The challenge of securing America after the Marriott hack

Marriott recently confirmed a four-year data breach that exposed 500 Million user accounts to hackers – including a severe degree of breach for 327 Million customers. How severe?

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.  For some, the information also includes payment card numbers and payment card expiration dates”

This breach is more significant than others past, as it provides hackers with everything necessary to clone or steal millions of identities. It’s also indicative of a problematic future that we face, as companies collect more and more of our personal data – in an attempt to target products and services.{mosads}

In the past year we’ve seen hacks and attacks impact major companies, credit bureaus (don’t forget the Equifax hack from last year that compromised 130 million Americans) as well as energy and Government agency systems.

If you add social media into the mix – 50 million Facebook accounts were not only hacked, but put up for sale on the dark web. Oh, and your private messages? 81,000 Facebook accounts that were breached, also have their messages up for sale.

The Homeland Security Foundation, as well as a number of State and Federal agencies have underscored the need for increased offensive measures for both Corporate and Government agencies – which to date have fallen on deaf ears.

Why?

The average cost of a data breach is $3.62 Million with 1,579 disclosed breaches in 2017 and 75 percent of those attacks coming from outside the organization. However most companies’ cybersecurity budget is less than 10 percent of their total IT budget.

Companies that are more focused on the bottom line of containing IT costs are the most likely to experience a breach due to a failure to audit, protect or remedy issues – even after a breach.

Cyberattacks, however are not abating.

The United States Defense Intelligence Agency has underscored that Russia, Iran, China and North Korea are the biggest threats to our Energy Grid, Social Media and Corporate and Government agency safety.

Let’s also not forget that ISIS and decentralized terror organizations like Al-Qaeda in the Indian Subcontinent (AQIS) and related terror groups still pose both hacking and ideological threats.

With multiple facets of our society placed at risk, we need to be looking at Cybersecurity as the number one issue for both personal and national security.

So what can we do?

The State of NY mandated a CISO (Chief Information Security Officer) and a yearly audit for all financial firms in NY state – but that only focuses around 3,000 companies.

Organizations like the NJCCIC (The New Jersey Cybersecurity and Communications Integration Cell)  that provide threat assessment and track new types of hacks and risks need to be replicated on a state level.

Companies need to be held accountable for their failure to secure critical customer information. The EU passed GDPR (The European General Data Protection Regulation) which will most likely cause Marriott heavy fines due to the breach affecting global customers.

In the United States, a GDPR-like law might be less effective, as we need a more carrot than stick approach to get companies compliant. State-level audits and subsidies for at-risk industries like energy could be a start.

The Department of Homeland Security has begun offering grants up to $800,000 for Blockchain related startups to present anti-counterfeiting measures.

Blockchain technologies have the potential to increase security, resiliency and consumer safety for companies. However, the adoption curve will take some time, as enterprise blockchain solutions will require CIOs (Chief Information Officers) and CSOs (Chief Security Officers) to look outside their comfort zone.

Securing America, Social Media and your data in corporate hands will take a mixture of policy, technology and change, in order to succeed. The challenge after Marriott – will companies and government agencies heed the call?

Oz Sultan is CSO of the Big Data and Blockchain consultancy Sultan Interactive. He has been published in US Army Cyber Defense Review and was a Cybersecurity adviser to the 2016 Trump Pence campaign. You can find him on twitter at @ozsultan