Target disclosed earlier today that it experienced a major security breach that could compromise upwards of 40 million credit card and debit card accounts. Between November 27 and December 15, cybercriminals appear to have broken through the data protection measures in the company’s point-of-sale systems across the entire retail chain, with the exception of its online catalog operations. With access to Target customers’ PIN information, thieves could withdraw money from customers’ accounts through an ATM, make unauthorized online purchases or create counterfeit credit cards.
The Target breach is just the latest in a series of publicized security lapses, which includes such well-known players as Barnes & Noble, TJX (parent company of T.J. Maxx and Marshalls), Sony and Adobe. While the size and scope of the crime involving one of North America’s largest retailers seem noteworthy, it is actually quite small when compared to the total number of IT security breaches expected by the end of this year. More than 705 million records had already been compromised in the U.S. in 2013 prior to Target’s disclosure, according to the Data Loss DB Open Security Foundation. That total includes four of the top ten worst cases on record.
Small- to medium-sized businesses (SMBs) often experience the same network and data security lapses as these much larger companies, but those lapses and their consequences rarely make the news. For example, Verizon’s Data Breach Investigations Report indicates that SMBs (companies with fewer than 1,000 employees) were responsible for more than 40 percent of data breaches in 2012. While the breaches may have occurred at smaller organizations, the impact on customers and businesses wasn’t diminished.
Because they often involve credit card information, retailers’ data breaches receive the most attention. But other industries are just as vulnerable to hackers and identity thieves. The Target breach should highlight the need to secure all organizational data and business systems, ensuring that customer, employee and company information is adequately protected. The solution requires improvements and changes to the way businesses collect, store and handle information.
Many SMBs continue to use outdated programs that have not been updated with the latest security measures. But outdated technology is only part of the problem. Employees may accidentally or intentionally fail to follow required security processes, or their employer may have failed to educate them properly on the correct procedures.
These are common discussion points in our CompTIA IT Security community, which includes technology business professionals who collaborate and develop initiatives that address a variety of industry-related issues. Several members of our executive board discussed the Target breach and concerns over the growing number of these incidents. Here are a few ideas the business community can use to better address the problem:
- Companies should improve basic network and data security education for employees. Improved education will help employees follow safe procedures when accessing and handling company or client information.
- Companies should develop policies for the acceptable use of computing resources. Every organization should have procedures in place to ensure that information is properly protected. If a business outsources its IT systems support, it must ensure that its provider is following industry best practices.
- Companies should ensure that their IT solution providers have industry-recognized credentials such as the CompTIA Security Trustmark, or professional accreditations for network and data security.
- Companies should advocate that Congress pass a national breach notification law establishing a standard rule, making it easier for businesses to know what to do in the event of a breach and ensuring that consumers receive equal protection anywhere in the U.S.
CompTIA offers a wealth of compliance information, professional certifications and IT provider business education programs to help improve knowledge and skills around IT security. Companies don’t have to be CompTIA members to get access to any of these valuable resources or to join our IT Security community. Want to learn more about CompTIA and our group? Contact Lisa Person at [email protected].
Scott Barlow is vice president of sales and marketing at Reflexion Networks and chair of the CompTIA IT Security community.