The issue of data breaches has sprung back into the headlines with Marriott’s revelation that as many as 500 million guests at its Starwood properties may have had some of their personal information compromised. Once the hack was discovered, Marriott’s considerable resources were brought to bear to minimize the damage, both to guests’ security and to the hotel giant’s reputation.

Despite all this effort, however, Marriott can look forward to months or even years of legal wrangling and ongoing public scrutiny of both the breach and its aftermath. Still, there’s little doubt the world’s largest hotel group will survive this attack, as Target, Home Depot and other large companies have before it.

The story may be different for small and medium enterprises. In these companies, most employees from the top down wear lots of different hats. So it’s little wonder the risks around data security and cyber threats faced by SMEs are often misunderstood or even overlooked altogether.

Technology

A recent poll of small and medium-sized businesses in the UK shows more than eight out of ten don't see cyberattacks or data loss as a significant risk for their business. The survey of 1,000 SMEs, carried out through OnePoll, indicates one in three SMEs don't regard personal information stolen as a result of a cyberattack or fraud as a data breach, according to Chris Mallett, broking manager for insurance company Aon, which commissioned the research.

This is especially troubling considering the liability which companies of any size may face under the new EU General Data Protection Regulation. The GDPR drastically increases potential penalties on companies found to have misused or mismanaged their clients' personal data.

"I don't think companies realize how awful the impact of a breach can be," says Dr. Emma Philpott from the UK Cyber Security Forum. "It involves everything from mandatory reporting to keeping affected customers or clients informed. It's not just about replacing laptops or paying a fine."

Simple Solutions

Yet SMEs tend not to make cyber security a priority, with one in five respondents in the Aon poll saying they have no plans to invest in it in the coming year, says Mallett. "The risk presented by non-compliance with GDPR has the potential to bring a small business to its knees," he warns.

"The big data breaches in the press help to raise awareness but they can also cause data breach fatigue; a sense that the time, cost and high-end security to tackle this is complicated and overwhelming," Philpott adds. "It is not always about high-end security. It's about having the basics in place to protect you from indiscriminate attacks. Educating staff takes time but doesn't cost anything at all."

Even small businesses with limited resources have cost-effective options for heightening their cyber-readiness, according to Kevin Rubin, president and chief operating officer at Stratosphere Networks, an IT managed service provider based in Evanston, IL.

"Lower cost solutions that proactively oversee security and are geared to assist small businesses have become available," Rubin says. "Companies that don't want to spend anything on IT security can implement strict data handling policies and remind their team about the importance of proper e-mail handling. Keep in mind that simple things like updating operating systems and leaving your local firewall on can be game changers."

Employees who have a business computer or smart device should only use that device for business activities, Rubin advises. "Tech for personal use should be kept separate," he says. "And just because someone is working from home doesn't mean they can't follow corporate security practices or policies."

Other easy steps, according to Mallett, include ensuring that anti-virus software is installed and up to date on all employees' computers and laptops. And above all, have clear policies in place across the organization. More than just deploying security technology, experts say, human actions and awareness of vulnerabilities are key to creating a culture of security-mindedness in the workplace.