What retail executives should do in the post Home Depot/Target breach world
In a race to the bottom, where companies are driving revenue mainly by reducing costs, there is pressure to accept certain risks rather than investing in mitigating them. This attitude is reinforced by typical risk assessment practices that, intentionally or unintentionally, downplay risk. Recent customer credit card breaches have reminded companies of the danger of accepting computer security risks, and of the importance of addressing medium-level risks to their business.
All government organizations and most large private companies periodically seek risk assessments to identify privacy and security risks and suggest ways to mitigate them. This can be an exciting time, when organizations look at their usual operations from a new perspective and consider changes.
With recent news of major customer credit card data breaches at Target and Home Depot, two questions come to mind: What could a threat risk assessment have said about the security risk to major retailers’ cash registers? And what are retailers doing – or not doing – to mitigate their security issues?
Risk assessment and cash register data breaches
If a threat risk assessment had been conducted on these major retailers’ cash registers, it would have shown a low to medium level of risk. Factors mitigating risk would be that transmission of credit card information is encrypted, that registers’ operating systems and software are initially installed in a secure lab (reducing the risk of tampering), and that registers’ security patches are applied somewhat frequently. For these reasons, the risk of the operating system launching an attack on security protocols or harbouring malicious code would have been rated low. Since the registers were presumably equipped with anti-virus software, the possibility of a computer worm infiltrating the machines would have been deemed a low risk. Other risk-mitigating factors would have been automatic security patch management and remote access for IT staff to repair problems in registers. Thus, the overall threat to cash registers would have been rated low to medium.
But what happened? A computer worm was able to infiltrate Home Depot cash registers and steal millions of credit card details, including mine. The attack went on for months, and was only discovered once banks noticed unusual credit card activity.
The importance of mitigating medium level security risks
Should heads roll? The truth is, Home Depot’s risk management practices are well in line with usual corporate practice. In a race to the bottom, where retailers are driving revenue by lowering costs rather than expanding to new markets, security is just one more expense to be minimized. Companies tend to respond to risk assessments by mitigating high risks, accepting low risks, and placing medium risks on a priority list that in practice becomes a wish list.
Contributing to this problem, risk consultants or security analysts usually present companies with reports of risk levels calculated based on the assumption that their proposed mitigation plans will be acted upon.
So, for example, if cash registers were at medium risk but could be reduced to low risk by conducting more frequent security checks, the risk would be categorized in the report as low. The reasoning behind this practice is that the organization wants to know that it has a manageable number of risks.
“Talk to me about high risks only” is a standard management direction.
Consultants generally gear their recommendations towards establishing a risk ratio of 5 low risks: 2 medium risks: 1 high risk.
This practice of evaluating risks post-mitigation needs to change. Companies are not going to start thinking about risk differently unless they see their unmitigated risk levels. Even if a company were to implement all of the recommendations of the mitigation plan presented in its risk assessment, working from post-mitigation risk ratings would distort its priorities. For example, more frequent security checks might reduce the security risk of cash registers to low, but if the security technician responsible does not conduct the checks correctly, the risk returns to medium. To truly keep the risk low, either there needs to be a quality assurance plan to monitor the security measures, or the root risk of credit card theft through cash registers needs to be eliminated. If cash registers were classified as low risk, these measures would be unlikely to become a priority.
The Target and Home Depot incidents should remind executives to think twice before saying, “I accept that risk”. Chief financial officers are also reminded of the importance of investing in mitigating medium level risks. Choosing to accept medium risks is a dangerous gamble that can turn out to be extremely costly.
What should retail executives start doing?
- Ask your security analysts for an assessment of risks that your organization faces, with corresponding mitigation plans. Ask for risks to be evaluated without mitigation or calibration.
- Prioritize investment in risk mitigation based on unmitigated risk levels.
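The following Python risk register is an added example, not part of the original article, that makes the argument of the preceding sections concrete: every risk is rated twice, once on its inherent (unmitigated) score and once on its residual score, and the investment list is drawn up from each basis. The 1 to 5 likelihood and impact scales, the level thresholds, the risk names, the control names and their assumed effectiveness are all constructed for illustration; the point of the example is that the cash register risk drops off the investment list when rated post-mitigation, and returns to medium as soon as the control it depends on is assumed to fail.

```python
"""Inherent vs. residual risk rating for a small, constructed retail risk register.

Added example; scales, thresholds, risk names and control effectiveness are
illustrative assumptions, not figures from the article or from any real assessment.
"""

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # likelihood points removed when the control is applied correctly


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)


def level(score: int) -> str:
    """Map a likelihood x impact score (1..25) onto the three-level scale used in reports.
    Thresholds are an assumption of this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def inherent_score(risk: Risk) -> int:
    """Unmitigated rating: what the risk looks like before any planned control is credited."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk, failed_controls: frozenset = frozenset()) -> int:
    """Post-mitigation rating. Controls listed in failed_controls (e.g. a check that the
    technician did not perform correctly) are given no credit."""
    reduction = sum(
        c.likelihood_reduction for c in risk.controls if c.name not in failed_controls
    )
    return max(1, risk.likelihood - reduction) * risk.impact


def rate(risk: Risk, basis: str, failed_controls: frozenset = frozenset()) -> str:
    score = inherent_score(risk) if basis == "inherent" else residual_score(risk, failed_controls)
    return level(score)


def investment_list(register: list, basis: str, failed_controls: frozenset = frozenset()) -> list:
    """Risks rated medium or high, highest score first: the ones that should receive
    mitigation budget. Low-rated risks are the ones a company typically accepts."""
    scored = [
        (r.name, inherent_score(r) if basis == "inherent" else residual_score(r, failed_controls))
        for r in register
    ]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [name for name, score in scored if level(score) != "low"]


def find(register: list, name: str) -> Risk:
    return next(r for r in register if r.name == name)


# Constructed register: names, scores and control effectiveness are illustrative only.
REGISTER = [
    Risk("Web storefront SQL injection", 3, 5, [Control("web application firewall", 1)]),
    Risk("Phishing of back-office staff", 4, 3, [Control("multi-factor authentication", 1)]),
    Risk("POS cash register malware", 2, 5, [Control("more frequent security checks", 1)]),
    Risk("Lost employee laptop", 4, 2, [Control("full-disk encryption", 1)]),
    Risk("Printer firmware out of date", 2, 2, []),
]


if __name__ == "__main__":
    pos = find(REGISTER, "POS cash register malware")
    print("cash registers, inherent :", rate(pos, "inherent"))
    print("cash registers, residual :", rate(pos, "residual"))
    print("cash registers, checks not done correctly:",
          rate(pos, "residual", frozenset({"more frequent security checks"})))
    print("invest (inherent basis):", investment_list(REGISTER, "inherent"))
    print("invest (residual basis):", investment_list(REGISTER, "residual"))
```

Rated on the inherent basis, the cash register risk is medium and sits third on the investment list; rated on the residual basis it is low and disappears from the list entirely, even though a single control performed incorrectly puts it back at medium. Presenting both columns side by side, rather than only the post-mitigation one, is what the two recommendations above ask for.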
Under pressure to reduce costs, many companies have become desensitized to risk. The Target and Home Depot breaches are a wake-up call to retailers and other companies that mitigating medium-level risks is a worthwhile investment.
Photo Credit: http://xetobyte.deviantart.com/