Top 5 Non-Tech Tips a CEO Can Learn from the Target Security Breach
What your US Company and Target Corporation Have In Common
You’re the CEO of a small or medium sized business, and define that any way you want: $500,000 to 500,000,000 million in revenues, 5 to 5000 employees, 1 to 1000 locations, or any combination thereof. Your company may not be named Target, but without a doubt your company information is a target. There could not have been a more apropos company to be associated with the largest security breach (most customers affected) in the US than a company named TARGET! Perhaps this will be a wakeup call for all the SMBs out there that still hold the attitude that “nobody will come after them” or “my information isn’t valuable to others.”
So here are the Top 5 non-technical things that a CEO should learn from the Target Corporation breach:
1.) Your company info is valuable. If the Target security breach teaches us anything, it is that a company’s data is valuable. Data about your customers, vendors, personnel, marketing strategies, intellectual property, even company memos can do real damage in someone else’s hands, whether that is your competitors, cyber-thieves, or even your own employees.
We certainly try to prevent our employees from taking company data when they leave the company. Has an employee of your firm ever left and gone to work for a competitor? Of course they have. Your customers, IP, marketing, even the processes that give your firm an advantage are at risk. Cyber thieves are an obvious danger that needs no explanation. You need to make sure this data is being protected both internally and externally. The first step in doing this is realizing that your data is actually valuable and that someone out there wants it.
2.) Fixing a breach is costly. Stating the obvious, Target Corporation is spending oodles of money on PR, discounts to retain customers, attorneys, reporting, and the list goes on and on. In fact Target just announced that it will be offering affected customers FREE credit monitoring and identity theft protection. Think of the cost of that. Besides those hard costs, think of the cost in human talent that comes from taking on the project of defending your corporate reputation. Now add the cost of this project being completely unexpected. Can you even measure such costs? Could you, as CEO of your company, basically clear your schedule for the next month or more, as Target CEO Gregg Steinhafel is doing? Sure, your company might not have to appear on CNBC to explain your reactions and strategy, but as CEO you will probably have to spend a lot of time explaining those same things to your clients, vendors, and employees. Even if you can eventually delegate that work, it is a costly, unexpected project, which means it delays other legitimate projects that currently have your and your staff’s resources. Can you calculate the cost of putting all of those projects on hold?
3.) Checkbox compliance is NOT a strategy.
You may have heard in TV reports that Target actually did have anti-malware software installed on its terminals, so they are not sure exactly how the breach happened. Now, we do not have any insight into Target’s security policies and procedures, and we are not accusing them of anything in this paragraph, but that statement is worth thinking about for a minute, because many companies take a “check it and forget it” approach to security and compliance. Installing software or hardware without putting together a plan to make sure updates happen on a schedule, or without considering known cyber-theft techniques on an ongoing basis, can render any hardware or software solution installed to “comply with the auditor’s checkbox” worthless. Best practices in security should be created, known, and followed. Create a plan in house if you have the technology talent, or outsource it if you don’t. A solid plan is the best start to a strong defense.
4.) Breach Notification: Timing can be Everything. There is a very good chance that the Target security breach did not just happen a day before it was reported. Many times these breaches go undetected for a long time while the “cyber-criminal” is already in your systems, looking for an opening to more valuable data. In such cases it would be great to have a plan that incorporates systems and monitoring that would document and inform you not only of a breach, but also of actions by these criminals that could be considered an attempted breach. Technologies such as SIEM (Security Information and Event Management) can offer such protection. When put together as part of a strategy with your network or Next Generation Firewall, your staff can truly monitor potential breaches in a much more timely fashion, thereby reducing the effects of a breach or avoiding one altogether.
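To make the “attempted breach versus breach” distinction concrete, here is an added example (not code from the original post or from any SIEM vendor) of the kind of correlation rule a SIEM runs over authentication logs: repeated failed logins from one source inside a short window raise an “attempted breach” alert, and a later successful login from that same source raises a “breach” alert so someone is informed before the intruder moves on to more valuable data. The log lines and their field layout (timestamp, result, user, source address) are constructed for this example and are not any real product’s format.

```python
"""Minimal SIEM-style correlation over authentication log lines.

Added example: not part of the original post. The sample log below and
its field layout are constructed; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five quick failures from one source, then a success
# (what an attacker guessing a password looks like), plus one ordinary user
# who mistypes once and then logs in normally.
SAMPLE_LOG = """\
2014-01-15T02:14:01 FAIL user=vendor_portal src=198.51.100.23
2014-01-15T02:14:03 FAIL user=vendor_portal src=198.51.100.23
2014-01-15T02:14:04 FAIL user=vendor_portal src=198.51.100.23
2014-01-15T02:14:06 FAIL user=vendor_portal src=198.51.100.23
2014-01-15T02:14:07 FAIL user=vendor_portal src=198.51.100.23
2014-01-15T02:14:09 OK   user=vendor_portal src=198.51.100.23
2014-01-15T09:30:00 FAIL user=jsmith src=192.0.2.10
2014-01-15T09:30:20 OK   user=jsmith src=192.0.2.10
"""

FAIL_THRESHOLD = 5             # failures inside WINDOW that count as an attempt (assumed)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumed)


def parse_line(line):
    """Split one constructed log line into a dict of its four fields."""
    ts, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def correlate(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in log order.

    'attempted_breach' fires once per source when it reaches `threshold`
    failures within `window`; 'breach' fires when a flagged source then
    authenticates successfully.
    """
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of failures still inside the window
    flagged = set()                # sources that already triggered an attempt alert

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src = ev["src"]
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[src] if ev["ts"] - t <= window]

        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "attempted_breach", "src": src,
                               "user": ev["user"], "at": ev["ts"].isoformat()})
        elif ev["result"] == "OK" and src in flagged:
            alerts.append({"kind": "breach", "src": src,
                           "user": ev["user"], "at": ev["ts"].isoformat()})
        failures[src] = recent

    return alerts


def summarize(alerts):
    """One plain-language line per alert, the kind of thing a CEO would be briefed with."""
    return [f"{a['at']}: {a['kind'].replace('_', ' ')} from {a['src']} against account {a['user']}"
            for a in alerts]


if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_LOG)):
        print(line)
```

The single mistyped password from `jsmith` never reaches the threshold, so it produces no alert; the burst from `198.51.100.23` produces an attempted-breach alert on the fifth failure and a breach alert on the success two seconds later. In a real deployment the thresholds are tuned to your own baseline, and the alerts are routed to whoever is on call rather than printed.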
5.) You can’t just spend to protect. It would be great if all you had to do was purchase a next generation firewall and be all good. However, just as putting more police on a police force won’t necessarily reduce crime in an area, frivolously spending budget on security will not stop all cyber-crime. You can have firewall hardware, firewall software, a free firewall or the best firewall in your company, but if you don’t have a plan of action, you may still be in for a breach.
Of course every company has a responsibility to its clients, vendors, stakeholders, and even shareholders to try to protect its systems, but educating your employees about cybercrime and the little things they can do to keep an eye out or help prevent it can also go a long way. The cybercriminal is always trying to be one step ahead, just as street criminals try to be with the police. So we have to use tools and education to try to keep up and prevent them from being successful. You do need to budget for solutions. There are of course many hardware firewalls: Cisco, Palo Alto, Fortinet, Check Point, or Juniper. However, whatever hardware you implement, if you do not follow best practices on implementation you can easily fail to get the most out of the money you spend. You have to plan and spend, not just spend.
As a CEO, it is important that you understand the risks and consequences of a poorly laid out security plan. Of course you are not likely the one who will be executing such a plan, but a breach will certainly fall squarely on your plate to fix, so it is highly recommended that you designate someone on your staff to see that such a strategy is produced. Also, make sure that one of this staff member’s responsibilities is to inform you on a regular basis as to how the plan is being executed, so that diligence, not checkbox compliance, is what gets exercised. The CEO’s knowledge of this topic is essential if a breach ever occurs. You will be much better prepared to deal with what is likely to become a very public affair if you have been involved and informed along the way.
So take these lessons from Target’s misfortune and try to avoid such an occurrence within your organization. You and your staff won’t be able to stop every attempt to target your company’s data, but with the right tools you can both prevent breaches and be notified as early as possible when attempts are made. As CEO, this is not the way you want to get your name out there.