What cybersecurity lessons did Target learn from its massive data breach?

What were they thinking in not upgrading their antiquated, unsecure transaction system that was breached for three weeks during the holiday season? Why did they stream all of the credit card information and customers’ personal records in a centralized way? But they are not alone.

Since that debacle, which took down the retailer’s CEO Gregg Steinhafel and CIO Beth Jacob, Target is trying to win back shoppers’ trust by pledging to spend $100 million on cybersecurity. Good luck, the damage is done.

Target’s Scarface Syndrome

Call it the Scarface syndrome. In the cult movie, the unstable Al Pacino character complains about the high cost of security rising as a percentage of his illicit empire. Scoffing at paying a premium for more layers of security, he hastens his demise.

For too long executives at Fortune 1,000 companies and small to medium size businesses (SMB) have refused, ignored, or hoped they wouldn’t have to spend the capital necessary to protect their assets. They have been slow to learn, slower to act. They don’t plan for worst-case scenarios. With all of the ‘black swans’ that happened since 2000, from two tsunamis to the bursting of the Dot Com and Fixed Income Bubbles, they had no excuse. They should have learned a few lessons and fortified their digital assets.

Today, it’s easy for hackers to launch millions of “Zero Day” malware daily and spread them around the Internet. The malware is malicious code that cybersecurity monitoring systems are unable to detect, since it’s new. Can’t find it a new virus, can’t eliminate it.

In speaking with IBM security expert Kris Lovejoy, she pointed out it’s “inevitable” that hackers will break into enterprises, access corporate secrets, and steal personal data, whether employee, customer, or third party vendor. Not being prepared to defend against such attacks ripple from the C-suite to the boardroom, taking down those unfit for duty. Call it Digital Darwinism.

Kris Lovejoy IBM’s Kris Lovejoy [Credit: IBM]
Data as the New Currency

Not all data is created equal. Data has value. Some of it very important, such as a company’s intellectual property, other forms, like celebrity rants, have no value at all.

Too many corporations have little idea what constitutes their “crown jewels” or key digital assets. Worst, they don’t know how to go about protecting and partitioning them off in secure ways, or tracking them electronically.

Why don’t companies think more with the mindset of a bank? They probably do it with the physical perimeter of their offices and buildings, but they really haven’t thought about it for all of their internal and external digital assets, records, and data end points.

Time to change.

IBM’s “Crown Jewels” Solution

This spring IBM launched its novel, but mission-critical solution, “Crown Jewels.”

In a telephone interview with Kris Lovejoy, General Manager of IBM Security Services Division, we discussed IBM’s Crown Jewels approach and the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis. [Disclosure: “Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC May 2014.”]

From the Ponemon study:

“According to the research, the average total cost of a data breach for the companies participating in this research increased 15 percent to $3.5 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent from $136 in 2013 to $145 in this year’s study.”

Kris Lovejoy qualified, saying, “The Ponemon stats are associated with breaches that have been actually been reported. I think it’s equally important to understand the stats not in the report: Statistically, only a small percentage of breaches that are discovered are ever disclosed by the compromised organization. More significantly, only a small number of breaches are ever discovered in the first place.”

She added, “The Economist’s Intelligence Unit assessment of March 2014, based on interviews with 360 senior executives around the globe, found that while 77% of respondents said their firms had been hit with a cyber attack in the past two years, only about 35% said they would consider sharing attack and threat information with other organizations in their industry. When you consider this statistic in context of the commonly accepted rule of thumb that only 1 out of 100 breaches is ever discovered—it points to the reality that we are woefully ignorant with regard to the actual impact of compromises on our organizations. Further… the total impact of cyber breaches worldwide is woefully understated.”

Also from The Economist report:

  • Target spent $61 million in response costs in Q4 alone for the breach;
  • “Three-quarters of organizations have suffered an incidence in the last two years”;
  • “And the frequency of the incidents is on the rise.”

The Legal Risks of a Data Breach

In Kris Lovejoy’s view, many organizations fail to take cybersecurity seriously because they don’t understand the cost associated with a breach. “It’s not just the cost of the security expert required to investigate the breach… it’s the cost of customer notification, call center intake, customer mailings, identity theft monitoring services, lawyers, regulatory fines, PR firms, and so on. The costs can be quite extensive,” she said.

She also pointed out, “Many organizations don’t see legal or regulatory requirements as a trigger for action. But laws and regulations are changing.”  According to Lovejoy, “The European Union’s General Data Protection Regulation would create an obligation for all businesses to report breaches to regulators and affected consumers. Failure do so could result in fines of up to the higher of €100 million or 5 percent of businesses’ annual global turnover for non-compliance.”

That’s a hit to the bottom line that any company would feel.

What Can Be Done?

“It used to be very rare for senior executives to have conversations about security twenty years ago. A company’s online presence was limited to a website. You could buy a firewall and have okay security. Today to secure every thing in a network is akin to securing a big hotel with 65,000 doors and windows. You can’t just shut every entry or access point… you have to give your customers and employees controlled access in and out. Many security practitioners are uncomfortable with that concept. As ex-military and law enforcement they are programmed to lock everything down. They become the obstacles to business innovation. They can’t relate.”

“Since everything is connected to the Internet – and subject to attack – we have to start thinking more pragmatically. IBM is taking that more practical approach. Since we can’t stop the business, we have to use security to enable it… by making sure business can identify it’s crown jewels and put in place the mechanisms to protect them.”

What has been eye opening for Kris Lovejoy and IBM is that many executives have no idea what constitutes crown jewel data, let alone where to find it or how to protect it.

She role-played, saying: “Where are the next generation car designs? What’s the impact if they get stolen? How should I react? It’s time to figure that out. Use self-learning software to discover the documents and map a pattern of movement. Prioritize your protections. That way if a critical document does go missing you may be able to minimize the impact.”

We discussed the “feedback shock” on internal data, from board proceedings and minutes of the meetings, to executive separation and compensation packages. Are those docs given appropriate levels of importance? Do they end up on personal devices, laptops, and emails at home? How are they secured?

“At the end of the day, you can’t protect everything. You can, however protect the things that count. My advice is to act now and act fast,” Kris Lovejoy noted.

Has the boardroom woken up to the cost of legal and reputation risk? That is the question  corporations must ask today.