Target Stores' stock price was at $67 in November, fell to $54 in February, and over March has managed to recover to $60 as of this morning. Not terrible results for a company that was responsible for the loss of 40 million card transactions. But their profits have fallen 46% since the breach, store traffic and sales are down, and there are still fines, penalties, and class action lawsuit settlements on the horizon. The total cost of this fiasco will probably be in the billions of dollars.
I was initially inclined to give Target the benefit of the doubt. Obviously this exploit was carried out by a team whose skill set was incredibly high. There was obviously a lot of planning that went into the heist, and it was well executed.
But then we found out that the cyber-crooks gained entry through a vendor login that should not have permitted the thieves access to other parts of the network. And that the IT security team's pleas for more security testing were ignored in the rush to deploy the new POS system before the holidays. And that warnings and alerts from their own intrusion detection system (IDS) were disregarded and the alerting turned off. This was a huge collision of bad decisions resulting in a perfect storm of network compromise and penetration. Shame on those at Target who were responsible for this idiocy.
Still, we have also heard about similar exploits at Neiman-Marcus and Michael’s that evidently started in July 2013. And there are rumors of others. Just yesterday we heard about another long-term breach of the Texas liquor store chain Spec’s. In this latest revelation, half a million records were purloined over 17 months – nearly a YEAR AND A HALF!
The lesson for small business owners to take from this is:
- You are not too small to be another Target.
- Whatever your security is at this point, it isn’t good enough.
- You cannot expect to combat these thieves without expert assistance.
- Not getting information security help will ultimately be more expensive than getting penetrated by cyber-thieves.
The time for turning a blind eye and a deaf ear and hoping to stay lucky is past. Better, stronger security is something that requires the same level of commitment, planning and execution as the bad guys put into their attempts to break into our networks and systems. Make the decision to take action today. Or be prepared to be bankrupted by your inaction.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com