Dont put your head in the sand

Tuesday, 01 July 2014

John M Green photo
John M Green

    If Target’s a target, what about you? John M Green reveals why you cannot miss the mark on cyber-security.

    Is cyber-risk real and serious or a brilliant marketing scam by a new breed of pricey expert consultants keen to pick our corporate pockets? After featuring cyber-risk in this column several times, talking to numerous business groups, writing a book about it – although a thriller, it’s not totally a flight of fantasy – my sense is that Australian directorland is divided. Some see cyber-risk as an existential threat while others resent shelling out money on what they suspect is a consultant’s picnic.

    Before you step irrevocably into the sceptic camp, put yourself into the painful shoes of US retail chain Target Corporation, whose retail dreamtime last Christmas turned out to be a cyber-nightmare.

    In November, cyber-criminals installed a malware in Target’s payments system, a “RAM scraper” that stole credit and debit card data from point of sale (PoS) devices across its 1,800 US stores. As employees swiped shoppers’ payment cards, the malicious payload captured the card details, storing them for later pickup on a Target server the bad guys had also commandeered.

    (For non-technical readers, the payment card industry has a set of data security standards requiring end-to-end encryption of customer data when it’s transmitted, received or stored. But this data gets decrypted in the PoS’s random access memory (RAM) for processing, and that’s where a RAM scraper strikes.)

    By the time Target discovered the hack, card numbers and confidential personal information of 70 million Target customers had been compromised. Sure, that’s Australia’s entire population more than three times over, but it’s just their data, so who could get too upset about that?

    Well, Target has been hit with lawsuits for negligence and compensation. It’s spent over US$60 million responding to the breach. Its Christmas quarter sales plummeted 46 per cent. It laid off 475 employees and its market capitalisation swan-dived 20 per cent or by around US$8 billion.

    That’s seriously “lower prices”.

    But Target was no cyber-sceptic. It had installed FireEye, a state-of-the-art malware detection tool that the CIA and the Pentagon also use, and it had created a round-the-clock computer security team in Bangalore. On top of that, inside its Minneapolis headquarters, it had a security operations centre (SOC) monitoring the company’s IT infrastructure all around the country.

    So why didn’t the whiz-bang software and the 24/7 Indian whiz-kids discover the data breach in time? Actually they did. FireEye picked up the hack on 30 November and rang the alarm bells. Bangalore heard them and immediately alerted the SOC in Minneapolis.

    What did the Target’s SOC do? According to Target, it “evaluated and acted upon [the alert but] determined it did not warrant immediate follow-up”.

    Then, as pathetically as if England’s last Test captain had said: “We’re checking whether, if Australia hadn’t won, they might have lost”, the Target spokeperson continued: “With the benefit of hindsight, we’re investigating whether, if different judgements had been made, the outcome may have been different.” Right.

    How then did Target discover the breach? It didn’t. Big Brother did. On 12 December, two weeks after the SOC “evaluated” and dismissed the alert, the US Department of Justice called up, advising Target it had noticed the suspicious activity. Who says government is good for nothing?

    Now fast forward to May, when Target announced that “after extensive discussions”, its CEO (also its chairman and president) was stepping down, after holding himself personally accountable for the data breach. That’s a big head on a big chopping block, especially when it’s a 35-year Target veteran on a US$21 million paypacket.

    Yet Target had invested big-time in systems and facilities. Its board and management would have taken comfort from FireEye and they probably would have been impressed on visits to Bangalore and the Minneapolis SOC.

    But whammo! A small error of human judgement and the CEO plus 475 other employees lose their jobs, shareholders lose billions, customers lose we don’t know how much and the company’s reputation plummets to the shop floor.

    Could your company become a Target? Or is it already one but, like Target, you’ll only find out when someone outside the company tells you?

    Last month’s column noted how companies globally have been readjusting their perspectives on risk, as shown in the 2014 Excellence in Risk Management Survey from Marsh & McLennan/Risk and Insurance Management Society.

    A surprise in that poll was the wide divergence of opinion about cyber-risk held by CEOs versus chief risk officers. 

    Risk officers ranked cyber as their number one risk (up from a low 12th in the 2013 survey). But for CEOs, it didn’t even make their Top 10, ranking only as their 12th risk (though up from 26 in 2013’s survey).

    CEOs are either reflecting the cyber-risk scepticism scattered among Australia’s corporate scene or they are the cause of it.
    But this poll was taken before Target’s CEO got fired over a cyber-debacle. So many of those other CEOs might be thinking quite differently today.

    Twitter @john_m_green

    Latest news

    This is of of your complimentary pieces of content

    This is exclusive content.

    You have reached your limit for guest contents. The content you are trying to access is exclusive for AICD members. Please become a member for unlimited access.