How to avoid becoming the next Target

Security is no longer an ancillary IT function that is passed off to the geek squad.
First, instead of relying on the multitude of disparate security solutions that are baked into the hardware and software typically used in an enterprise IT environment, and then attempting the arduous task of integrating them, organizations should focus on the data itself. Where is it going, and how is it encrypted? Who has access to the encryption policies, and which third-party applications have federated access to the data? There's a reason banks and governments turn to encryption companies like Certes: high-speed data encryption works!

Second, top executives should regularly discuss cyber-security with the chief information officer (CIO). A good jumping-off point is to ask the CIO to present the specifics of news-making data breaches, and then examine those details against your company's security policies. If questions arise that cannot be answered, then part two of that discussion should be which tools and solutions need to be acquired to achieve your security goals.

Third, set cyber-security goals and add security metrics to your dashboard. Cyber-security is not a one-and-done process. Like revenue or other business goals, security demands constant monitoring. Add security metrics such as “number of potential breaches vs. number of actual breaches this month” to ensure the enterprise stays on top of its cyber-security situation.

Lastly, know your enemy. How? Hire a hacker. Employ the enemy equipped with the latest arsenal to test your systems, and include the results in monthly reporting. This will reveal holes in your server walls, applications, and data security policies, which can then be acted upon by the IT team. It also provides valuable information for the board and an increased level of transparency.

Borrowing from Forbes, Target’s dismissal of CEO Gregg Steinhafel “isn’t just about the breach.” It’s also about lack of ability to react quickly, lack of transparency when they found out, and the fact that the company wasn’t on very solid footing before the breach happened. These are all areas for which the CEO is directly responsible.

Special tips for retailers

Large retailers in particular face special challenges: they process a great deal of valuable data very frequently, they have many locations, and their sheer size makes it difficult to roll out company-wide security updates on a regular basis. Most communications service providers (CSPs) are also retailers, which presents some risk, and the addition of third-party retail channels increases that risk further. Forbes offers these suggestions for retail operations:

  • Reducing exposure by getting rid of data that is not required for immediate business purposes and using third-party vendors (PayPal, etc.) to process credit card payments.
  • Encrypting credit card numbers at the point of acceptance.
  • Focusing on security, in addition to compliance.
  • Understanding how your network and domain infrastructure can work against you.
  • Locating the initial attack vector immediately, rather than focusing only on the end target (which also needs to be fixed). Otherwise you can end up chasing a number of false and actual attacks that all originate from the same initial entry point, spending far more money and time trying to eliminate the threat.

Hack prepping

The damage from even a small attack can be very significant. Jeffery Guy says that every company should expect to be breached, and that, although a compromise may take only seconds, it will take months and an average of $341,000 to fix each breach (as Target is finding out now).

Most cyber attacks on businesses are aimed at small businesses. And, although many business owners feel they “aren't worth the time” of an attacker, the reality is that they are the primary targets and victims of cybercrime. However, that doesn't mean they have to become Targets with a capital “T”.
