Target CEO Gregg Steinhafel managed to hold onto his job for nearly six months after the disclosure that more than 110 million records had been stolen by hackers in December 2013.
Unfortunately for Target, 40 million of those records were credit card details. The total impact of the attack is estimated to be nearly $18 billion.
Without going into the details or reviewing the surveillance footage from the board room, I think there are some valuable lessons to be learned from this attack.
Some folks have become obsessed with the details like network segregation, remote access policies, Active Directory design and other issues that led to this incident.
The bigger issue here seems to be a common one among operators of so-called brick-and-mortar style businesses, mainly that they do not perceive themselves to be IT companies.
Information security is an essential component of operating a successful modern business.
While most people think of organizations like Target as being primarily about toilet tissue, T-shirts and tractor trailers, the reality is that none of that could happen without some of the most sophisticated logistics systems in the world.
When computer technology is used as a way to deliver value to organizations, it is usually closely monitored with an eye towards reliability and efficiency.
Sadly, that focus most often does not extend to security, which can increase both cost and complexity.
Customers deserve the same safety and consideration with regard to the security of their electronic identities and financial details as organizations spend on their physical well-being.
Stores like Target go out of their way to serve the disabled, provide ample lighting in their parking lots, offer escorts to your automobile at night and have on-site security personnel to ensure you have a safe and pleasant shopping experience.
Of course, these things are all visible. Information security can’t be seen or touched or heard. If corners are cut, perhaps what you don’t know won’t hurt you.
Executives at organizations the world over should be studying what happened at Target very carefully.
We are no longer in a time when IT security is the domain of a few geeky employees you stuffed into the basement of your headquarters with the data processing equipment.
It is the responsibility of each and every individual in a company from the janitor to the CEO.
Employees at Target knew things weren’t as they should be. Some complained, some left, others grudgingly got on with things.
Without support from top management, these things rarely get addressed until an accident happens.
Don’t be a Target. If your company isn’t treating your customers’ information with respect, say something.
If you’re in management and not getting the support from your executives you think the problem deserves, speak up.
If you’re a C-level reading this, good for you! I expect you may be concerned about your organization’s information security and reading Naked Security is a great first step.
I did my undergraduate degree at UW-Eau Claire, which is only 1.5 hours from Target’s corporate headquarters. When the global recession of 2008 hit, Target ended all of their planned internships, froze all hiring and actually released everyone who had been hired at Target with information systems degrees in the previous 1.5 years.
It sounds to me like Target slashed their corporate budgets when the recession hit and probably never resumed budgeting for security. From what I understand, FireEye told them they were probably compromised but they did nothing to investigate the issue.
I think the problem is much more fundamental. From what I’ve heard, Target actually does take information security pretty seriously and spends millions per year on a dedicated security team and the latest in intrusion detection. The actual problem lies in the poor availability of high assurance systems in the marketplace. When the vast majority of networked systems run on OSes that place security at the very bottom of priorities such as Windows and Linux (yes even Linux), it shouldn’t be a huge surprise that we frequently hear about breaches and major vulnerabilities on the news. If anything, hopefully breaches like the one Target experienced will provide a business incentive for companies to start offering products that integrate security from the very beginning.
Related to Andrew’s point, it’s always shocked me how many long-term production systems like POS terminals, industrial equipment, or medical/scientific equipment are run on Windows. If I were designing a system like that, I’d rather start out with BSD. Long-use hardware shouldn’t be run off short-term operating systems, and you may as well start out with a secure base.
One doesn’t build an indomitable fortress on swampy ground if one wants it to be around in another couple decades.
> “One doesn’t build an indomitable fortress on swampy ground if one wants it to be around in another couple decades.”
Every OS is insecure; all it takes is incentive for it to be hacked. If there is enough profit to be made, then criminals will quickly turn any OS into a quagmire.
When heads roll, it should be the heads actually responsible for the problem. Some were happy when the CIO resigned, but I wanted to know whether the CIO actually caused the problem or not.
If the trench workers told the CIO and it stopped there, then the CIO was at fault. But, if the CIO told the CFO, and the CFO was the one who broke faith with Target’s customers, then the CFO should leave. Etc. Perhaps more than one person was in the chain of failure.
While it is possible that the CEO was where the buck stopped, I’ve seen no evidence of that.
The bottom line is that we still don’t know where the ball was dropped or why. THOSE are the places where change needs to occur. Having your CEO resign makes for good press, but it doesn’t always solve the problem.
And other companies need to take note: Profits are not high enough to allow this kind of risk to be taken. Target bet on insufficient security, and lost. They were probably thinking of it as a 5-to-1 or 10-to-1 bet or something like that.
In reality, it was probably in the thousands-to-1. They now have to fix the problem (i.e. spend all the money they refused to spend earlier), and also pay restitution to their customers. And all that while revenues are depressed due to scared or angry customers.
The message to other companies? If you “can’t” afford security, then you can’t afford to be in business. It’s just that simple.
According to wire reports, the chastened exec will have to make do with a mere $50 MILLION (est) buyout. #WhattaCountry
Source: [link removed – editor]
> According to the company’s most recent proxy statement, from April of 2013, Steinhafel has knocked down average total compensation of nearly $21.5 million in each of the past three years. His base salary has been $1.5 million in each of those years, and the bulk of his compensation is due to stock, option and other grants and payments. When the new proxy statement is released, we’d look for a buyout of around $50 million.
After the news broke, heading into the Christmas shopping season I was shocked that the CEO was not out in front of this in a media blitz. Perhaps he didn’t know the details at the time, but I reflected back on the prototypical response taught in business classes about how Tylenol performed during their cyanide tampering incident.
Target had all of the media buys in place to assure the public that they were taking this seriously, that they would make sure no customers were permanently harmed and that they would do everything they could to make sure it wouldn’t happen again. The CEO should have been right out in front explaining this to the best of his ability, with all of the information appropriate to release to the public. Instead, I saw dozens of ads promoting their products and Christmas, etc. — as if nothing was wrong. Sure, nobody wants to hear about information security during the (supposedly) joyous holiday buying season — which I am confident supplies a good portion of Target’s yearly revenue. By attempting to (at least publicly) sweep this under the rug, their decrease in customer base may have become permanent.
Excellent story, except for the praise given to Target by saying, “Stores like Target go out of their way to serve the disabled.”
Statements like this should be verified before they go to print.