To me, the most shocking fact about the Marriott International data breach isn’t the number of customers affected (500 million) or the kind of data that was stolen (personal and booking information).
The most shocking aspect of this breach is that it went undetected through four years and one due-diligence process.
Whatever the cause of the breach, the fact that it flew under the radar for so long tells me that securing customer accounts was not the number one priority for Marriott’s board and CEO. They had other things on their plate — merging with Starwood, integrating three loyalty programs, rolling out a new reservations system, dealing with the largest ever strike by hotel workers.
Now they’re also facing down a security mess caused by their own negligence:
- Short-term and long-term costs such as remediation, fines, lawsuits, and customer outreach. Estimates are in the range of $1 billion, which is 5% of their 2017 revenue (Bloomberg).
- Significant customer attrition resulting in huge revenue loss
- Drops in stock price. The day of the breach announcement, Marriott’s market cap went down by $1 billion, a 5% drop (New York Times).
- Damage to the brand reputation that will take years to recover from
These costs may not sink Marriott, but the overall impact of the breach will be long-lasting. And it could have been avoided. The hotel industry, and Marriott in particular, has a history of security breaches (Skift) — one would think they would have paid more attention to the problem.
So why didn’t Marriott make the security of customer data a higher priority?
They were focusing on their core function: driving revenue.
The mistake in mindset here is thinking that security is a separate concern from customer service, relegated to an IT department with a limited budget and a lack of expertise.
Security experts are saying that Marriott had more than enough resources to find this breach back in 2015 (Wall Street Journal). But they didn’t deploy those resources.
They must not have thought that safeguarding customer information was important enough to their business to warrant the investment.
They thought they could handle data security issues in-house instead of bringing in more experienced experts and specialized tools.
Unfortunately, they were wrong.
What must companies do to avoid data breaches like Marriott’s?
1. Develop a security-centric culture at the top level.
When the security of customer identities and profiles is priority number one, every decision and initiative takes that security into account, particularly at the CEO and board level.
Many companies have compliance and security practices, but a security-centric mindset ensures a serious approach to customer data security. The approach should be top-down instead of bottom-up, with responsibility resting with the CEO and board.
2. Stay ahead of the security curve.
Companies need to continuously research cutting-edge security technology and adopt it quickly.
Hackers are innovators, using the most modern technology and inventing new ways to gain access to customer data. However, most Fortune 1000 companies lag behind when it comes to technology. It’s okay to be cautious in adopting innovations, but when it comes to customer data security products, companies should be proactive, constantly reviewing and trying new developments to stay ahead of hackers.
An example that comes to mind is that of Elon Musk and his team at Tesla. They have monthly meetings to discuss new battery technology. They are constantly watching all the players and researching to make sure they’re ahead of the curve. For Tesla, a new battery technology player could be a big threat. Companies need to treat customer data security the same way.
3. Make your security spend for customer data security unbudgeted.
The board and CEO should send a clear message to their security team: “Invest whatever it takes to protect sensitive customer data.” Yes, stay within your financial metrics, but don’t cap the budget, because capping it means you’re compromising. Give the security team whatever they request to protect the brand. It’s not going to cost billions of dollars, but lifting any restrictions allows the security organization to be open-minded and embrace new technologies quickly and easily.
4. Recognize that customer data security is not a cost center but a revenue center.
Security is traditionally considered a cost center and that mindset is at the very root of breaches like Marriott’s. Companies need to understand that customer data security is part of the revenue center, not the cost center.
With better security, you are not only preventing the breaches that drive customer churn, but you are also building trust within your customer base to attract more business, thus increasing revenue.
Let’s hope that Marriott and its peers in the travel industry have learned that, while the security of customer accounts may not be their core business, it still needs to be priority number one.
Originally published at LoginRadius Blog.