The year would not be complete without a major security breach, and although there are a number to choose from throughout any given year, Marriott ended 2018 with a doozy. The company revealed at the end of November that there had been unauthorized access to its Starwood reservation database for more than four years. This included unauthorized access to travel information, passport numbers, and credit card data — impacting up to 500 million guests who made a reservation at a Starwood property.
Marriott has since investigated the problem, taken steps to address it and offered its apology, but we can’t help but wonder what type of safeguards could have been put in place to prevent this. Security becomes more important every year, and 2018 had a strong focus on protecting user privacy and putting proper precautions in place to prevent incidents.
The Cost of a Data Breach 2018 report, released in July by the Ponemon Institute and sponsored by IBM Security, found that the average cost of a data breach is $3.86 million globally and has been increasing steadily over the last five years.
To address the ongoing problem, the U.S. Securities and Exchange Commission (SEC) updated its six-year-old cybersecurity guidance to provide new rules for addressing and disclosing data breaches.
The European Union’s General Data Protection Regulation also went into effect this year, giving businesses all across the world a new perspective on protecting sensitive user data. “For a long time, businesses just collected more data than they needed to and retained it much longer than they should have, with the hope that someday it is going to provide some kind of value,” said Nigel Tozer, solutions marketing director, EMEA at Commvault. The GDPR was designed to better protect the personal data of individuals and hold businesses more accountable for the data they acquire and how they use it. While the GDPR is specifically an EU regulation, it impacts anyone who does any kind of business within the EU.
IBM’s chief data officer Seth Dobrin stated he believed GDPR should be treated as a global effort and applied to more than just data subjects in the EU. The same month GDPR went into effect, IBM released its own platform, the Cloud Private for Data solution, to provide security and compliance capabilities to organizations.
A couple of months later, the California Consumer Privacy Act was announced to address data regulation and privacy. The act is designed to give users the right to know all the data a business collects on them, the right to delete their data, the right to say no to the sale of their data and more. The act isn’t expected to go into effect until 2020.
Other ways the industry tried to maintain security included the Software Assurance Forum for Excellence in Code (SAFECode) updating its guide on secure software development best practices early in the year. The forum announced the Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Life Cycle Program (Third Edition) in March, with recommendations for improving software assurance programs and encouraging the adoption of secure development practices.
With more solutions being deployed in the cloud, the Cloud Standards Customer Council (CSCC) announced 10 steps to ensure security for cloud computing. The top steps included ensuring effective governance, risk and compliance; auditing operational business processes; and managing people, roles and identities.
The year ended with a group of security executives getting together at the Infosecurity North America conference in New York City to talk about how organizations can improve the effectiveness of their security programs. While different organizations are going to have different strategies, the executives stressed the importance of being able to tell whether a program is effective and of educating the entire organization on how not to put itself at risk.