Lessons Not Learned from the Target Security Breach - Miles Jennings

Written by Miles Jennings | Dec 3, 2014 2:51:20 PM

Here’s an anniversary that won’t be celebrated at Target HQ in Minneapolis. It’s been one year since the massive data breach of its customers’ credit card information was announced. While security spending has increased, it may not be applied wisely.

As Bloomberg Business reported, “In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.

“Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”

Dr. Barbara Rembiesa, CEO of the International Association of Information Technology Asset Managers, says companies may not have learned the harsh lessons from the Target data breach. She says, “Though that high-profile case set off a $70 billion ‘IT security’ spending wave among major companies hoping to avoid similar catastrophes, 2014 has so far seen more customer data stolen than in any previous year.”

She’s especially harsh on what corporations are doing. “The Target debacle triggered an 8 percent increase in spending on ‘IT security’ but did very little to slow down the tide of major data breaches. The reality is that companies that have taken these steps are treating the symptoms but not the underlying problems. By focusing only on narrowly focused and superficial IT security ‘solutions,’ companies are putting the cart before the horse and they’re going nowhere.”

She added: “When you look closely at the biggest data breaches of 2014, even the best IT security solutions alone could never prevent them. This has been the biggest ignored lesson of the year. If companies are to stop these attacks in 2015, they must first recognize that the true sources of nearly all major breaches are more foundational and stem from nonexistent or inadequate IT Asset Management procedures.”

Rembiesa said companies need to follow IT Asset Management principles to protect themselves. Among them:

  • You Cannot Secure What You Don’t Know You Have. One of the greatest breach risks to all enterprises lies in the large number of IT doorways and gateways. No amount of sophisticated security software on earth will protect a company from the computer it didn’t know it had operating on its network, or from dangerous software that an employee downloaded without anyone detecting it.
  • Threat Communication Is As Important As Threat Identification. What happens after a threat is discovered is as important as the discovery itself. Communications management accelerates the speed at which a discovered threat can be locked down and addressed. As the Bloomberg account above indicates, Target had identified the threat and then did nothing about it.
  • Manage Your IT Vendors As You Manage Your IT Assets. Several of the large 2014 data breaches flowed from improper IT vendor management. A company’s IT management policies are only as good as the weakest link in the system. Rembiesa said, “If an IT contractor is operating at a company, its IT management policies need to be as good or better than the company employing it.”
  • IT Security is NOT the Same as IT Asset Management … and Both Are Critically Important. IT Asset Management underpins all IT security. Information technology environments operate in dynamic and fluid ways, and IT Asset Management is the discipline that helps companies navigate and understand this process. Focusing on IT security without addressing IT Asset Management may provide some degree of comfort in board rooms and C suites looking for a quick fix, but it is an illusion.
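The first principle above, that you cannot secure what you do not know you have, is the one with an obvious technical check: reconcile what the network actually sees against what the asset register says exists. The script below is an added example written for this post, not code from Miles Jennings or from IAITAM. It assumes a hand-maintained inventory of MAC address, hostname and owner (with the inconsistent MAC formatting such spreadsheets usually have) and a dnsmasq-style DHCP lease file; both data sets are constructed sample input, not taken from any real environment.

```python
"""Reconcile hosts observed on the network against an IT asset inventory.

Added example; not code from the original post or from IAITAM. The inventory
rows and the dnsmasq-style DHCP lease lines are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str        # normalized: lowercase, colon-separated
    hostname: str
    owner: str      # team or vendor accountable for the asset


# Constructed asset register. MAC formatting is deliberately inconsistent,
# which is typical of spreadsheets and must be normalized before matching.
INVENTORY_ROWS = [
    ("00-11-22-33-44-55", "pos-register-07", "store-ops"),
    ("AA:BB:CC:DD:EE:01", "hvac-ctl-02",     "vendor-hvac"),
    ("aabbccddee02",      "file-srv-01",     "it-infra"),
]

# Constructed dnsmasq-style lease file: <expiry> <mac> <ip> <hostname> <client-id>
# A hostname of "*" means the client sent none.
DHCP_LEASES = """\
1417618280 00:11:22:33:44:55 10.1.20.15 pos-register-07 01:00:11:22:33:44:55
1417618301 aa:bb:cc:dd:ee:01 10.1.40.9 hvac-ctl-02 01:aa:bb:cc:dd:ee:01
1417618355 de:ad:be:ef:00:01 10.1.20.77 * 01:de:ad:be:ef:00:01
1417618390 02:42:ac:11:00:02 10.1.20.78 laptop-xyz 01:02:42:ac:11:00:02
this line is corrupt and must be skipped
"""

LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>[\d.]+)\s+(?P<host>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' from any common separator and case."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(rows):
    """Map normalized MAC -> Asset for every inventory row."""
    return {normalize_mac(mac): Asset(normalize_mac(mac), host, owner)
            for mac, host, owner in rows}


def parse_leases(text: str):
    """Yield (mac, ip, hostname) for each well-formed lease line; skip junk."""
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        yield normalize_mac(m.group("mac")), m.group("ip"), (None if host == "*" else host)


def reconcile(inventory, leases):
    """Split observed hosts into inventoried and unknown, and list inventory
    entries that never showed up on the wire (possibly decommissioned, or
    statically addressed and therefore invisible to DHCP)."""
    seen = {mac: (ip, host) for mac, ip, host in leases}
    unknown = {mac: v for mac, v in seen.items() if mac not in inventory}
    matched = {mac: v for mac, v in seen.items() if mac in inventory}
    unseen = {mac: a for mac, a in inventory.items() if mac not in seen}
    return {"unknown": unknown, "matched": matched, "unseen": unseen}


if __name__ == "__main__":
    result = reconcile(load_inventory(INVENTORY_ROWS), parse_leases(DHCP_LEASES))
    for mac, (ip, host) in sorted(result["unknown"].items()):
        print(f"UNKNOWN DEVICE  {mac}  {ip}  {host or '(no hostname)'}")
    for mac, asset in sorted(result["unseen"].items()):
        print(f"NOT SEEN        {mac}  {asset.hostname}  owner={asset.owner}")
```

Two caveats a practitioner should keep in mind. A DHCP lease file only shows clients that asked for an address, so a statically configured device, which is exactly the kind of box nobody remembers owning, never appears; feed the same reconciliation from switch MAC tables or ARP caches as well. And the "unseen" list is as important as the "unknown" one: an inventoried asset that never shows up is either gone (and should be retired from the register, along with any credentials or vendor access tied to it) or is reachable by a path this data source does not cover.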