Fundamental Challenges
With respect to cybersecurity, there are two fundamental challenges: technological and human. On the technology side, many firms underinvest in cybersecurity. It can be difficult to keep up with evolving threats, such as new ransomware, and companies that lack modern cybersecurity technology are especially vulnerable. In particular, companies are often keen to adopt new technologies, today cloud computing and the use of personal mobile devices for work purposes, without adequately investing in securing them. Many companies with in-house teams are ill-equipped, and many smaller companies are either unwilling or unable to invest in external security solutions (Security Magazine, 2016).
The other challenge is human in nature. Human beings are typically the weakest link in cybersecurity at the average organization. The weakness often manifests as poor password hygiene (Majumdar, 2017), but it can take other forms as well. Winnefield et al. (2015) point out other human issues: failing to patch vulnerabilities in legacy systems, executives not making the right decision when hacking is detected, violations of standard procedures, and misconfigured settings are all examples of human errors that can lead to cybersecurity breaches, even when the security stack is sufficient.
Target
The case highlights several errors that Target made when handling this breach. It had set up a sophisticated security network that detected the breach almost immediately. The red flag that Target overlooked was literally a red flag: FireEye flagged the malware when it arrived in Target's system and began collecting data. That first red flag was raised on November 30th, and there was another on December 2nd when the malware was installed a second time. The case claims that as many as five such red flags were raised. Any one of them should have triggered either an automatic or a manual response from the Target security team.
The first issue is that Target had turned off the automated system that could have deleted the malware upon detection. This was pure hubris on the part of the company's security team. The case frames it thus: "Typically, as a security team, you want to have that last decision point...
References
Biggs, J. (2014). Target knew about credit card hack for 12 days before reacting. TechCrunch. Retrieved November 19, 2017 from https://techcrunch.com/2014/03/13/target-knew-about-credit-card-hack-for-12-days-before-reacting/
Kraemer, S., Carayon, P. & Clem, J. (2009). Human and organizational factors in computer and information security: Pathways to vulnerabilities. Computers & Security. Vol. 2009, 1-9.
Majumdar, R. (2017). Poor password hygiene makes you a soft target for hackers. Smart Investor. Retrieved November 19, 2017 from http://smartinvestor.business-standard.com/pf/Pfnews-479754-Pfnewsdet-Poor_password_hygiene_makes_you_a_soft_target_for_hackers.htm#.WhI4AXlrzIU
Security Magazine (2016). Companies still lag in cybersecurity readiness. Security Magazine. Retrieved November 19, 2017 from https://www.securitymagazine.com/articles/87146-companies-still-lag-in-cybersecurity-readiness
Winnefield, J., Kirchhoff, C. & Upton, D. (2015). Cybersecurity's human factor: Lessons from the Pentagon. Harvard Business Review. Retrieved November 19, 2017 from https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon