Security Breaches: We're All Targets


By Samuel Greengard

The news about the Target security breach just keeps getting worse. Last week, the retailing giant announced that in addition to thieves swiping the credit and debit numbers of 40 million customers, crooks had also obtained names, addresses, and phone numbers from up to 70 million additional accounts. While it's a big fat hassle to change credit card numbers, it's a bit more difficult for a consumer to change his or her name, address and phone number.

At this point, the odds are reasonably good that Target will watch its revenues and brand value plummet—at least over the next several months. The firm will also likely find itself coping with lawsuits from customers, as well as banks and others, who have been sucked into the vortex in one way or another. I'm guessing the executive offices at Target are a fairly somber place right now.

But let's get real. The only shocking aspect about this incident is that anyone finds it shocking. During the last year alone, the list of firms hit by security breaches reads like a Who's Who of business: Adobe, Apple, Blizzard, Dropbox, Evernote, Facebook, Living Social, NASDAQ, Neiman Marcus, Snapchat and Vodafone, to name a few examples. In fact, each of these firms endured a loss of more than 30,000 records, according to the website Information Is Beautiful.

The truth is that many businesses are doing an abysmal job of protecting their data. And while it's easy to point a finger at retailers such as Target, the problem is far more complex. The entire ecosystem—security vendors, equipment manufacturers, credit card firms, payment processors and enterprise IT—is complicit. Corporate systems lack safeguards, password authentication is woefully inadequate and credit cards have near-zero security. The numbers and security codes are printed right on them!

I could go on and on. The system is now so broken that security must be rethought and rebuilt from the microchip up. We're using the equivalent of skeleton keys to manage security in the digital age. Perhaps the Target debacle will serve as the tipping point. The firm's CEO, Gregg Steinhafel, has promised to make "significant changes," whatever that means.

Here's a starting point: businesses must mandate two-factor authentication, credit card issuers and retailers must adopt chip-and-PIN systems, and CIOs and others in charge of enterprise security must stop viewing protection as merely an expense and embrace a best-practices approach—costs be damned.

Otherwise, the cost is even greater. Just ask Gregg Steinhafel.

About the Author

Samuel Greengard is a contributing writer for CIO Insight.