In mid-November last year, the retail giant Target experienced a security breach where customers’ credit card information was stolen. At first it was thought that 40 million users had been affected but by January 2014, those numbers skyrocketed to a stunning 100 million.
What emerged was the story of hackers who had appeared as “the good guys” in order to harvest as much information as they could from Target’s network. Not only did they steal sales data, but names, email addresses, home addresses and phone numbers.
And they didn’t just hit the network once. Data was harvested almost daily over the course of several weeks. Malicious software was installed on Target’s point-of-sale (POS) devices located at the checkout point. But the hackers also made use of Port 80, the port normally used for web browsing (HTTP) traffic.
The hackers used this port as a way to bypass software firewalls and roam freely within the network. As you can imagine, this is every IT department’s worst nightmare.
George Photakis, a former CIO of Anchor Hocking, said, “A big problem with the Target breach was that customer credit card information was stored on their servers. Which is amazing.” Photakis added that most companies use a third-party credit card administrator and it is the administrator that verifies the credit card information in order to prove it’s a valid transaction.
He added, “Most companies only store the verification codes and the third-party administrators keep the confidential account information. I can’t believe that a company as large as Target would not do this. I’ve never seen anything like it.”
It’s not just larger organizations that are at risk. According to Verizon’s Data Breach Investigation Report 2013, 75% of security breaches happen to small businesses.
What could Target have done to prevent this massive security breach? And more importantly, what can you do?
1. Employee awareness: It is extremely important to have an ongoing security education program for your employees that trains them to use strong passwords and to avoid dangerous links, phishing emails, and attachments that may contain malware.
Your employees are like a virtual firewall. Unfortunately, they can also often be manipulated by a hacker. The adage, “trust but verify” is vital to remember. Many times a hacker will call an employee and appear as a fellow worker or person of authority. Very often, an employee will too easily trust someone and give them sensitive information, such as a password, in order to “help” someone. Only a consistent training program will remind employees that it is imperative to keep such information secure by never sharing it with someone whose identity they can’t verify.
2. Know your data and limit access: Another important step is to know exactly who has access to confidential data. Access credentials should be limited to the people who need them. Your employees should know where confidential data is stored and that it’s in a secure location. Keep a record of the employees who have access.
Also, if you plan on terminating an employee, it is wise to limit their access before the termination occurs to prevent insider threats, where a disgruntled employee takes advantage of their access codes in order to damage the network.
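Steps 2 and the termination advice above boil down to two routine checks: produce a record of who currently holds access to each confidential store, and flag anyone with a scheduled departure who still holds that access so it can be revoked before the termination date. The script below is an added example, not code from the original article; the data-store inventory, the access list and the HR termination feed are all constructed sample values, and the function and variable names are my own.

```python
"""Access review and pre-termination de-provisioning check.

Added example, not from the original article. All inventory, access-list and
HR data below are constructed sample values standing in for exports from a
real directory, database or HR system.
"""
from datetime import date

# Constructed inventory: confidential data stores and where each one lives.
CONFIDENTIAL_STORES = {
    "payments-db": "locked rack, server room A",
    "hr-files": "encrypted share on the finance NAS",
}

# Constructed access list: (store, user, role). "wiki" is not confidential and
# is deliberately excluded from the review.
ACCESS = [
    ("payments-db", "alice", "dba"),
    ("payments-db", "bob", "analyst"),
    ("hr-files", "carol", "hr"),
    ("hr-files", "bob", "reader"),
    ("wiki", "dave", "editor"),
]

# Constructed HR feed: planned termination dates (ISO format).
TERMINATIONS = {"bob": "2024-03-15"}


def access_record(access=ACCESS, stores=CONFIDENTIAL_STORES):
    """Return {store: sorted unique users} for the confidential stores only.

    This is the written record of who can reach sensitive data; regenerate it
    on a schedule and diff it against the previous run to spot new grants.
    """
    record = {store: set() for store in stores}
    for store, user, _role in access:
        if store in record:
            record[store].add(user)
    return {store: sorted(users) for store, users in record.items()}


def pending_revocations(today, access=ACCESS, stores=CONFIDENTIAL_STORES,
                        terminations=TERMINATIONS, lead_days=7):
    """List (user, store, role, days_left) for leavers who still hold access.

    A user is flagged when their termination date is within `lead_days` of
    `today` (or already past) and they still appear on a confidential store.
    `today` is an ISO date string so the check is easy to run from a cron job.
    """
    today_d = date.fromisoformat(today)
    flagged = []
    for store, user, role in access:
        if store not in stores or user not in terminations:
            continue
        days_left = (date.fromisoformat(terminations[user]) - today_d).days
        if days_left <= lead_days:
            flagged.append((user, store, role, days_left))
    return sorted(flagged)


def report(today):
    """Human-readable summary combining both checks."""
    lines = ["Access record:"]
    for store, users in access_record().items():
        lines.append(f"  {store} ({CONFIDENTIAL_STORES[store]}): {', '.join(users)}")
    lines.append("Revoke before departure:")
    for user, store, role, days in pending_revocations(today):
        lines.append(f"  {user} still has '{role}' on {store}, leaves in {days} day(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("2024-03-10"))
```

Run it with the departure feed from HR a week or two ahead of each leaver's last day; anything it flags is access that should be cut before, not after, the termination meeting.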
3. Track laptops and mobile devices: Employees often forget the risk they take when transporting company electronics such as laptops and tablets. You should keep a record of all the devices your employees use and verify their whereabouts at all times. This is another opportunity to train your employees to secure your company’s confidential data by requiring a frequently updated tracking report as a means to prevent potential data breaches. There have been many times when an employee carelessly left a company laptop in their car and it was stolen. Use security tokens to ensure that only those with the right credentials are able to access sensitive data.
4. Keep your office and work areas secure: Your servers should be in a secure area with limited traffic. Locked doors or keypad entries will help limit the number of employees who can access your physical assets. Many hackers have pretended to be service personnel in order to get past a company’s gatekeepers, such as the reception desk. Train your employees to always be on the lookout for an unfamiliar face or for someone who doesn’t look like they belong in the area.
5. Defend and protect your website: Install anti-virus software on all of your servers and demonstrate that you are trustworthy by using trustmarks on your website. Make sure your employees are trained to recognize an alert and have a standard procedure for contacting the IT department if a threat is detected. Some software can work in the background of the end user’s desktop so that the user is not alerted and the system administrator receives the notification instead. As a result, employees aren’t panicked and the number of help desk calls can decrease.
6. Develop strong security policies: Many businesses don’t think about security plans until a breach happens. That is a time when clear heads are needed, but instead confusion reigns as personnel spend precious time figuring out who to call. A business should develop a well-planned policy that covers device use and the proper way to dispose of sensitive information. When it’s time to retire devices from your company’s inventory, you need to wipe them clean. Make sure to reformat hard drives or USB keys before getting rid of them. Also have paper shredders available so employees can safely dispose of any sensitive documents. Some companies call a professional shredding company that brings a vehicle out to shred papers on-site.
7. Eliminate insider threats: You can minimize risk by running a thorough background check on employee candidates before you hire them. Pay particular attention to any accounts of someone being disgruntled and taking any opportunity to retaliate against a former employer. It’s difficult to foresee every potential threat, but the more areas of concern you can uncover in a potential hire, the better.
Taking these steps will help you greatly reduce your risks of losing sensitive data. To go deeper with your security, look into partnering with an information security vendor who understands your business. They will be able to reveal areas of vulnerability you may have missed.
Remember, it’s not just your data you’re protecting. It’s your reputation. More customers and clients are concerned about their sensitive data remaining secure. Because if you lose their confidential information, you’ve lost their trust.
And that’s hard to regain, once you’ve become a “Target.”