Background: Data Lemons

“When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a perfect example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem. Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing a lemon.” Harvard Business Review

Overview

Learning Pool is a full-service e-learning provider, offering a range of courses, tools and content creation.

Since 2006, Learning Pool has grown from a modest team of five to a market leader in the e-learning industry.

Today it employs over 450 people across its 9 offices around the UK and USA. It has more than 1,400 customers around the world and supports 5.1 million learners in 30 countries across 42 different languages. The company’s clients include HubSpot, Tearfund and InterContinental Hotel Group.

Why Learning Pool chose Vertical Structure

Learning Pool deals with sensitive, private information. Security is a top concern for Learning Pool and its customers, especially around information security.

It has recently made its fifth acquisition which means it has to be confident of the resilience of its newly acquired technology too.

Vertical Structure has a long standing relationship with Learning Pool and has provided cyber security consultancy to the team since 2012. From the outset, Learning Pool was impressed with how Vertical Structure took the time to understand its applications.

The Vertical Structure team consists of qualified and experienced practitioners in AWS infrastructure (AWS Consulting Partner), security & penetration testing, and delivering clear and actionable reports.

The solution

Vertical Structure regularly carries out manual and automated penetration testing on Learning Pool’s applications and on the technologies it has acquired. Application testing is aligned with industry standards such as OWASP and identifies, and classifies, issues within an application. This provides a full picture of the associated risks and actionable remediation advice.

Results

Vertical Structure delivers independent assurance that Learning Pool is taking the right steps to ensure the applications are secure.

How we can help you

Due diligence is the investigation by one party into the business and assets of another party, typically its contracts, finances, people and customers. But to avoid, or fully account for, potential post-transaction risks, fines and costly remediation, cyber and data security need to be included in the process.

Has an application been compromised? We can:

Investigate deep and dark web exposure. ALSO that of suppliers, contractors, subsidiaries, and other third parties.

Is a technology vulnerable? We can:

Examine systems for exploitable vulnerabilities, bad or unusual behaviours. Gauge employee awareness with social engineering exercises. Will provide a measurable insight into the real-world risks a company faces.

What is the nature & risk profile of data? We can:

Identify information security risks and governance, technology.