At last?
Maybe now they'll realise that poor security hits them on the bottom line. Most of them need this kind of clue stick.
Target's infamous 2013 data breach, which resulted in the company being relieved of 40 million credit card numbers, has cost the company another US$148m according to its latest quarterly finance report. The retailer dedicates a whole section of its quarterly statement to the breach, and says that “In second quarter 2014, the …
Well, yes. But one of the interesting, and unfortunate, aspects of the Target breach is that it wasn't the sort of obviously, stupidly poor security, as we saw with e.g. the TJX unencrypted-wireless-PoS breach some years back.
The infection came indirectly through a third-party supplier, and was spread by Target's over-engineered Windows-based PoS system. Those are architectural security issues, not simply a matter of "hey, turn on network encryption, stupid". Harder to spot and significantly harder to fix.
Then Target's outsourced intrusion-detection team did spot malicious activity, and informed Target as they were supposed to - but the second-line team sat on the information instead of investigating and escalating. That's a procedural failure, but again it's not obvious or easily fixed - it's not a case of Target not having any monitoring at all.
What it really demonstrates, once again, is that security is hard, and prominent victims (like large retail chains) won't have anything close to adequate security even if they make a good-faith effort to check the obvious boxes. They need someone in the C-suite whose remit is solely IT security; they need a formal process that includes threat modeling, penetration testing, and systems review; they need clear, well-documented procedures that create incentives for failing to a secure state rather than an insecure one. That's a very expensive proposition. Is it more than 148M USD expensive? Hard to say.
That's only $3.50 a card, so this must surely be in addition to some much larger provision they've previously made? If they just had to settle with the card issuers for the cost of cancelling and replacing cards it would come to a hell of a lot more than that; then there's free credit monitoring for their customers. And that's without having to compensate any victims of fraud resulting from the breach, or the inevitable class action suit over all the stress and worry. They're in for more of a reaming than $148m.
Another US$148m this quarter. Ongoing. Increasing.
And yet so many large businesses are continuing to scrimp and save on little bits of security "because it'll never happen to us".
Is your security as good as it could be? If you just answered "yes", prepare to be boarded. What was the best last week is old news and vulnerable. Security is a moving target and if you don't keep looking at ways of improving it you will be a victim.
"security as good as it could be" is a meaningless phrase anyway - you don't have to invoke the "moving target" argument. Security is only meaningful in the context of threat models, costs to attackers, and costs of defenses. There is no "security" in an absolute sense.
And defense budgets are limited. Worse, security costs are asymmetric - across a broad threat model, defense will be much more expensive than attack. There's no point in saying "keep looking at ways of improving [security]"; without context, that's not useful advice. Someone has to decide how to allocate the defense budget to increase the attack cost of the cheapest and most probable attack vectors, analyze the system for new attack vectors and update the threat model, detect violations, etc.