Why the Latest Marriott Breach Should Make Us "Stop and Think" About Security Behaviors
Marriott International has experienced their second data breach after two franchise employee logins were used to access more than five million guest records beginning in January. Contact details, airline loyalty program account numbers, birth dates and more were collected -- but likely not Bonvoy loyalty account numbers, PINs or payment information.
As noted, this is the second breach that Marriott has undergone in recent times, the first being through its acquired Starwood brand of hotels back in 2018 when it lost a large amount of personal information relating to its customers. So here we go again. While this breach may not be as serious this time around, the big question is what will this do for customer trust in Marriott’s brand and reputation.
“Fool me once, shame on you, fool me twice, shame on me” comes to mind.
Most organizations who have gone through a breach review their security procedures and policies – no one wants it to happen to them again – traditionally extra funding is provided to deal with necessary remediation, which of itself can run into millions of dollars when, at the most basic level, funding a personal information monitoring service for victims along with the inevitable fines and cost of brand rebuild are taken into account.
Therefore, the issue that Marriott will need to address is how did this happen again, within a short period of time of the last breach and for some, particularly those accustomed to the European GDPR notification period, the question may also be and why did it take a month from discovery for Marriott to notify those affected?
Well the answer to the second question is simple, the U.S. has no national data breach notification requirement, and the patchwork quilt of 48 state laws that exist typically require notification within 30 to 45 days – this is clearly quite a bit longer that the mandatory 72-hour GDPR breach notification period in Europe. As for the bigger question of how did it happen again, well only time will tell, but for me this highlights a key challenge for many organisations, not just in the hospitality sector, namely that of how do you secure your third party suppliers?
The breach occurred at one of Marriott’s franchise properties by accessing the login credentials of two employees at the property. From a security standpoint this shines a light on two key challenges for security professionals today: the third party supplier and awareness about the insider threat. Unfortunately, third parties are becoming more of a vulnerability than ever before.
Organizations of all sizes need to think about the consequences of a trusted third party, in this case a franchisee, providing accidental, but harmful, access to their corporate information. Information shared in the supply chain can include intellectual property, customer or employee data, commercial plans or negotiations, and logistics. To address information risk, breach or data leakage across third parties, organizations should adopt robust, scalable and repeatable processes – obtaining assurance proportionate to the risk faced. Whether or not this was the case with Marriott remains to be seen.
Supply chain information risk management should be embedded within existing procurement and vendor management processes, so supply chain information risk management becomes part of regular business operations. Will this also help address the insider threat? Well it should certainly help raise awareness but the reality is that the insider threat is unlikely to diminish in the coming years. Efforts to mitigate this threat, such as additional security controls and improved vetting of new employees, will remain at odds with efficiency measures.
Organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that aﬀect risk positively. The risks are real because people remain a ‘wild card’ and our businesses today exist on sharing of critical information with third party providers.
Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control. Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior becoming a habit and part of an organization’s information security culture.
While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the commercial driver should be risk, and how new behaviors can reduce that risk. For some, that message may come too late and it may take a breach or two to drive the message home.
The real question is for how much longer will consumers accept that the loss of their data is a cost of doing business before voting with their feet and taking their business to more trusted providers?
About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "https://ift.tt/3bX0S1F"