Cyber Security Research Paper

Fundamental Challenges

With respect to cybersecurity, there are two fundamental challenges – technological and human. On the technology side, many firms underinvest in cybersecurity, for whatever reason. It can be difficult to keep up with evolving threats, such as new ransomware, and companies that lack modern cybersecurity technology are especially vulnerable. In particular, companies are often keen to adopt new technologies – today cloud computing and the use of personal mobile devices for work purposes – without adequately investing in securing those new technologies. Many companies with in-house teams are ill-equipped and many smaller companies are either unwilling or unable to invest in external security solutions (Security Magazine, 2016).

The other challenge is human in nature. Human beings are typically the weakest link in cybersecurity at the average organization. The weakness often manifests in the form of poor password hygiene (Majumdar, 2017), but it can manifest in other ways as well. Winnefield et al. (2015) point out some other human issues: failing to patch vulnerabilities in legacy systems, executives not making the right decision when hacking is detected, violations of standard procedures and misconfigured settings are all examples of human errors that can lead to cybersecurity breaches, even when the security stack is sufficient.

Target

The case highlights several errors that Target made when handling this breach. It had set up a sophisticated security network that detected the breach almost immediately. The red flag that Target overlooked was literally a red flag – FireEye flagged the malware when it arrived in Target's system and began collecting data. That first red flag was thrown up on November 30th, and there was another red flag on December 2nd when the malware was installed a second time. The case claims that there were as many as five such red flags that were thrown up. Any one of these red flags should have triggered either an automatic or a manual response from the Target security team.

The first issue is that Target had turned off the automated system that could have deleted the malware upon detection. This was pure hubris on the part of the company's security team. The case frames it thus: "Typically, as a security team, you want to have that last decision point...

And that's when the importance of human decision-making comes more into play.
So the second issue is human decision-making. The exact nature of the human error is not clear from the case, but there are a couple of options. The first is that the security team simply chose to ignore the alarms. It does not appear that there is any meaningful basis for doing so, but this could have happened. The other is that the security team did not have the authority to act directly on the alarms, but rather had to escalate the alarms up the chain of command, and it is at higher levels that the inaction occurred. That seems like poor organizational structure, but could have been the case. The company's CIO at the time, Beth Jacobs, resigned shortly after the incident, suggesting that this might have been the case (Biggs, 2014).

It is my sense that there were organizational structure issues that contributed to the non-reaction to the breach. It is assumed that there was a communication trail proving that people on the security team escalated the issue. It probably escalated to the executive level. At that level, someone either did not understand the threat, or failed to take it seriously. Or possibly they were concerned with the company's reputation if news of the threat got out, and hoped that it would go away. Whatever the reason, the inaction was inexcusable, and most of the damage could have been prevented.

Reaction

But this also calls into question the security team itself. If the security team in Minneapolis was aware of the hack, and their only response was to escalate, how could that be? Is this a situation where the organizational culture is so conservative that the company could only escalate to a higher level, and when the higher level did nothing, the security team would accept that response? The security team should have been empowered to address the hack themselves – especially if they were going to turn off the FireEye feature that allowed them to delete the malware immediately. Even if they did not have formal authority, they had to know that the right thing to do would be to delete the files manually – the risk of punishment by their superiors would…

References

Biggs, J. (2014) Target knew about credit card hack for 12 days before reacting. TechCrunch. Retrieved November 19, 2017 from https://techcrunch.com/2014/03/13/target-knew-about-credit-card-hack-for-12-days-before-reacting/

Kraemer, S., Carayon, P. & Clem, J. (2009). Human and organizational factors in computer and information security: Pathways to vulnerabilities. Computers & Security. Vol. 2009, 1-9.

Majumdar, R. (2017) Poor password hygiene makes you a soft target for hackers. Smart Investor. Retrieved November 19, 2017 from http://smartinvestor.business-standard.com/pf/Pfnews-479754-Pfnewsdet-Poor_password_hygiene_makes_you_a_soft_target_for_hackers.htm#.WhI4AXlrzIU

Security Magazine (2016) Companies still lag in cybersecurity readiness. Security Magazine. Retrieved November 19, 2017 from https://www.securitymagazine.com/articles/87146-companies-still-lag-in-cybersecurity-readiness

Winnefield, J., Kirchhoff, C. & Upton, D. (2015) Cybersecurity's human factor: Lessons from the Pentagon. Harvard Business Review. Retrieved November 19, 2017 from https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon
