Case Study 1: Cyber Security in Business Organizations
Protecting organizational assets and information within the company has become a top priority for many corporate leaders. In this case study, we will review the article titled “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It” and try to answer the various questions proposed by the professor.
Fundamental organizational challenges faced in protecting assets and information.
It is no simple task to determine the issues and roadblocks that an organization faces when protecting data. No two companies are the same, and no two store or try to protect the same types of assets and information. For example, in the banking industry the worry is protecting personal and sensitive information, as well as the financial assets of a customer. In the health industry, the primary concern is to safeguard sensitive information about patient medical history, as well as sensitive personal information.
There are multiple federal laws that protect and regulate the use of personal private information. These rules cover the classes of privacy, who has the right to access it, how it is stored and shared, and more importantly, who is liable in the case of a data breach. Laws like the Children’s Online Privacy Protection Act (1998), the Fair Credit Reporting Act (2003), the Privacy Act of 1974, the Health Insurance Portability & Accountability Act (1996) and the Safe Harbor Data Privacy Framework (2000), are just a few examples of how the Federal Government tries to regulate the protection of data.
The need to protect information stems from three key factors that are growing with the evolution of technology.
- The data is available: If it is out there, someone will most likely try to get it illegally. There is no simple solution to this, since the information needs to be gathered to receive services in the different industries. For example, a bank requires social security numbers (SSN), date of birth and income information in order to process a credit application. The IRS requires your marital status, SSN and all your personal information to determine if you are paying your taxes and not committing fraud. In the hospital, sensitive information is necessary to determine insurability for a patient.
- The data needs to be shared: Whoever gathers the information will need to share it at some point, and in some cases it is even sold. Sharing data is required, for example, in the federal government: information gathered in a Census or by the IRS on the tax return might be of use to agencies that provide services such as Food Stamps, insurance eligibility, and many others.
- The data is accessed easily: With the use of simple search engines, you can get personal information from the web. People can pull credit card statements out of the trash, or even steal the actual credit card or asset they are looking to obtain. More experienced hackers use simple techniques like phishing and spamming.
We now know that the Federal government requires the information and assets to be protected, but we also know that data is vulnerable to being hacked or stolen because of the factors we mentioned. But how do companies protect it? How can they assure us, the consumers, that our data is protected? All this takes us to the main challenges of protecting data. The Infosecurity Europe 2014 Industry Report ranks the top four as follows: end-user ignorance (26%), legacy IT systems (16%), a lack of executive sponsorship for policies (14%) and end-users refusing to comply with policies (14%).
The fact that 3 out of the 4 top concerns or challenges are on the human dimension supports my premise that the most critical part of data security is the human level. No matter how secure a system is, or how efficient a malware protection or antivirus software is, if the human dimension is not fine-tuned to be effective, data breaches will always occur. Users or consumers have to be aware that their information is shared; they need to be protective of it at all costs. It is alarming how easily someone can be tricked into providing an SSN, phone number, address, credit card information, and much more over the phone with some simple impersonation tricks.
If users are aware, they need to comply with safety procedures and policies, and they cannot complain when stronger passwords are required, or when they are asked confirmation questions for security reasons. When data breaches occur, consumers are alarmed at how easily the data was gathered, but they do not realize that some of the information was willingly given by them when it was not needed. The last key human level is corporate sponsorship for policies. Executives need to be aware and supportive of IT security protection procedures and regulations. Not only do they need to be aware, they should also be involved in planning and developing them. At the end of the day, the buck stops with them. They are the face of the organization, and they will be the ones held accountable.
Did Target overlook or ignore the red flag(s)?
According to the article, Target was prepared for this type of attack. The security was designed to work as follows: a malware detection tool made by FireEye was installed on their system; this tool was monitored by security specialists around the clock; and if this team noticed anything suspicious, Target’s security operations center in Minneapolis would be notified. When hackers installed the software to steal the credit cards and were ready to move the data outside the servers, FireEye spotted them; the security team got an alert and flagged the security team in Minneapolis. It was the first and biggest red flag Target overlooked or, to state it better, ignored. Why Target ignored this notification is a question that will follow them in the aftermath of this breach forever. Whether it was because the team of specialists did not trust the newly installed system, or because the group believed that the multimillion-dollar software was simply unbeatable, the fact of the matter is that this occurred because of the human level. FireEye could have stopped the attack without human intervention, but the security team had this function turned off.
Actions that Target took after the breach occurred
Every firm should have a data security plan. The basic premises to design and maintain one are as follows: (1) know what sensitive information the firm has; (2) keep only the sensitive information necessary; (3) protect the information that is retained; (4) properly destroy information no longer needed; and (5) develop a response plan in the event of a security breach. Target was prepared for such a breach, and its security plan was put in place before the attack. In fact, it was even certified by agencies as meeting security standards for the payment card industry (PCI). But if we take a moment to look at the fifth premise presented, we can state that Target did not respond efficiently once the attack was detected. The fact that the security team ignored alerts that an attack was under way speaks volumes about their ineffectiveness in responding to the data breach. The steps that Target had to take after the breach were purely to remediate its effects and to be in compliance with the law. They had to offer to repay consumers for any fraudulent charges that were related to the data breach. It was more a measure to regain consumer trust in their system. Whether it worked remains to be seen, since its reported drop in sales of 46 percent is record-setting for them in comparison to previous years.
As stated before in this research, the reasons why the attack occurred are ambiguous. Target is a multimillion-dollar organization that stores sensitive information from consumers; it stores social security numbers, credit card information, bank accounts and much more, and this puts a big bull’s-eye mark on them to be the “target” of these attacks. This is a bit ironic if we consider the name and logo of the company. As long as there are firms and organizations storing sensitive information wanted by hackers, these attacks are going to occur. Where Target failed miserably was in its response once the attack was detected. It was not until the Federal government warned them of an attack that they took action in eradicating the malware and confirming the breach. Both the infrastructure and the recovery plan were in place. But the efficiency of the security team was weak, and they failed to act according to the plan that was in place.