One year ago the infamous Target breach occurred; November 27 to be exact. Unless you’ve avoided retailers entirely in 2014, there’s a good chance you’ve been impacted by a card breach.
Impacted? What does that mean?
Like many, probably an inconvenience. Granted, there is a risk of fraud, but that liability is waived provided the fraud is reported in a timely manner. In the case of debit cards the impact can be greater, since fraudulent charges draw directly on the checking balance. But for the vast majority, there’s an inconvenience, which is the trade-off for the convenience of using plastic and (possibly) earning rewards for card usage.
As the family retires to the family room after Thanksgiving dinner and the Black Friday sales are discussed, poll them and ask if they will use paper (cash) or plastic (credit/debit cards) this holiday season.
Then ask them why. More than likely most are planning on using plastic, and why not? It’s unlikely they’ll say they fear or distrust where they shop, even with a reported 1,000 retailers infected.
Simply put, the retailer has what we need and likely at a great price, Black Friday or not. The plastic is the convenience and the feeling is as if nothing was spent, until the statement arrives.
How does Wall Street feel about these breaches? At the time of writing, TGT closed at a one-year high of $72.17 (11/26/14). Home Depot? They’ve had a great 3rd quarter and grew more than 20%.
Regardless of the viewpoint, these businesses have shown their resiliency in the face of very adverse events. And this is how it is supposed to be. Businesses are supposed to be able to weather the storm even with turbulence along the way. There’s a business impact, but in the grand scheme of things, the feared doom and gloom in the retailer space hasn’t hit as hard as expected, at least if the stock price is the yardstick, which for all intents and purposes it is.
By the way, it’s easy for the security industry to look back at the Target breach and poke holes and say we’re not getting any better. But there was improvement and it may have gone unnoticed in the midst of the chaos.
The TJX breach went undetected for 18 months, whereas Target was 18 days.
This statement isn’t about who is better, but rather to illustrate that the industry as a whole has gotten better at closing the window of compromise. Still, many will say that’s not good enough, which is tough to argue.
Would it have been ideal if Target had discovered this itself (beyond the internal alerts it received) and addressed the incident? Yes, of course. However, in the age of information sharing and leveraging our allies, every business needs all the help it can get. The bottom line: if this were the TJX timeframe, the Target breach would still have 6 months to go before detection.
The industry has seen change in 2014 during the barrage of breaches. Influential figures have changed their tune and stated, “compliance does not equal security”. The security industry already knew this, but now it’s coming from the Council rather than the echo chamber. Vendors like Cylance are changing endpoint protection as we know it, which factors into the PCI-DSS 3.0 requirement 5 updates.
At a time of giving thanks with our family and friends, as security professionals, let’s give the gift of awareness and education, too.
There’s value in “what’s in it for me”: providing people personal value rather than always focusing on the corporate angle, where employees may become disengaged. While some may view this as an ineffective approach to enterprise security, the opposite is true. Employees can and will learn security information that is personal to them, and that carries over to the business, too.
Examples of fake shipping invoices, URL analysis in emails, creating better passwords, and mobile security are just a few topics from which nearly anyone shopping this season can learn. So rather than focusing on retailer breach trust or the lack thereof, flip this on its head and change the conversation to areas where the employee has some control and can learn from everyday events.
The paper or plastic poll serves as a catalyst for an opportunity to provide awareness and educational value to those closest to us, and to chip away at improving our security at the endpoint. We’re the trusted advisor for our family and friends and can make an impact in a roundabout way. For that, they may give thanks to us, and to our corporations when they return to the office.