Since the Target breach of 2013, security accountability has been a hot topic of conversation among the C-Suite worldwide. For years prior the Target breach, the mindset was “that’s not my problem because it’s below me,” or in other words, the responsibility belongs to employees within the IT Department, the HR Department, or the Marketing Department. The C-Suite players only cared about fiduciary responsibility, market share, and not driving the business into the ground. These may be harsh words, but they reflect reality.
Unfortunately, there are too many CEO’s and CFO’s who have never given security, and to be more precise, information security, or infosec for short, a second thought.
According to a cybersecurity survey by BAE Systems, “More than 90 percent of executives cannot read, interpret, or understand a security report. Moreover, the most worrisome news is that 40 percent of these executives said they actually don’t feel responsible for the repercussions of cyberattacks.”
Then the Target data breach happened. After the breach, Target’s profits plummeted by 46 percent, and according to Forbes, customers left Target in droves. Following the Target breach, the C-Suite discussion about data breach prevention, hack attacks, and infosecurity has changed. Now, every C-Suite executive knows what can happen if their company is hacked. You might think that by knowing what can happen would be the end of the C-Suite discussion, that everything would be right with the world, except for one small problem.
There’s something known as third-party vendors! A company can have the best policies and procedures in place, but as the saying goes, you are only as strong as your weakest link, or in this case, vendor.
Here’s a case in point: Target was breached through a vendor that was breached first.The hackers broke into Target’s network using login credentials stolen from a heating, ventilation, and air conditioning company that performed work for Target. The hacker was able to gain access to Target’s point-of-service (POS) system due the retailer’s failure to properly segregate systems, i.e., the system that handled sensitive payment data should have been segregated from the rest of Target’s network. If the first breach had not happened, then the secondary breach into Target’s customer data would not have occurred – at least not via this route.
A major responsibility for most C-Suites as a group is to dictate policy, but there are times when something will be overlooked when drafting policy and procedure manuals. How often are other departments included in drafting policy and procedure manuals? If other departments, such as IT, Marketing, and HR, were included, there might be a lower likelihood of important issues being overlooked.
In this tech era where change happens overnight, all organizations should consider adding the expertise of these internal departments. Think back to Target’s breach – perhaps the issue of external vendors would have been raised before the breach happened. When Target’s breach happened, a third-party breach was not on our radar, but thanks to extranets and automation, vendors that get access to corporate extranets are now soft targets for hackers. The smaller the company, the less likely they will have the discipline or even the time to train all their employees on the security hygiene required to prevent attacks like the one on Target.
Now is the time that each and every member of the C-Suite must think about protecting their businesses while simultaneously partnering with the companies they hire to ask about their security protocols. In addition, security must be part of every business initiative, not an afterthought. You don’t want your business to become a target, or worse, the next Target!