Are Marriott cybersecurity settlements sending the wrong message to CISOs, CFOs?

“As part of the FTC’s and state attorneys general’s decisions, Marriott will continue to implement enhancements to its data privacy and information systems, many of which are already in place or underway,” the statement said. “Protecting guests’ personal data remains a top priority for Marriott. These decisions confirm the company’s continued focus on investing heavily in maintaining and evolving its programs and systems to assess, identify, and manage risks from cybersecurity threats.”

Punishments are not enough, say experts

Roger Grimes, a security evangelist at cybersecurity training firm KnowBe4, warned security managers not to think that Marriott’s problems, which were largely caused by sloppiness and cutting corners, are unique to hotel chains.

Don’t think that Marriott is “an exceptionally bad company that abuses cybersecurity controls when most of the world is doing everything right. Many organizations have major gaps in their cybersecurity controls. Many do not do many basic things correctly. Marriott is far from the typical bad actor,” Grimes said. “A lot of companies are doing cybersecurity controls like Marriott does, which is to say, they may be doing a lot of the right things, but also a lot of gaps and a lot of controls that aren’t being implemented properly. Cybersecurity is often talked about as something we need to take seriously, but in reality, most organizations have gaps, big ones.”
