On November 30th 2018, Marriott Hotel Group admitted an enormous data breach affecting 500 million clients, the second biggest ever after Yahoo’s disastrous case in 2013. The news had global resonance, but less memorable cybersecurity incidents are being reported almost daily. Regardless of their size, data breaches have an essential impact on businesses in terms of costs, reputation and regulatory compliance, particularly since the new EU General Data Protection Regulation, better known as GDPR, entered into force.

It might be argued that companies are not investing enough in cybersecurity, but a research report from Bromium suggested that the average large enterprise spends more than USD 16.7 million per year on security. The problem is not the budget, but how to allocate the available resources and define a comprehensive, effective approach to protecting data, applications and systems.

Cybersecurity programmes should start with an assessment to better understand the organisation’s weaknesses and orchestrate the best possible plan to address them. Ongoing activities should then include a structured vulnerability management process: once you have identified the potential threats affecting your IT infrastructure, mission-critical IT services or any other relevant business asset, corrective and precautionary actions should be scheduled and performed regularly.

Public-domain registers report about 14 thousand vulnerabilities each year, so it’s easy to see that a good number of them might affect your company and your systems. Continuous monitoring is fundamental to keeping defences high. Typical failures include missed software updates, wrong or altered application configurations, and unauthorised user behaviour.

A mature, resilient organisation can be recognised by the quality of its cybersecurity plans, and analysts list the existence of vulnerability management policies among the criteria to look for. This was one of the main arguments for filing the class-action lawsuit against Marriott: why wasn’t the breach caught sooner? Did the company have appropriate vulnerability monitoring and mitigation processes? The accusation was so sharp that Marriott International announced its intention to pay for customers’ new passports if they could prove fraud following the large-scale data breach.

Cybersecurity has thus become a major issue for businesses of any size, and vulnerability management cannot be treated as a secondary, painful activity. Resounding cases – such as Marriott’s – demonstrate that it should be among the top priorities of any IT department.