Marriott’s data breach and the importance of creating a “culture of security”

December 4, 2018


Impacting as many as 500 million customers, Marriott’s data breach is one of the largest in history.

While we don’t yet know the root cause of the breach (which affects hotels within the Starwood group and is believed to predate Marriott’s acquisition of the group), what surprised many people is just how long the door was left open to the attackers – four years in total!

Unfortunately, when a breach is open for so long, it speaks more to organizational security culture than it does to the technologies put in place to defend the business.

Ultimately, it doesn’t matter how much investment is made into cyber security tools. All of that great work can be undone in an instant if an employee falls foul of a phishing attack, or a Business Email Compromise scam.

It’s why the greatest challenge to security today is employee education.

Employees can put the business at risk by using the wrong workplace tools

Much of the problem also stems from employees relying too heavily on consumer-grade tools for messaging and sharing, or on tools like Slack, which don’t offer end-to-end encryption (E2EE), to discuss confidential business information that could compromise the integrity of the network.

Employees love apps like these for their immediacy and their ability to share knowledge and foster greater team collaboration. However, when users don’t understand the security risks sufficiently well, and information falls into the wrong hands and is leaked or breached, it can result in unhappy clients, reputational damage, and even regulatory action.

One piece of research suggests that 50% of employees incorrectly believed that SMS and landline phone calls were more secure than E2EE messaging apps. 75% also incorrectly believed that information shared via tools which leveraged E2EE could still be intercepted by unauthorized parties.

All of this suggests that enterprise IT teams need to take more time to explain the importance of security, and how employees should be using the right tools for the sharing of confidential information.

A board-level responsibility

But of course, this is really about building a culture of security at the very top of a business.

Not that long ago, a company’s board of directors would meet once a year to be briefed on cybersecurity. The discussion would be brief, and it certainly wouldn’t be strategic.

Today, things have changed. Transparency in cybersecurity is now demanded, not only by shareholders but by customers and partners.

Of course, we’re not suggesting that the Marriott breach was caused by employee error, a man-in-the-middle attack enabled by weak messaging technology, or a lacklustre approach to security at board level. It’s simply too early to know.

However, when 54% of all data breaches are the result of internal employee action, it’ll almost certainly be a line of questioning that Marriott needs to explore.

If the use of messaging technology did play a part, then it’ll be time to look at the apps available to employees (even email), and whether the use of end-to-end encryption is required to improve the secure sharing of information, and avoid man-in-the-middle attacks.

What is the right tool?

For organizations that demand complete security, with full end-to-end encryption to mitigate the threat of many of the most common man-in-the-middle style attacks, Wire Pro is the perfect enterprise messaging and chat solution.

It’s more secure than email and other messaging apps, and uses end-to-end encryption with forward and backward secrecy (so that each new message and interaction uses a new encryption key). This ensures messages are completely secure and protected from man-in-the-middle attacks. Not even Wire has access to the conversations! Start your free trial now.
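The forward and backward secrecy described above, illustrated with an added example that is not Wire’s own protocol code: a simplified symmetric key ratchet in which every message key is derived one-way from a chain key that is then discarded, and where fresh input (assumed here to come from a key agreement the attacker cannot observe) is what restores security after a chain key is compromised.

```python
import hashlib
import hmac
import os

# Simplified teaching model of a per-message key ratchet (not Wire's code).
# Each message is encrypted under a key derived one-way from a chain key;
# the chain key is then replaced, so the key for an old message is gone.

def kdf_step(chain_key: bytes, fresh_input: bytes = b"") -> tuple[bytes, bytes]:
    """Derive (next_chain_key, message_key) from chain_key using HMAC-SHA256.
    HMAC is one-way: learning the outputs does not reveal chain_key, so earlier
    message keys stay out of reach. Fresh input is mixed in first, so any key
    derived after it depends on something a past compromise did not include."""
    if fresh_input:
        chain_key = hmac.new(chain_key, b"root" + fresh_input, hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    return next_chain, message_key

class Ratchet:
    def __init__(self, root_key: bytes) -> None:
        self.chain_key = root_key

    def next_message_key(self, fresh_input: bytes = b"") -> bytes:
        """Advance the chain; the previous chain key is overwritten."""
        self.chain_key, message_key = kdf_step(self.chain_key, fresh_input)
        return message_key

def forward_secrecy_holds(root_key: bytes, sent: int = 5) -> bool:
    """Forward secrecy: an attacker who steals the chain key after `sent`
    messages can only ratchet forward, and none of the keys they derive
    match the keys that protected the earlier messages."""
    alice = Ratchet(root_key)
    past_keys = {alice.next_message_key() for _ in range(sent)}
    stolen = Ratchet(alice.chain_key)            # compromise after `sent` messages
    future_keys = {stolen.next_message_key() for _ in range(sent * 4)}
    return past_keys.isdisjoint(future_keys)

def backward_secrecy_needs_fresh_input(root_key: bytes) -> tuple[bool, bool]:
    """Backward secrecy: with the chain key stolen, the attacker predicts the
    next message key unless the sender mixes in input the attacker lacks.
    Returns (predicted_without_fresh_input, predicted_with_fresh_input)."""
    alice = Ratchet(root_key)
    alice.next_message_key()
    stolen = Ratchet(alice.chain_key)
    predicted_without = stolen.next_message_key() == alice.next_message_key()
    stolen = Ratchet(alice.chain_key)
    secret = os.urandom(32)                      # constructed: fresh agreement output
    predicted_with = stolen.next_message_key() == alice.next_message_key(secret)
    return predicted_without, predicted_with
```

The second function shows why "a new key per message" alone is not enough for backward secrecy: a purely symmetric chain lets a compromised party keep predicting future keys until fresh key-agreement material is mixed in.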
