DATA SECURITY: How not to be the next Target
Written by Canh Tran
What happened at Target?
It started with a simple, innocuous entry point: a temperature control system belonging to an HVAC vendor that had access to Target's network. Once inside the outer perimeter, the attackers installed memory-scraping malware whose code they had probably first uploaded to virustotal.com to confirm that none of the forty or so anti-virus engines flagged it. The malware spread to every point of sale terminal and read card data out of process memory during the brief window after a swipe in which it was still unencrypted, before the terminal encrypted it for transmission to the payment processor. A single piece of malware thus defeated industry-standard network perimeter security, anti-virus and encryption in one fell swoop.
When it was all said and done, Target, the second largest US retailer with over 1,900 stores and $73 billion in sales, had been breached. The attackers stole data on 40 million payment cards and personal information on 70 million consumers. The breach will likely cost Target between $400 million and $2 billion in losses from buying identity protection for consumers, paying banks to replace cards, and fending off litigation.
Only going to get worse
According to Adam Levin of credit.com, it’s only going to get worse. The number and scale of data breaches have been growing at epidemic proportions over the last five years and the common refrain among security experts is “It’s not if you are going to get breached, it’s when.”
How disastrous are these breaches? Large retailers suffer heavy financial losses and damage to their brands, but most will recover. The threat is far more acute for smaller retailers, who lack the same IT and security resources, and for online retailers with many near-identical competitors. For those companies a data breach can prove fatal, as customers switch to a competitor and never come back.
Chip and PIN, PCI compliance, and data encryption
Starting in October 2015 the US payment industry is scheduled to move to EMV chip cards, commonly known as Chip and PIN, which make card data harder to steal and reuse, and which shift liability for counterfeit-card fraud onto merchants whose terminals are not chip-capable.
Additionally, the Payment Card Industry Data Security Standard (PCI DSS) sets requirements for how merchants process, store, and transmit cardholder data, including rendering stored card numbers unreadable and encrypting them in transit over public networks.
While these measures will help, this won’t eliminate the possibility of data being exposed at the point of sale, according to Al Pascual, a senior analyst at Javelin Strategy who has written extensively about data breaches.
It’s worth noting that researchers have demonstrated attacks against earlier Chip and PIN deployments, and that most of these breaches hit merchants who were already subject to PCI DSS and already using encryption. Some of those merchants were certified compliant while malware was already running on their systems: a compliance assessment is a snapshot of controls on the day of the audit, not proof that the network is clean.
Regardless of what solutions are currently being talked about, one thing is for sure: none of them will be a magic bullet, and none will be enough on its own. Fraud is like a balloon; squeeze one end and it bulges somewhere else.
Don't be the next Target
5 steps merchants need to take to protect themselves
1. Secure your perimeter IT network and web-based applications, and know who else has access to them. Your IT network is like your house: you need to secure the windows, doors, and vents, anywhere a thief could get in. Web-based applications are like the mail, cable, electricity, water, gas and package deliveries that keep the house running, anything that has to come in and out to communicate with the outside world. A contractor's key is a door too: the Target intrusion began with a vendor's access, so third-party connections need the same scrutiny as your own, and the systems that handle card data should be segmented from the rest of the network so that a foothold in one place cannot spread to the point of sale.
2. Be prepared. Train for data breaches and incident response. Just as you prepare for natural disasters, build breach readiness by developing processes, training your people, and practising often. As Mike Brummer, VP of Experian Data Breach Resolution, explains to bankinfosecurity.com, “organizations really have fewer excuses why they shouldn’t be prepared. It’s much more cost effective to prepare, to pay the price and invest upfront, versus paying later.”
3. Buy cyber security insurance. This is a growing field, and the underwriting process itself is useful: insurers will make you identify what is important and what is financially at risk, which gives you the discipline to decide what most needs protecting.
4. Monitor your systems 24/7 for suspicious IT traffic and fraudulent financial activity. Periodic audits are not enough; you need continuous monitoring so you can detect an intrusion quickly and act immediately to stop it and limit the losses. Just as consumers get alerts from their bank or card issuer to verify purchases, often in real time, merchants need equivalent alerting for potential threats on their own systems.
5. Finally, have a security forensics team on speed dial. Better still, bring the team in before a breach occurs, so you understand what they can and cannot do for you and can evaluate their skills and expertise before you have to depend on them.
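The malware described above harvested magnetic-stripe track data from point of sale memory during the moment it was unencrypted; the same pattern matching, turned around, is how a defender checks whether cleartext card data is sitting where it should not be (step 4's monitoring). As an added example, not part of the original article or any vendor's product, the following Python scans a byte buffer, such as a slice of a POS process's memory or a captured outbound payload, for Track 1 and Track 2 data and bare card numbers, and validates every candidate with the Luhn check that all payment card numbers pass, so timestamps and transaction ids do not trigger alerts. The track layouts and the Luhn algorithm are standard; the sample buffer is constructed here and uses the public 4111 1111 1111 1111 and 5555 5555 5555 4444 test numbers, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Magnetic-stripe track layouts (ISO/IEC 7813). Track 1 starts with %B and
# carries the PAN, the cardholder name and the expiry (YYMM); Track 2 starts
# with ; and carries the PAN and the expiry. Both end with ?.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d{3}[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[^?]*\?")
# A bare run of 13-19 digits is only a PAN candidate; Luhn decides.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by every payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    kind: str        # "track1", "track2" or "pan"
    offset: int      # byte offset of the match in the scanned buffer
    masked_pan: str  # never keep or log the full PAN
    expiry: str      # YYMM from the track, "" for a bare PAN


def scan_buffer(buf: bytes) -> List[Finding]:
    """Find cleartext card data in a byte buffer (memory dump, log, pcap payload)."""
    findings: List[Finding] = []
    covered: List[Tuple[int, int]] = []   # spans already reported as track data

    for kind, rx, exp_group in (("track1", TRACK1_RE, 3), ("track2", TRACK2_RE, 2)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                findings.append(Finding(kind, m.start(), mask_pan(pan),
                                        m.group(exp_group).decode()))
                covered.append((m.start(), m.end()))

    for m in PAN_RE.finditer(buf):
        if any(s <= m.start(1) < e for s, e in covered):
            continue                      # PAN already reported inside a track
        pan = m.group(1).decode()
        if luhn_ok(pan):                  # drops timestamps, transaction ids, etc.
            findings.append(Finding("pan", m.start(1), mask_pan(pan), ""))

    return sorted(findings, key=lambda f: f.offset)


def summarize(findings: List[Finding]) -> dict:
    """Count findings by kind. A non-zero count on a host that should never
    hold cleartext card data is the alert condition for monitoring."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample (assumption, not captured data): what a slice of a POS
# process's memory might contain. Card numbers are public test numbers.
SAMPLE_POS_MEMORY = (
    b"\x00\x00pos.exe\x00authorizing\x00"
    b";4111111111111111=2512101123?\x00"              # Track 2, swiped card
    b"%B4111111111111111^DOE/JOHN^2512101000?\x00"    # Track 1, same card
    b"txn_id=4111111111111112\x00"                    # 16 digits but fails Luhn
    b"pan=5555555555554444\x00"                       # bare PAN, passes Luhn
    b"\xff\xfe\x00"
)


if __name__ == "__main__":
    found = scan_buffer(SAMPLE_POS_MEMORY)
    for f in found:
        print(f"{f.kind:6s} @0x{f.offset:04x} pan={f.masked_pan} exp={f.expiry or '-'}")
    print(summarize(found))
```

Run against the sample it reports one Track 2 record, one Track 1 record and one bare PAN, and ignores the transaction id that merely looks like a card number. In practice you would run the same scan over process memory of the POS application, over outbound traffic leaving the store segment, and over log files, and treat any hit on a system that is not supposed to handle cleartext card data as an incident rather than a curiosity.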
Every merchant we talk to wants a magic bullet to prevent data breaches, but the reality is that no such bullet exists. These recommendations prepare you to be ready, to be proactive, and to respond better. As Jeff Multz, a security evangelist at SecureWorks, said, “Security is a journey not a destination” – one that merchants need to undertake to give themselves a fighting chance.
How changing your company's software code can prevent bias
Two-thirds of tech professionals believe organizations aren’t doing enough to address racial inequality. After all, many companies will simply hire a DEI consultant, hold a few training sessions and call it a day.
Wanting to take a unique yet impactful approach to DEI, Deltek, the leading global provider of software and solutions for project-based businesses, reviewed its software code and removed exclusionary terminology from it. By removing terms such as ‘master’ and ‘blacklist’ from its code, Deltek is working to ensure that diversity and inclusion are woven into every aspect of the organization.
Business Chief North America talks to Lisa Roberts, Senior Director of HR and Leader of Diversity & Inclusion at Deltek to find out more.
Why should businesses today care about removing company bias within their software code?
We know that words can have a profound impact on people and leave a lasting impression. Many of the words that have been used in a technology environment were created many years ago, and today those words can be harmful to our customers and employees. Businesses should use words that will leave a positive impact and help create a more inclusive culture in their organization.
What impact can exclusive terms have on employees?
Exclusive terms can have a significant impact on employees. It starts with the words we use in our job postings to describe the responsibilities in the position and of course, we also see this in our software code and other areas of the business. Exclusive terminology can be hurtful, and even make employees feel unwelcome. That can impact a person’s desire to join the team, stay at a company, or ultimately decide to leave. All of these critical actions impact the bottom line to the organization.
Please explain how Deltek has removed bias terminology from its software code
Deltek’s engineering team has removed biased terminology from our products, as well as from our documentation. The terms we focused on first that were easy to identify include blacklist, whitelist, and master/slave relationships in data architecture. We have also made some progress in removing gendered language, such as changing he and she to they in some documentation, as well as heteronormative language. We see this most commonly in pick lists that ask to identify someone as your husband or wife. The work is not done, but we are proud of how far we’ve come with this exercise!
What steps is Deltek taking to ensure biased terminology doesn’t end up in its code in the future?
What we are doing at Deltek, and what other organizations can do, is to put accountability on employees to recognize when this is happening – if you see something, say something! We also listen to feedback our customers give us and have heard their feedback on this topic. Those are both very reactive things of course, but we are also proactive. We have created guidance that identifies words that are more inclusive and also just good practice for communicating in a way that includes and respects others.
What advice would you give to other HR leaders who are looking to enhance DEI efforts within company technology?
My simple advice is to start with what makes sense to your organization and culture. Doing nothing is worse than doing something. And one of the best places to start is by acknowledging this is not just an HR initiative. Every employee owns the success of D&I efforts, and employees want to help the organization be better. For example, removing bias terminology was an action initiated by our Engineering and Product Strategy teams at Deltek, not HR. You can solicit the voices of employees by asking for feedback in engagement surveys, focus groups, and town halls. We hear great recommendations from employees and take those opportunities to improve.