The retailer’s security team ignored warnings, not yet trusting a new detection system, until federal officials finally alerted them. Once the breach was revealed, Target’s quarterly profits dropped 46 percent, its CEO resigned and the company promised to spend tens of millions of dollars beefing up security.
At an Austin cybersecurity conference Thursday, experts cited the Target example as they encouraged Austin businesses — large and small — to use newly issued guidelines to protect themselves and their customers.
Target is a textbook case for another reason: Except for the size of the breach, it’s not unique.
“It’s not if you become a victim of cybercrime,” said Mark Sletto, a special agent in the Austin office of the U.S. Secret Service. “It’s when.”
The U.S. Chamber of Commerce, along with its local counterpart, invited officials with the White House, Homeland Security, the FBI and Secret Service to join business experts to discuss a voluntary “framework” for cybersecurity. The industry-vetted guidelines are the result of a 2013 presidential directive that the chamber is supporting as an alternative to government regulations.
It might be voluntary, but Matthew Scholl, a computer security expert with the National Institute of Standards and Technology, warned, “If you don’t do it, you are putting yourself at business risk.”
Alan Daines, chief information security officer for Round Rock-based Dell Inc., said the best practices in the “framework” helps companies of all sizes to assess where they are and where they need to be on the security front.
“Since the Target breach, I can’t tell you the number of times I’ve been asked, ‘Are we vulnerable?’” Daines said.
While large companies have more money and people to address the problem, Daines said cybercrime is a challenge even for large firms.
“Large businesses become so large, it’s hard to get control of your environment,” he said. “We struggled with, ‘How do we know we’re doing everything right?’”
Jenny Menna with the U.S. Department of Homeland Security said the guidelines should help company officials to discuss security issues with everyone from the board room to a company’s supply-chain vendors.
“Adversaries are looking for the easiest way in,” she said.
Brian Engle, chief security information officer for the state of Texas, said too many companies or agencies focus more on protection than detection or response.
Citing the inevitability of attacks, Engle said it’s wrong to consider a breach as the moment of failure. “The failure should be if we can’t respond.”
Matthew Eggers, a security expert with the U.S. Chamber of Commerce, said small firms shouldn’t assume they are too small to be targeted.
He said criminals might only be skimming a few hundred dollars each month from a company’s payroll, but it’s a lucrative crime when spread across thousands of small companies.
Eggers urged companies to keep it simple by focusing on data and devices.
“Think about the information you value and that your customers value,” he said. “There is no silver bullet.”
©2014 Austin American-Statesman, Texas
