The size of Target’s infamous data theft is unprecedented, and it was probably preventable. Whether Target might survive this gaffe is a debatable point. Many customers say they’ll never shop there again, but Target is huge and has enormous resources. What about mid-sized and smaller retailers? Could your business survive a data breach disaster like that?
Experian says that 60 percent of small businesses that have suffered a data breach go out of business within six months, so mitigating risk in cyber security is about more than reducing downtime and keeping data secure – it’s about keeping your business in business. The steps you take to protect your customers’ data now can keep you from being on the wrong side of business failure statistics.
To that end, I want to help you understand what happened during the data theft at Target and what you can do to make sure it doesn’t happen to your company.
Gizmodo tells us that when authorities finally tracked down the source of Target’s data theft, of all people, the HVAC guy was the weakest link. The unassuming gentleman who logs on to check the functioning of the company’s heating and cooling systems also had access to the company’s point of sale (POS) systems. Thieves stole his login data to get access to Target’s systems.
You might be thinking, “Why on earth would the HVAC guy need to access the POS system?” And you’d be asking a smart question, because he clearly does not need access. But other vendors like him do. Consider the security vendor who needs access to camera footage, door locks, and register transactions. Then there’s the energy efficiency vendor who uses different types of software to make all the company’s systems, including POS, hog less electricity.
All of these vendors worked under a single system, designed to handle all outside vendors. Developing a single, less secure system was surely cheaper than paying coders to create separate systems tailored for each level of access.
It seems that Target failed to properly weigh the cost savings in a vendor-wide system against the likelihood of a data theft event or its enormous financial consequences. To make matters worse, CBS reports that Target noticed something fishy going on in its POS system before the main breach, but made a bad judgment call when they decided it wasn’t worth following up. Someone was asleep at the wheel.
Shoppers Ditching Target over Data Theft
Oh, the Irony!
There’s more irony here than you know, since Target was at the forefront of credit card security 10 years ago. American Banker points out that from 2001 to 2004, Target worked closely with Visa to push EMV, more often called “chip and PIN” credit card technology, widely used in Europe. This technology has cut data theft in Europe by more than 70 percent. Unfortunately, there was little industry support back then, and the company’s efforts fell by the wayside.
The Target data breach has brought a renewed interest in this technology, and we’re likely to see it adopted nationwide by 2015. But don’t think this technology alone will protect you. Although chip-and-PIN technology uses encryption to stop data theft at many points, Information Week says the data is unencrypted within the POS system, which is exactly where the thieves focused their attack.
3 Steps to Keep Your Business Information Safe
1. Protecting Your Business
So what can you do to protect customers’ financial information from data theft? First off, follow the rules. Maybe the thieves would have been thwarted had Target been using the two-step security protocols required by law. The thieves tested their software before the main attack, so maybe they would have found a way around that security, too, but you can at least sleep better knowing you did what you could to prevent unauthorized access to customer financial information.
2. Watch Your Vendors
If your company outsources services to save money, make sure your service agreements include security requirements. The agreement should transfer the risk of vendor errors to the vendor: if the vendor is to blame for a security breach, the vendor ought to accept the financial consequences.
Make sure the necessary security measures are clearly spelled out in the service agreement and allow for regular inspections so your IT security staff can monitor and verify the vendor’s compliance. These measures will strongly encourage vendors to be more vigilant about security. This could also mean you’ll have to terminate relationships with vendors that don’t want to work this way, which will be tough, but worthwhile.
3. Invest in IT Security
Unfortunately, the only way to be sure your company is protected from data theft is to invest in IT security. When you weigh the cost against the risk, investing in IT security is much cheaper than paying for a data breach. In fact, USA Today says this little faux pas cost Target $61 million. The following security measures are worth the investment, and they won’t cost you millions:
Keep separate systems for each type of vendor, allowing access only to immediately necessary systems.
Allow POS access to a select few, who can provide information upon request to other departments that need the information.
Treat every irregular activity in your POS system as a serious breach.
Dedicate a human resource budget to IT security personnel who can oversee your IT security program, both internally and among your vendors.
Have proper information backup systems in place to help track and trace the source of breaches.
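The first three measures above (separate systems per vendor type, POS access for a select few, and every irregular POS activity treated as a breach) can be expressed as a small access policy and a check run over the access log. The following Python is an added illustration written for this article; it is not Target’s, Quorum’s or any vendor’s code, and the vendor types, system names, account names and log lines are all constructed for the example.

```python
"""Vendor least-privilege policy check with detection of out-of-policy POS access.

Added illustration for the "separate systems per vendor / POS access for a select
few / treat every irregular POS activity as a breach" measures. Not Target's,
Quorum's or any vendor's code: roles, system names, accounts and log lines are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Each vendor type is granted only the systems it immediately needs (constructed policy).
VENDOR_POLICY: Dict[str, FrozenSet[str]] = {
    "hvac": frozenset({"building_controls"}),
    "security": frozenset({"cameras", "door_locks", "register_events"}),
    "energy": frozenset({"building_controls", "pos_power_mgmt"}),
}

# The POS system itself is reachable only by an explicit, short list of internal
# accounts; no vendor type is ever granted it (constructed list).
POS_ADMINS: FrozenSet[str] = frozenset({"alice.finance", "bob.itsec"})


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    account: str
    role: str      # "internal" or "vendor:<type>"
    system: str
    action: str


def parse_line(line: str) -> AccessEvent:
    """Parse one space-separated access log line (constructed format)."""
    timestamp, account, role, system, action = line.split()
    return AccessEvent(timestamp, account, role, system, action)


def is_allowed(event: AccessEvent) -> bool:
    """Decide whether the access matches policy."""
    if event.system == "pos":
        # POS is a named-accounts system: no role grants it, only the admin list does.
        return event.account in POS_ADMINS
    if event.role.startswith("vendor:"):
        vendor_type = event.role.split(":", 1)[1]
        return event.system in VENDOR_POLICY.get(vendor_type, frozenset())
    # Internal, non-POS access is governed by other controls; assumed allowed here.
    return True


def triage(log_lines: List[str]) -> List[dict]:
    """Return one alert per out-of-policy event.

    Any touch of the POS system outside the admin list is rated 'critical'
    regardless of the action, because the advice is to treat every irregular POS
    activity as a serious breach rather than wait for a confirmed data pull.
    Other vendor policy violations are rated 'high'.
    """
    alerts = []
    for line in log_lines:
        event = parse_line(line)
        if is_allowed(event):
            continue
        severity = "critical" if event.system == "pos" else "high"
        alerts.append({
            "severity": severity,
            "account": event.account,
            "role": event.role,
            "system": event.system,
            "action": event.action,
            "timestamp": event.timestamp,
        })
    return alerts


def violations_by_account(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts per account so a repeat offender stands out for review."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["account"]] = counts.get(alert["account"], 0) + 1
    return counts


# Constructed sample log: an HVAC vendor account drifting into the POS system, plus an
# energy vendor reading a system outside its grant.
SAMPLE_LOG = [
    "2014-01-01T02:14:07Z hvac-svc vendor:hvac building_controls read",
    "2014-01-01T02:15:11Z hvac-svc vendor:hvac pos login",
    "2014-01-01T02:16:40Z hvac-svc vendor:hvac pos upload",
    "2014-01-01T09:00:03Z alice.finance internal pos read",
    "2014-01-01T09:05:22Z sec-cam vendor:security cameras read",
    "2014-01-01T09:06:00Z sec-cam vendor:security register_events read",
    "2014-01-01T09:07:14Z energy-svc vendor:energy pos_power_mgmt write",
    "2014-01-01T10:30:00Z energy-svc vendor:energy cameras read",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for alert in found:
        print(f"[{alert['severity']}] {alert['timestamp']} {alert['account']} "
              f"({alert['role']}) {alert['action']} on {alert['system']}")
    print("per-account:", violations_by_account(found))
```

Run as a script, it reports the two POS touches by the HVAC account as critical and the energy vendor’s camera read as high. The design point is that POS access is granted to named accounts, never to a vendor role, so a stolen vendor credential cannot reach the POS system by virtue of its role, and any attempt to do so is itself the alert.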
As a leading provider of advanced automated data backup systems, Quorum can make it easier for you to keep an efficient, secure, and reliable data storage and disaster recovery system in place. Click here to request a quote online.
Posted on 03/25/2014 at 12:00:00 AM