The Informatica blog - Authored by Claudiu Popa

Could Better Security Compliance Have Helped Target Avoid a Breach?

I was interviewed on the air about the event and hinted that I would have expected other chains to come forward. This was a straightforward skimming attack scaled to enormous proportions, but there's no reason it should be limited to just Target. Hours later, Neiman Marcus, a chain based in Texas, announced that it too had been breached. 24 hours later, Reuters trumpeted the existence of at least 3 more retailers that were in the same boat but whose identities were not disclosed.
 
In a press release and radio interviews, I outlined the benefits of scrutinizing statements and setting up credit monitoring for individuals. Businesses, however, stand to benefit from having proper security in place. Cameras should monitor all activity around point-of-sale terminals, and physical access must be enforced with due care. Customers will likely continue to be victimized for a long time, and one of the ways is through phishing (as I wrote in an article called "Millions of Target customers should expect a surprise in their inboxes"). In instances like the Target breach, where the malware is installed remotely, controlled centrally and deployed en masse, reliance on anti-malware will not save the day. No self-respecting hacker will ever launch an attack without testing its code against all of the top detection tools. Once tested in a controlled environment against systems of varying resistance to infection, the perpetrator has to eventually ship it. Those attacks can only be thwarted by layered defenses working effectively to block, detect and react to attacks. It can be done ad hoc, just not well. For that, retailers will need to up their game and adopt standardized controls and secure processes.
 
But what will really make a difference is the adoption of PCI-DSS 3.0 (and EMV, but I'm sure most Canadian retailers are already using chip-and-pin technology). The updated industry standard clarifies security best practices and helps organizations apply defense-in-depth for layered protection from the ground up. By following its guidance, companies of all sizes can:
 
- protect their payment devices against tampering
- monitor systems and premises using video cameras
- implement technologies to detect and monitor all suspicious activity
 
Numerous other best practices are specifically laid out, but the dirty little secret of the industry is that up to 36% don't know how they're doing and of those that have gone through an audit, it may have provided insufficient learning or inadequate assessment, leading to a false sense of security.
 
Target had such a false sense of security and it passed it on to its customers (or 'guests', as it calls them). The oversight will amount to a drop of 2.5% to 6% in sales for the critical holiday season. But it hopefully taught the company a valuable lesson: don't rest on your laurels. Test your security continuously if you want to have a chance to keep up with the bad guys.
 
If you'd like to get started, request Informatica's Assurance Pack and discover where you stand vis-a-vis PCI-DSS 3.0 compliance, CASL (Canada's Anti-Spam Law) and PIPEDA (Personal Information Protection and Electronic Documents Act). You may be surprised at what you find. Email Assurance@SecurityandPrivacy.ca to order a PCI-DSS 3.0 self-assessment or the whole Assurance Pack. You will definitely find it a worthwhile exercise.
