology (NIST) highlighted the importance of a cyber-secure supply chain in its Cybersecurity Framework. The latest version of the Framework – which provides voluntary guidance for organisations to better manage and reduce cyber-security risks – incorporates additional descriptions about how to manage supply chain cybersecurity.
Furthermore, a recent KPMG report points out “organisations that understand and manage the breadth of their interconnected supply chains and their points of vulnerability and weaknesses are better placed to prevent and manage issues.”
So what measures can businesses take to reduce cyber-security risks to their supply chains? Here are some steps that business owners and managers may consider taking:
By implementing these and other measures through a comprehensive supply chain cyber security plan – that is itself part of an integrated approach to cyber security and physical security – businesses can minimise the risk of infiltration and compromise by attackers. If you would like to learn more, please contact us at firstname.lastname@example.org.
By Simon Ryan, CTO