Steinhafel had a long and loyal career with the retailer, spanning 35 years, but ‘stepped down’ from his position following the data breach that occurred between late November and mid-December of 2013. The breach severely affected Target’s reputation among customers and derailed the business. This came following the earlier news that Target’s Chief Information Officer Beth Jacob had also resigned because of the same security breach.
Target was the subject of a data hack at its bricks-and-mortar stores in the US. As many as 40m customers saw their credit and debit cards become subject to potential fraud after malware was introduced to the POS system in almost 1,800 stores.
Target said in its annual report of March 2014 that the breach had spawned dozens of legal actions and that it could not estimate how big the final financial tab was likely to be, or how long it would take to settle. It also acknowledged separately that, while security software picked up on suspicious activity after the cyber-attack was launched, the company decided not to take immediate action because it believed the activity did not warrant immediate follow-up. Hindsight is a wonderful thing.
The fallout from a business perspective to Target’s reputation is immeasurable. Sales, profit and stock all suffered and shares are down over three per cent since the breach was disclosed, showing the impact that a data breach can have on the business and its people – from a professional, reputational and financial perspective.
It also confirms my belief that critical information protection within the organisation is no longer the sole responsibility of the IT department but is very much a boardroom issue. Understanding the value of your critical information and creating a strategy for the appropriate management of it should be a level one priority for businesses. It’s not a case of ‘if’, but ‘when’ a breach will happen. And when it does, every possible step needs to be taken to ensure the least possible damage in its aftermath.
Understanding that there is a high likelihood of a future problem when it comes to information security, then putting the correct plan in place to deal with it, is simply appropriate corporate governance. Disaster recovery and business continuity plans are all about how to deal with critical incidents albeit usually physical events. Cyber-attacks can, in some ways, be more harmful and yet most organisations are not fully equipped to deal with them.
It is also imperative that businesses look at their internal security protection and information governance policies. Organisations have to be aware of internal security threats – our research ‘The Enemy Within’ reported that 58 per cent of data security incidents come from across the extended enterprise – there are more cyber security challenges from within than without. And EU fines are on the way, meaning that companies could be fined five per cent of their global turnover in the event of a serious data breach. For many organisations, five per cent could turn into a ‘company killer’ amount of money, from which there would be no return – other than being sold. So, if you don’t have your critical information secure within your business, now is the time to do it and get serious about security, or risk the inevitable fallout.
Heath Davies is Chief Executive of Clearswift.