Target CEO Gregg Steinhafel managed to hold onto his job for nearly six months after the disclosure that more than 110 million records had been stolen by hackers in December 2013.
Unfortunately for Target, 40 million of those records were credit card details. The total impact of the attack is estimated to be nearly $18 billion.
Without going into the details or reviewing the surveillance footage from the board room, I think there are some valuable lessons to be learned from this attack.
Some folks have become obsessed with the details like network segregation, remote access policies, Active Directory design and other issues that led to this incident.
The bigger issue here seems to be a common one among operators of so-called brick-and-mortar style businesses, mainly that they do not perceive themselves to be IT companies.
Information security is an essential component to operating a success modern business.
While most people think of organizations like Target to be primarily about toilet tissue, T-shirts and tractor trailers, the reality of it is none of that could happen without some of the most sophisticated logistics systems in the world.
When computer technology is being utilized as a way to deliver value to organizations, it usually is closely monitored with an eye towards reliability and efficiency.
Sadly, most often that does not include enough focus on security which can both increase costs and increase complexity.
Customers deserve the same safety and consideration with regard to the security of their electronic identities and financial details as organizations spend on their physical well being.
Stores like Target go out of their way to serve the disabled, provide ample lighting in their parking lots, offer escorts to your automobile at night and have on-site security personnel to ensure you have a safe a pleasant shopping experience.
Of course, these things are all visible. Information security can’t be seen or touched or heard. If corners are cut, perhaps what you don’t know, won’t hurt you.
Executives at organizations the world over should be reading into what happened at Target very carefully.
We are no longer in a time where IT security was the domain of a few geeky employees you stuffed into the basement of your headquarters with the data processing equipment.
It is the responsibility of each and every individual in a company from the janitor to the CEO.
Employees at Target knew things weren’t as they should be. Some complained, some left, others grudgingly got on with things.
Without support from top management, these things rarely get addressed until an accident happens.
Don’t be a Target. If your company isn’t treating your customers’ information with respect, say something.
If you’re in management and not getting the support from your executives you think the problem deserves, speak up.
If you’re a C-level reading this, good for you! I expect you may be concerned about your organization’s information security and reading Naked Security is a great first step.