November 28, 2014

6 Important Lessons Learned From Target’s 2013 Data Breach

It was right about now a year ago that the massive Target data breach began.

Between November 27 and December 15, online thieves hacked into the discount retailer’s computer system and stole customers’ credit and debit card numbers, names, and contact information. When the dust settled and the actual numbers came to light, the company reported that a shocking 110 million customers had been affected.

The dust is still settling.   

Target has spent millions of dollars on breach-related costs, including free credit screening services for customers whose confidential data may have been exposed. There have been resignations and expectations of lower company earnings due to more cautious consumer spending. In August, NYtimes.com reported that the costs associated with the data breach had reached $148 million.

Here are important lessons learned from the Target data theft:

  • Schedule regular security audits. A computer security audit is a systematic, measurable technical assessment of the organization’s security policy. In the months that followed the Target attack, the company admitted that it had missed certain warning signs about potential security gaps. The fourth annual Shred-it Security Tracker showed that while almost half of executives cite frequent audits of their company’s information security procedures and protocols, one in five (19%) indicate their organization has never conducted such an audit.
  • Invest in protection now – or pay later. The cost of a data breach can be astronomical, as is the case with Target. In addition to fines for compliance violations, there may be lawsuits. Furthermore, the Ponemon Institute’s 2014 Cost of Data Breach Study, sponsored by IBM, showed that reputation damage and the loss of customer loyalty do the most harm to the bottom line, and companies must spend heavily to regain their brand image.
  • Communicate the problem right away. This is number one on the Forbes.com list. Reports show that Target waited days before alerting customers after discovering the problem. One strategic communications expert commented that anytime you are not controlling the release of information, you’re also not controlling – or containing – the message. Here’s more about reputation management.
  • Put an incident response plan in place. Following Target’s announcement, many customers wanted to talk to someone at the company and couldn’t get through. An incident response plan provides an organized approach to managing the aftermath of a security breach. According to the Cost of Data Breach Study, it can reduce the cost of a breach significantly. Here are damage control guidelines.
  • Push for updated security technology. Protection must be current and constantly updated. Industry experts were quick to point out that the U.S. in general lags behind other countries and still uses antiquated credit card security.
  • Appoint a CISO. Dealing with a security breach will probably take longer when there isn’t someone in charge of security. The appointment of a Chief Information Security Officer has been shown to help reduce data breaches. It also shows the rest of the organization that security is serious business.
