When Gregg Steinhafel, Target’s CEO since 2008, abruptly resigned in May, the company’s recent weak financial performance clearly factored into the change. However, the massive 2013 holiday-season data breach involving 40 million credit cards and 70 million customer records must also have been a factor.
Certain cyber-security warnings appear to have been ignored. In mid-2013, Target installed FireEye, a $1.6 million sophisticated malware (malicious software) detection tool with online monitoring by Target employees in India. On November 30, the tool flagged someone downloading malware onto Target computers (possibly Russian hackers). The Indian employees notified the security team in Minneapolis. Then, apparently nothing happened. No action was taken.
Subsequently, for three weeks, the hackers copied credit card and customer data, temporarily staging it on other Target computers until wholesale data transfers could be masked in normal business transactions. Finally, on December 12, the U.S. Department of Justice contacted Target after receiving reports of fraudulent charges. The rest is history.
Brussels-based SWIFT is a member-owned cooperative through which the financial world conducts global business operations. Consisting of 10,000 banking organizations, securities institutions and corporate customers in 212 countries, it exchanges millions of standardized financial messages every day. At a recent conference, CEO Gottfried Leibbrandt described the dire situation facing businesses all over the world:
- “It’s a bad, scary world out there and it’s getting worse. The cyber threat is very real and persistent. If you are not paranoid yet, you should become so.”
- “While cyber criminals are getting ever better organized and funded, we now also have state actors, focusing on not just snooping, but disruption.”
- “We… require networks that are designed to meet the highest standards in terms of confidentiality, integrity and availability.”
- “Data protection is core to what we do and cyber-security is part of our DNA, not an afterthought.”
- “We fully support the EU Cyber Security strategy consisting of: networks that operate across borders, standards (such as ISO 27001-2), a robust (European) ecosystem of experts and providers.”
While most CEOs acknowledge that information security is a top priority, it is often addressed ad hoc, after a data breach has already occurred (i.e., once the car engine has seized). The Target incident changes that paradigm, suggesting a more proactive and methodical approach involving an Information Security Management System (ISMS) built on ISO 27001-2 standards. Companies have standard processes for accounting, procurement and HR; why not have a standard system for information security?
The U.S. Department of Homeland Security urges CEOs to ask the following questions:
- How is our executive leadership informed about the current level and business impact of cyber risks to our company?
- What is our plan to address these risks?
- How does our program apply industry standards and best practices?
- How many and what types of cyber incidents do we detect in a normal week?
- What is the threshold for notifying our executive leadership?
- How comprehensive is our cyber-incident response plan? How often is it tested?
With an ISMS tailored to your company (one size does not fit all), you will be alerted to security breaches with a high impact on your company. You get the red-light warning that something bad is about to happen, and you can take proactive action with and through your security team. Properly constructed, the alerts cannot be masked or ignored. It’s a dangerous world out there. Take the first step. Find out what security framework you have, compare it to your industry’s best practice and develop a plan for improvement. Your shareholders, partners and employees will be reassured; and most important, you will have taken an important step to protect your company’s assets from security risks.