Many of you may be wondering how a major, multi-billion dollar organization could fail to have sufficient cybersecurity in place to detect the theft of hundreds of millions of customer details.
The problem with cyberattacks is that they are intentionally designed to go unnoticed for as long as possible. Cybersecurity professionals refer to this as the dwell time, the interval between when an intruder first gains unauthorized access and when they are detected and expunged. The longer an attack can remain undetected, the greater the value the attacker can strip from the target.
There are many statistics about just how long it takes to detect an intrusion, but the hard truth is that these statistics are skewed by the fact that many intrusions never get uncovered. From the intrusions that are discovered, it is clear that such incursions (known as advanced persistent threats) regularly take months to discover and, in numerous cases, such as the Yahoo breach, the dwell time can be measured in years.
In the case of the newly reported Marriott Starwood breach, Marriott appears to have effectively “purchased” the breach. Just like contact with an infected person can spread a disease, integrating a compromised system effectively delivers new opportunities for an attacker to widen the intrusion. When Marriott acquired Starwood and integrated its database, the unwelcome passenger was not initially detected.
The real question is this: could the intrusion have been detected earlier?
Although the specific mechanics of this breach have not yet been revealed, it is possible to look back at similar megabreaches. What they reveal is that stealing hundreds of millions of customer details is not a minor data leak. There will have been signs (or, as cybersecurity professionals like to call them, “indicators of compromise”). There are also defensive processes and technologies that could have been in place.
Many companies are still underestimating the budget and resources they need to operate cybersecurity effectively. In my opinion, such organizations also underestimate the brand and share value damage that cyberattacks can create, especially when they are not dealt with swiftly and transparently.
When Yahoo discovered and disclosed a megabreach before the company was sold, the impact was a reduction of hundreds of millions of dollars in the asking price. If I were a Marriott shareholder, I might be wondering just how much of a discount could have been achieved if the pre-purchase due diligence checks on Starwood had found the breach before the acquisition was made … and then I might be wondering just how much this breach will end up costing, and whether the current management had been strategically directing sufficient resources toward cybersecurity.
Simply having a cybersecurity function is not enough. It is important that each organization invests in keeping its security personnel, technologies and processes up to date. From my own perspective, the complaint I hear most often from fellow ISACA members is that their organizations spread security resources too thinly and fail to recognize just how important it is to invest adequately in staff training and new security technologies to keep pace with evolving threats.