Q: Can you tell us what you remember about when the Target hack occurred? As an IT professional, what was your reaction? As a consumer, what was your reaction?
Charles: “I think I remember the first time I heard about it, and the big deal was that it was the largest breach yet, up to that point in time. That really got an awful lot of attention. It happened in a retail setting, where normal, everyday people were being affected. You know, it wasn’t government to government high crime; it really was the store down the street, which was very different from a lot of breaches that had happened prior, especially to that scale.
I know as an IT provider, I was mostly caught by the fact that it was a third party contractor who was the access point. When we first heard about the breach, I thought that someone had attacked Target directly, but it was actually pivoted through a third party, which changes the concerns you have. It’s why we have to be very careful about who we connect to, how we connect, and the systems that we build.
And as a consumer, I just remember being concerned that my credit card was among what was lost and wondering if I was going to lose data. I remember wondering what the impact of that event would be—so many people having to get new cards and having issues at that time of the year – the holidays – when everyone really wants to be able to access their money easily.”
Q: When incidents like the Target hack occur, how do you go about researching the security issues surrounding the occurrence, and how do you then reconcile that with our current security protocols?
Charles: “Well, because things like this happen, I pay attention to many sources. I certainly watch the general news to see what’s happening in the world, but mostly, I keep up with well-curated sources of information from our specific industry. Everything from some educational institutions that put out daily security podcasts, to information from many of the vendors we work with, to worldwide communities that we’re members of where people can share industry-related information. We follow those information sources closely, looking for issues, generally with the intent to catch whatever is going on before it can even become a headline-worthy situation. We’ll often hear of security problems long before they’re in the papers and in the news. Of course, we keep up with the general news because we know that not everyone has access to the kinds of information that we have access to, so it helps us communicate better with our clients and our communities if we’re aware of the information they might already have.
And we always look at these things so that we can adjust what we’re doing in response. Sometimes security issues arise that require an immediate technical response to guard against that threat. If there’s a known security vulnerability that has a patch or a mitigation, we amend that as rapidly as we can. But on the other side of it, sometimes there are trends or gradual shifts in cybercrime. So we monitor to see if attackers are changing the way they attack so that we can adjust our defensive structures to address that.”
Q: I think we can agree that the majority of businesses (especially those that we work with) relate more to the contractors and the drop points in the Target hack than they relate to Target. What advice do you have for small or medium businesses regarding their security? Do they need the same security as giant corporations like Target?
Charles: “I think probably the biggest lesson to learn is that anyone who is connected to the internet or has data to protect has something of value. They may not have the Fort Knox of money, and they may not have the largescale transactions of a Target, but they have something that criminals do want. So while the scale of the issues is not the same, the concern for security needs to be much higher than most small businesses have. Small businesses are vulnerable, and there are attackers who are just as happy to hit a local mom-and-pop with ransomware as they are to hit a large company. Now while most of our clients would probably relate a little more to the contractor and drop points, the one thing that everyone has to realize is that we all face the same attackers as Target does. Target might have a bigger front door that’s being attacked, but those same crimes are being committed against little businesses that we might work with. It’s important to know that the attackers don’t care who you are. They are happy to attack whoever and whatever, whether you’re Target or a local shop. So while a small business doesn’t need the same exact security as a big corporation like Target, they need to realize they face the same threats. So maybe Target’s anti-malware defenses are more complex and expensive, but small businesses still need to protect against malware. And maybe Target has vastly more complex infrastructures, but small businesses still need segmented networks.”