AJ Thompson is CCO at Northdoor plc
1st April 2020
Marriott has confirmed that a second data breach in three years has taken place, this time involving the personal information of 5.2 million guests. The hotel chain learned of the breach at the end of February 2020, when it discovered that an attacker had used the valid login credentials of two employees at one of its franchise properties to access guest information through the back-end systems of an application. No software flaw had to be exploited: legitimate accounts belonging to a partner's staff were the entry point.
The risk of attack remains high, with notable breaches over the past few years affecting companies as diverse as Tesco and Facebook. Most recently, the ICO fined Dixons Carphone £500,000 for the high-profile attack that took place between 2017 and 2018, citing its failure to protect the personal data of 14 million people.
The insider threat is something businesses must take into account if they want to keep their customers' data secure. Anyone with insider knowledge of, or access to, an organisation's confidential data, IT systems or network resources is a potential insider threat, whether they intend to be or not. An insider does not have to be a current employee: they could be a consultant, a former employee, a business partner (such as the franchise staff in the Marriott case) or a board member.
Nor does an insider threat require criminal intent. Someone who simply makes a mistake, ignores security advice or clicks on something they should not can expose a company's entire infrastructure just as effectively as a malicious actor.
The introduction of GDPR has raised awareness considerably among both businesses and the public. People now understand the value of their data and the importance of securing it, which puts businesses under more scrutiny than ever. Any breach will be examined closely by politicians, the media and the public alike, so alongside a potentially large fine a company now faces a serious dent to its reputation.
Because the public understands the value of its data, it takes very little to push customers towards a competitor once they lose faith in a business's ability to protect it. This is a major problem for companies, especially when facing cybercriminals whose methods for gaining access to data grow increasingly sophisticated.
Whilst regulation improves security overall, it can in some cases encourage complacency. Achieving compliance is often a time-intensive process, which can lead to a 'tick-box' mentality. Unfortunately, by the time a regulation is introduced, attackers have often already found new ways around the weakness it was meant to address.
Businesses therefore need to remain proactive about both security and regulatory adherence. They can no longer sit back once they are compliant; they must keep watching for new threats and for the controls that counter them. The spotlight on breaches means that the media, politicians and the public will not care whether an organisation was compliant with a regulation; all they will see is how exposed the data was.
It is essential that businesses do not implement technology for compliance's sake alone. To sustain a consistent cyber strategy, they need to transform their culture around cyber risk and ensure that every person and every process within the organisation is alert to, and prepared for, digital threats, including those that arrive through the legitimate credentials of their own staff and partners.