I was interviewed on the air about the event and hinted that I would have expected other chains to come forward. This was a straightforward skimming attack scaled to enormous proportions, but there's no reason it should be limited to just Target. Hours later, Neiman Marcus, a chain based in Texas, announced that it too had been breached. 24 hours later, Reuters trumpeted the existence of at least 3 more retailers that were in the same boat but whose identities were not disclosed.
In a press release and radio interviews, I outlined the benefits of scrutinizing statements and setting up credit monitoring for individuals. Businesses however stand to benefit from having proper security in place. Cameras should monitor all activity around point-of-sale terminals and physical access must be enforced with due care. Customers will likely continue to be victimized for a long time and one of the ways is through phishing (as I wrote in an article called "Millions of Target customers should expect a surprise in their inboxes"). In instances like the Target breach where the malware is installed remotely, controlled centrally and deployed en masse, reliance on anti-malware will not save the day. No self-respecting hacker will ever launch an attack without testing its code against all of the top detection tools. Once tested in a controlled environment against systems of varying resistance to infection, the perpetrator has to eventually ship it. Those attacks can only be thwarted by layered defenses working effectively to block, detect and react to attacks. It can be done ad-hoc, just not well. For that, retailers will need to up their game and adopt standardized controls and secure processes.
But what will really make a difference is the adoption of PCI-DSS 3.0 (and EMV, but I'm already most Canadian retailers are already using chip-and-pin technology.). The updated industry standard clarifies security best practices and helps organizations apply defense-in-depth for layered protection from the ground up. By following its guidance, companies of all sizes can protect:
- their payment devices against tampering
- monitor systems and premises using video cameras
- implement technologies to detect and monitor all suspicious activity
Numerous other best practices are specifically laid out, but the dirty little secret of the industry is that up to 36% don't know how they're doing and of those that have gone through an audit, it may have provided insufficient learning or inadequate assessment, leading to a false sense of security.
Target had such a false sense of security and it passed it on to its customers (or 'guests' as it calls them). The oversight will amount to a drop of 2.5%-to-6% in sales for the critical holiday season. But it hopefully taught the company a valuable lesson: don't rest on your laurels. Test your security continuously if you want to have a chance to keep up with the bad guys.