Bloomberg Businessweek had a headline this morning: "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It."
Their story investigated the Target hack, in which up to 70 million people had their credit card numbers stolen from the retailer's servers. One of the nuggets the article uncovered: The company had the latest, greatest software to protect it from hackers -- but when the software set off an alarm, Target ignored it.
It sounds sort of crazy, right? The burglar alarm goes off and they hit snooze?
Anthony Di Bello of cybersecurity firm Guidance Software says it’s more complicated than that. He says computer networks at large retailers and financial organizations are constantly getting hit with malware.
“There’s an indication that this isn’t just a small number -- a 100 or 200 -- this is 10,000-20,000 attempts against a network every day,” he says.
And an alarm goes off every time.
Sometimes it’s clear that the hack is serious. But there are a lot of false alarms. For example, when a company installs new cybersecurity software, it can take months of fine-tuning to make sure it works well with others, says Cameron Camp, a cybersecurity researcher at ESET.
The malware detection tool that first sounded the alarm was installed by Target six months before the hack, according to Bloomberg. Camp says the bigger problem is that when companies aren’t sure how serious an alarm is, they aren’t structured to make decisions quickly.
“You have silos: Over here is the C-suite, and over here’s the IT guys, and once a week you have a meeting,” Camp says.
He says most companies don’t have a Chief Information Security Officer in the C-suite and there isn’t a direct chain of command when urgent cybersecurity issues come up. That’s because, traditionally, the IT department was thought of as a "glorified garage" or "where the mechanics kept the engines running."
Of course, technology’s role in business has changed dramatically. But the corporate structure hasn’t caught up. Camp expects that articles like Bloomberg Businessweek’s will help bring that change about.
“Security is a business imperative now because it costs you a lot of money when it’s done wrong for whatever reason,” he says.