It has yet to happen, but a large-scale cyber attack could cripple the nation’s business systems. Even a small organisation can be the entry point for hackers.
The high cost of making assumptions in business: the Target breach analysed
I had the pleasure of interviewing Neira Jones, a PCI DSS and information security guru, blogger and a former Director of Payment Card Security at Barclays (see YouTube: Neira Jones on Cyber Security, PCI DSS & ISO 27001).
In her recent talk at our hosted event held at the Churchill War Rooms in London, Neira drew attention to the Target breach as an object lesson for CEOs and anyone who cares about their organisation’s reputation in the market.
One of Neira’s slides from her talk listed senior management’s missed opportunities to catch the problem before the brown stuff hit the fan:
1. warnings from the US Federal Government and private research firms that payment terminals were being targeted;
2. requests from Target’s own staff for a review of payment card security, which were seemingly brushed aside;
3. an ill-timed update of the payment terminals just before Black Friday, which may have distracted managers and security staff;
4. knowledge of a significant ‘up-tick’ in malware trying to enter the company’s systems;
5. and, finally, news from federal investigators that the breach had occurred.
Until that last call, Target had not recognised for itself that it had a problem.
Who really needs cyber security standards – apart from those organisations that have already been breached by cyber criminals to the tune of millions of dollars?
Target’s Board presumably thought that they had all of this in place back in 2013, and that their security controls were working to prevent and mitigate breaches. Before the post-breach overhaul, information security functions were split among a variety of executives; Target’s new chief information security officer will centralise those responsibilities, the company said in comments reported by the New York Times. This is a pattern we often see once a breach has occurred: an awakening to just how fragmented the approach to information security had been.
Target breach: did the Board make assumptions that they now regret?
In several ways, it’s a textbook case that every Board should study.
Target officials acknowledged in the months following the breach that warning signs of computer hacking had been missed in the weeks before the attack was made public. The disclosure, made in December in the final days of the holiday shopping season, revealed that the payment card data of some 40 million Target customers and the personal data of some 70 million had been exposed by the breach. Around 12 million people are thought to have had both their payment and personal data compromised. The effects on the business were certainly dramatic: Target’s stock dropped sharply in January and February as the financial impact of the breach became clear. On Monday, 5 May 2014, Target announced that its Chairman, President and CEO, Gregg Steinhafel, was stepping down.
Target’s breach was extremely expensive. How much would better information security and robust plans for achieving business as usual (cyber resilience) have saved the shareholders? I will leave the precise answer to forensic investigators, accountants and lawyers. What is certain, however, is that the ill effects of a cyber crime in 2013 continue to trouble the retailer. Target is still grappling with the fallout of the theft. The company said last week that its profit for the fourth quarter fell 46% on a revenue decline of 5.3% as the breach scared off customers.
Business as usual – or continuing adverse impact on trust levels/sales volumes?
While Target said that sales have been recovering since it disclosed the breach in mid-December, the company expects business to be muted for some time. It issued a profit outlook for the current quarter and full year that was below Wall Street estimates. When the final tally for the cost of this incident is in, Target’s breach may eclipse the biggest known data breach at a retailer, disclosed in 2007 at the parent company of TJ Maxx, which affected 90 million records.
There has been much lively discussion about what really caused the Target breach and the finger of blame has pointed in a number of different directions.
I wonder, though: if you could travel back in time to when the consequences of the massive cyber attack were first coming to light and ask Mr Steinhafel what he thought of Target’s cyber security, would he have responded as directly as he reportedly did a few weeks later in a comment on a company blog?
“In the weeks ahead, we hope to understand more about how this attack happened. And will use what we learn to inform our guests, make Target a safer place to shop and to drive change across the broader retail industry.”
[Source: Target’s Chief Information Officer Resigns, The New York Times, 5 March, 2014].
Doing the right thing about IT security (as opposed to resolving to do something).
It is hard to live in the modern world without being aware of the cyber threat, but deciding what to do about it can be a daunting task in itself. In an early episode of The Apprentice, Alan Sugar berated his protégés and shouted at them, “I want doers, not strategists”. Assuming that your Board has the strategy under control, how do you actually implement better cyber security to prevent, or at least mitigate, the risk of a massive cyber attack? This can be especially puzzling when faced with a bewildering array of products and services that claim to be the answer for you and your IT department. The ‘Action’ phase of any well-intentioned cyber security initiative needs a plan that makes sense, at least as a set of achievable objectives. A management system that introduces monitoring, continual process improvement and the metrics to give you confidence in your efforts will also be necessary. For now, though, you could do a lot worse than start with what the UK Government calls ‘Cyber Essentials’: five important controls.
Should Cyber Essentials controls be seen as a starting point for IT Security?
The Cyber Essentials Scheme identifies the security controls that organisations must have in place within their IT system in order to have confidence that they are beginning to mitigate the risk from internet-based threats.
At the first UK event on Cyber Essentials since the scheme’s launch on 5 June (London, 24 June), delegates will examine the value of Cyber Essentials as a starting point. We will also introduce the idea of the ‘next steps’ after completing the basic cyber hygiene requirements embodied in the ‘five controls’ approach, and touch on the concept of an ISMS (information security management system) based on the ISO27001 standard.
The Cyber Essentials Scheme (CES for short) assumes (quite rightly, based on the evidence accumulated by Government from industry sources, GCHQ and CESG) that the large majority of risks resulting from cyber threats would be mitigated by full implementation of controls in the following selected categories:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
[Source: Cyber Essentials Scheme: Requirements for basic technical protection from cyber-attacks, BIS, April 2014]
Is Cyber Essentials going to be expensive? (The Scheme launches in June 2014)
This is a question that I have been asked (at an IT event on Tuesday last, in fact). Obviously, a lot depends on your definition of the word ‘expensive’ in this instance.
Would you, as CEO, want to sit with your information security manager in front of a television camera to say that what happened to Target is unlikely to happen to you/your organisation, and that your cyber security measures are sufficient?
I suppose you might be confident, if you thought that large retailers are the only target of this type of fraud, or that hackers don’t set out to breach organisations in the supply chain to gain access to such data. (Security experts are debating how the breach of Fazio Mechanical Services Inc., a refrigeration vendor that serves Target Corp., may have played a role in the retailer’s point-of-sale malware attack – see Target Vendor Acknowledges Breach.)
If the Target breach illustrates anything, it’s that assumptions about cyber crime and compliance are dangerous to make, and that every organisation, including small suppliers, is vulnerable in the internet economy when it comes to securing confidential data and protecting the interests of their customers and stakeholders.
Do you really want to carry on doing what you’ve been doing, or is it time to open your doors to outside assessors, to test the assumption that your security works?
Cyber Essentials Scheme: one way to test your assumptions about cyber security!
IT Governance will be hosting the first event of its kind on the Government’s Cyber Essentials Scheme. A high-profile list of government and industry figures will discuss the scheme and the need for businesses to develop cyber resilience.
See details about this one-day event in London, Cyber Essentials – The UK Government Scheme to improve cyber security, on the IT Governance website.
* * * *
Want our expert help to find out where you stand with Cyber Essentials?
Read our page on Cyber Health Checks – find out if you need to close gaps in your own cyber security measures in line with the Cyber Essentials controls.
If you would like to find out more about ISO27001:2013 and how to set up and run an information security management system (ISMS) to help you comply with PCI DSS V3.0 and Cyber Essentials, talk to our consultants: 0845 070 1750.