The Minnesota retail giant, Target, is closing 13 stores in January due to declining profits, which follows the closure of 133 Canadian stores and the layoff of approx. 17,000 people around the same time a year ago. But let's recap the late 2013 data breach, which likely did not help the big brand:
• 40 Million credit cards,
• 70 Million personal records,
• 46% drop in profits in 2013 Q4,
• $10 Million in settlements,
• $100 Million in replacement/issuance for banks and credit unions,
• $100 Million in payment terminal upgrades / Chip-and-PIN (which likely would not have prevented the breach anyway),
• No security lead or accountable executive in place, and of course,
• Replacement of CEO and new CISO role within 6 months after breach.
Business model, marketing, culture, etc. have a lot to do with a company's success, but let's focus on the IT Security lessons learned:
• Know your threats, risks, and leverage threat intelligence and improved collaboration,
• Triage capability to know when to ignore noise versus when to address real issues promptly,
• Security must be part of the business equation with security executive level accountability,
• Expeditious communication to respond accordingly (containment, eradication, resiliency) but also transparency and PR for customers and industry,
• Interconnection of networks requires proper segmentation, third-party due diligence, and proper account (de)provisioning,
• Realize liability exposure, for example from banks looking to recoup the cost of card re-issuance,
• No silver bullet: EMV (Europay, MasterCard, Visa) will not solve or prevent all threats,
• Do address the weakest link; your brand depends on it.