How Target Should Have Handled Their Breach

The security breach at the US retailer Target is one that will go down in history. In addition to the 40 million customers whose payment card data was stolen, Target has since announced that a further 70 million customers have had personal information such as names, email addresses and phone numbers stolen.

With up to 110 million data records affected (Target has said the two groups may overlap), this breach looks set to be one of the most expensive ever suffered by a single organisation. A recent Ponemon report revealed that Target could be facing costs of around $680 million, and that is before other costs such as reputational damage and a fall in its share price are counted.

So how have Target handled this breach? Actually, not very well.

For example, it took FOUR days for Target to make the public aware of the breach. For an organisation the size of Target, four days is a very slow response. Target's CEO, Gregg Steinhafel, has explained why it took four days to bring the public up to speed:

  • Day One: The issue was discovered and the necessary actions were taken to make sure the environment was safe
  • Day Two: Investigation and forensic work
  • Day Three: Preparing our stores and call centres to ensure they’re ready for that upcoming announcement
  • Day Four: Notification

Whilst this may seem like a reasonable list of tasks, it should not have taken so long: every day that passed left Target's customers exposed to card fraud without knowing that they needed to watch their statements or replace their cards.

What should they have done?

Target have a long list of competitors, so it is important that any information they release is accurate; get it wrong and they risk sending their customers to the competition. That could reasonably add some delay before going public, but it still is not a good enough reason for taking four days.

To me, this four-day period suggests that Target did not have a business continuity plan that took this form of attack into account. For a company as large as Target, failing to prepare for a cyber attack carries the same risk as going out without an umbrella during a British winter.

How can you know what to prepare for?

It may come as a shock, but it is impossible to see into the future; you can, however, prepare for it. Effective business continuity means examining the organisation, listing everything that could go wrong and then putting a plan of action together for each of those things.

Business continuity is not just about bad weather or a power cut: you have to think of everything.

Water pipe? It could burst: plan for it. Underfloor heating? It could catch fire: plan for it. Only one road leading to your warehouse? It could be closed for roadworks: plan for it. And in Target's case, customer payment card data? It could be stolen: plan for it.

This sounds like a big plan

That's because it will be, but imagine the excitement that will take over when something you have planned for goes wrong and you know exactly what to do. Okay, so it won't exactly be exciting, but at least you will know how to minimise the damage.

The most effective way to make sure that your business continuity plan actually works is to follow ISO 22301.

ISO 22301 certification is a subtle way of saying "Come at me, disasters". ISO 22301 is the internationally recognised standard that sets out the requirements for a business continuity management system (BCMS). Unlike a standalone business continuity plan, an ISO 22301-aligned BCMS grows with the organisation and requires regular exercising and testing.

Had Target been certified to ISO 22301, they would have been far better placed to inform the public quickly about what had happened.

A Manager's Guide to ISO22301 is a concise and practical guide to the ISO22301 standard for business continuity management. Reading this book will equip you with the knowledge to implement a BCMS in your organisation that can be certified to ISO22301.

A free sample of this book is available on the product page.