Another day, another data breach. This past Friday Marriott International revealed that hackers had breached its Starwood reservation system as far back as 2014 and had stolen the personal data of up to 500 million guests. In the aftermath, Senator Ed Markey of Massachusetts described data breaches as "a black cloud hanging over the United States' bright economic horizon." So black that another Senator, Ron Wyden of Oregon, went on to declare that "until companies like Marriott feel the threat of multi-billion dollar fines, and jail-time for their senior executives, these companies won't take privacy seriously."
This is an astonishing role reversal for a company that is itself the victim of a sophisticated, and possibly state-sponsored, hacking campaign. Unmentioned are the criminal or state actors who actually perpetrated it. While there is no doubt that corporations such as Marriott bear a moral, legal, and ultimately financial responsibility to protect the privacy of their customers, threatening companies and executives with multi-billion dollar fines and jail time is unlikely to accomplish anything in the way of preventing future breaches.
This is because of the asymmetric advantage in effort and information that an attacker holds over their targets. In the specific case of Marriott, a multibillion dollar enterprise, it's hard to argue that the company lacked the personnel or resources to at least attempt to defend its network. Yet even with infinite resources, it is simply impossible to defend a network with 100 percent efficacy, 100 percent of the time, when the adversary need only get it right once. Today the point of failure is not the breach itself but the response to it. In the aftermath of this breach, just like breaches past, the perpetrators are unlikely to face any consequences, while Marriott will do what the law prescribes: notify regulators and customers, provide credit monitoring and identity protection services, and pay any resulting fines and penalties. In other words, unlike the actual perpetrator, Marriott will bear the prescribed consequences of its failure to protect its customers' data.
This breach once again raises the question of who should be responsible for protecting corporations and consumers from cybercrime. After all, most corporations don't spend an inordinate amount of time defending the land, sea, and air around them. That has historically been the role of the armed forces and law enforcement. Yet in the cyber domain, the government has all but said "you're on your own."
As things now stand, businesses need to think about cyber attacks not in terms of if they will happen, but in terms of when. If Marriott can’t prevent a data breach, how can any other business be expected to? While this data breach will likely cost Marriott hundreds of millions of dollars, they will survive precisely because they are a large corporation with the resources to recover. Small and mid-sized corporations aren't always so fortunate, and a security failure of similar magnitude can be existential.
This is why we founded Coalition. While working within the US Intelligence Community, many of us saw firsthand how corporations sit at the frontlines of cybercrime and warfare. Yet, by and large, the government wasn’t equipped or enabled to do anything to prevent it. At Coalition, we are. We are changing the way companies manage cyber risk by democratizing access to cybersecurity tools and data to prevent loss, offering free mitigation services when incidents do occur, and providing up to $10M of comprehensive insurance coverage backed by one of the world’s largest reinsurers to help companies financially recover in the event of a loss. For us solving cyber risk doesn't mean solving cybersecurity failures, but instead helping companies to survive them.
The result of this approach is far fewer breaches, far less cost to detect, contain, and recover when an attack occurs, and the safety net of insurance to make a company whole again when the worst happens. And as our customer base grows, so does the scale and efficiency of our efforts. After all, there is safety in numbers.