Not such a jolly holiday. What Butlins teaches us about the death of security awareness

It was hi-di-hijack for Butlins recently, when it was revealed that up to 34,000 guests at its resorts may have had their personal information stolen by hackers. The data in question included names, home addresses, contact details and holiday arrival dates.

While the holiday chain stressed that no financial details were at risk, the data compromised leaves the not so happy campers open to identity fraud.

“The personal data stolen from Butlin’s could be very useful for criminals conducting identity theft,” warns Rob Shapland, Principal Cybersecurity Engineer at Falanx Group. And the scope for reputational damage has made their incident response journey no picnic. After setting up a dedicated team and web page to respond to the incident, a red-faced Managing Director Dermot King emerged to “apologise for any upset or inconvenience this incident might cause” and assure press and customers that “Butlin’s take the security of our guest data very seriously and have improved a number of our security processes”.

Too little, too late? Possibly. By the time the statement had been released, the cybersecurity world was already ablaze with speculation about what could have caused the attack. The answer, it turned out, was phishing. Phishing: the age-old problem that is still flooring businesses hook, line and sinker, even as the sophistication of threats evolves to include AI algorithms and machine learning. And when the phishing economy is “like that of a gold rush”, with prospectors ranging from “minnows (who) enrich larger predatory outfitters selling kits and infrastructure” to sharks who operate with the streamlined efficiency of the largest organisations, there is an ocean of opportunity for companies to slip up.

“Phishing is one of those things that’s always going to be a problem, because humans are never going to get more sophisticated,” says the Director of Innovation of an international gaming platform. “You can hone machines. You can’t hone humans.”

Training solutions have until now been the popular answer. But as well-intentioned businesses open the purse-strings to invest in solutions, employees become as swamped by phishing training exercises as they are by actual phishing threats. There is now debate in the market about whether phishing training solutions actually have a negative effect on employee morale and stress levels, ironically leaving them more likely to click on a phishing link. When that happens, as Butlins found, fingers are quick to point at potential flaws in the approach to security training.

“The breach perhaps shows that Butlin’s processes and training may not be sufficient,” was Shapland’s damning analysis.

Even training solutions providers are admitting that security awareness alone is not enough. Phishing training vendor Cofense’s recently launched SOAR platform now “couples human intuition with leading-edge technology to find and eliminate active phishing threats”. The product uses automation to streamline response and eliminate the need for repeated actions, reducing the need for resources… and for employees to be consistently on the ball.

Our obsession with training was a holiday romance, and as experts calculate that the sensitivity of the data compromised in the Butlins breach may well have a sizable impact on its bottom line, that romance is coming to an end. If humans are the weakest link, maybe it is time to stop relying on them alone as part of the defence line, and enhance awareness with AI. Because when it comes to proactive cyber-resilience, there is no time to take a break.
