Target's IT, security scrutiny could spread

Summary: All companies may have to revisit their IT spending and security practices following the Target data breach. Does anyone really believe that Target was the only company that had lax practices?

Target is under fire from all corners---customers, shareholders and the press---and one side effect is that companies going forward will be itching to show they aren't underinvesting in information technology and security.

The latest pummeling of Target came on Thursday courtesy of a Bloomberg Businessweek report. The gist: Target ignored warnings from security vendor FireEye and allowed a hack to occur that could have been prevented. Forty million accounts were impacted by a data breach and then Target disclosed another 70 million were also at risk.

Businessweek portrays Target as a company that could have stopped the breach without human intervention, but turned a key FireEye feature off.

In a nutshell, Target management is on the firing line. CEO Gregg Steinhafel is facing declining sales, competition from Amazon, the loss of customer trust and multiple miscues. CIO Beth Jacob has resigned and Target plans to replace her and add a chief compliance officer and chief information security officer.

Target's master plan is to restore trust by becoming a model of information security best practices. Target doesn't have a choice, but reports like the one from Businessweek scream "too little too late."

Wall Street analysts seem to be worrying about the costs of Target's newfound security and IT push. Cowen analyst Faye Landes said in a research note:

It is conceivable that the steps that the new CIO, COO and Chief Security Information officer advise will be costly, as many sources have indicated to us that they believe that Target has been underinvesting in IT.

Of course, Target will have to ramp technology and security spending. There's little alternative. Everything Target does will be scrutinized.

In fact, it's not much of a stretch to project that Target's IT spending scrutiny will spread to other publicly held companies. Should Target take a hit due to reputation, falling sales or lawsuits, every company will have to revisit the amount it spends on security and technology.

Does anyone really believe that Target was the worst at IT in the retail sector? Is Target really the only company that failed to heed security warnings?

Overall, this re-evaluation can be healthy---especially since the scrutiny is going to be short-lived. Even Target's woes will blow over at some point.

Until then companies won't want to be viewed as IT spending and security penny pinchers.

Talkback

8 comments
  • One of the corporate problems with security

    One of the problems many companies have with their security program is that those responsible for security and IT audit report up thru the CIO. With pressures to fix systems and roll out new technologies, security and audit suggestions are often viewed as roadblocks to productivity and the pressure from the C level suite to produce is a deterrent to following those suggestions. It's not that someone within the organization doesn't know what best security practices are, but that resources such as time, people and budget cannot be afforded to follow best practices.

    The change in attitude needs to happen at the top so that IT can be comfortable in making security recommendations and changes that can better protect the organization. Budget spend and security / audit organization within the company hierarchy are two of the best ways to attack the issue.
    Compliance_guy
  • More hindsight analysis

    I read the Businessweek article and I'm very skeptical of its conclusions. For one thing, as is the case with a lot of alarm systems, be it for cars or hospital monitors, the FireEye system may have generated too many false alarms, ending with it being turned off or ignored. Target updated its entire IT system over a three year period ending in 2012, from servers to registers, and IT projects of that magnitude statistically are virtually never trouble or glitch-free, but Target seemed to have implemented it well enough to make not just themselves feel good, but a certain vendor as well: http://www.microsoft.com/en-us/news/press/2011/mar11/03-21targetpr.aspx

    Also, Target had a very well-credentialed IT security force, so looking at the overall picture, dubious lawsuits, second-guessing, and "official" investigations aside, I suspect that the real truth is that Target actually had a much better than average security system (if conventional) for a company of its size and type, and that was still no match for the skill level of the better hacking groups these days. And that should be the real takeaway from all this.
    JustCallMeBC
  • of course not

    every organization that runs any version of windows has thrown every ounce of security consciousness to the wind.

    every business that runs windows is screwing their customer. every POS system that collects CC info is compromised if it runs windows. Every ATM can be considered compromised, PERIOD.
    GrabBoyd
    • GrabBoyd take a hike

      Your comment is nothing more than BS. If you are an MS hater don't bother posting, since your comments are worthless. Provide a suitable alternative to MS software, which you can't do.
      rollguy
  • Meaning

    I suspect that Target, like all very large organizations, was uneven in its approach to IT security. Some areas are excellent and others are poor. Target is ultimately responsible, but how much of the blame is internal to Target (bad system design, bad internal practices, refusal to spend money, etc.) and how much is external, to manufacturers and consultants (poor software design, undocumented access points, badly thought installation wizards/instructions, etc.)? Often device manufacturers assume the person actually installing the device is extremely knowledgeable about proper network settings. In reality, the installer may be an electrician, for example, who is not knowledgeable about computer network settings. Also, when retrofitting a building it is well known the design drawings have errors and often the installers have to generate "as built" drawings showing what they think is the proper location of wiring and piping. So in a store retrofit it is possible for someone to miswire something, get it working (sort of), and never know they inadvertently created a security hole.
    Linux_Lurker
    • Lurker is off course

      Linux_Lurker, what you posted has nothing to do with the Target breach. It was not caused by electrical drawings and modifications, or cable wiring. Hardware did not create the security hole, it was misuse of good software. The software itself did detect the breach, but it was overlooked. Human error.
      rollguy
  • At Least Target has a Strategy

    a week one but it is better than the food cart that's now accepting cards on a "smart" phone or apple device.
    Richardbz
    • WTF are you posting???

      Scatcatpdx, your post makes no sense. So you think Target has a week plan, instead of a permanent one? How about a weak one...however it was not a weak plan, it just wasn't administered properly. What's with the food card and smart phone comment?
      rollguy