Yesterday, Institutional Shareholder Services (ISS), a third-party advisor to Target Corp. investors, recommended ousting Target’s Audit Committee because they failed to do appropriate risk management, resulting in a breach of customer data. According to Twin Cities Business Magazine, ISS stated that “… in light of the company’s significant exposure to customer credit card information and online retailing, these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information, especially since it involves shoppers and the communities in which the company operates, as well as the overall impact on brand reputation and brand value.” This suggests a fundamental lack of understanding of both the nature of the breach and who should be held responsible for the outcome.
First, let's understand what really happened here: Target updated their point of sale (POS) systems before the holiday season. There was a known vulnerability in those POS systems that let credit card data travel between the POS system and the register before it was encrypted and sent off to the clearinghouse for approval. Target’s technology team was warned of the vulnerability and DECIDED that the risk was worth accepting – not the board, not the auditors; it was the people involved in the project who accepted the risk of losing 70 million records. When departments accept that level of risk, they in essence, end the conversation. The audit committee and board of directors would be none the wiser. When was the last time you notified your board about how you were disposing of hard drives?
The Internet of Things (IoT) is a hot phrase right now, and every vendor is talking about the huge potential of continual connectivity and interaction with smart devices to optimize the asset and transform the customer experience. The potential is undeniably huge and developers are right to be excited, but it’s not all "hugs and puppies."
As S&R professionals, we have to balance the excitement of innovation with pragmatism and caution, and the IoT is a turmoil of innovation right now. With so much change, it can be difficult to focus in on the key issues, so let's choose an area where there has been a lot of discussion and hype for years (or even decades) but not much in the way of actual consumer adoption; let's use the "connected car" as an example to crystalize a few of the risk scenarios.
Picture courtesy of Dave Gray on Flikr
Today’s cars operate on computers, and mechanical functionality breaks down when the computer is not there to manage it. It’s not quite an aerodynamically unstable plane, such as the B-2, or indeed most modern fighter jets, which are kept in the sky by instantaneous computer feedback and corrections, but it’s not dissimilar. As we move toward the connected car, think through these scenarios:
On May 19, 2014, Google announced that it is acquiring containerization and dual persona vendor Divide. Divide's technology is designed to create a security and user interface division between the personal and the enterprise content, applications, and data on a single mobile device. This model meets the goal of separating the highly sensitive work data from the games and other potentially malicious content of a consumer nature. The big question is what is Google going to do now that it owns a technology leading containerizaiton play.
Selling Divide as a standalone solution isn't going to be lucrative enough, in the long term, to make the acquisition worthwhile. It makes a whole lot of sense for Google to embed Divide into the Android operating system. Just as rising tides raise all ships, containerization in Android will help the entire Android ecosystem shed the market perception of a technology that isn't quite yet enterprise appropriate. If this acquisition is any indication, Google has just put some power behind its push into the enterprise market and I don't expect it to subside any time soon.
All enterprises and vendors in the mobile security space should reconsider their future purchases and road maps based on this acquisition. Even if you are creating or buying mobile security technologies that don't play at the application layer, mobile security technologies are inseparably intertwined and this acquisition will have ripple effects that must be considered.
We recently published part 1 of a new series designed to help organizations build resiliency against targeted attacks. In the spirit of Maslow, we designed our Targeted-Attack Hierarchy Of Needs. One factor that significantly drove the tone and direction of this research was Forrester client inquiries and consulting. Many organizations were looking for a malware sandbox to check off their targeted attack/advanced persistent threat/advanced threat protection/insert buzzword needs. Malware analysis has a role in enterprise defense, but focusing exclusively on it is a myopic approach to addressing the problem.
Part 1 of the research is designed to help organizations broaden their perspective and lay the foundation for a resilient security program. Part 2 (currently writing at a non George R.R. Martin pace) will move beyond the basics and address strategies for detecting and responding to advanced adversaries. Here is a preview of the research and the six needs we identified:
If you have implemented or used either application wrapping or containerization technologies, please COMPLETE THIS SURVEY.
Application wrapping versus containerization: Which technology provides better security to an enterprise mobile deployment? What are the use cases for each technology, and which technology has a longer shelf life when it comes to being the de facto standard for enterprise mobile security? Are there times when containerization provides a better user experience than application wrapping? And more simply speaking . . . what the heck is the difference between these two technologies, and which one should you purchase?
In the sport of boxing, "the tale of the tape" is a term used to describe a comparison between two fighters. Typically, this comparison includes physical measurements of each fighter as taken by a tape measure before the bout, thus the term "the tale of the tape." I'm currently conducting research for a "tale of the tape" report between mobile containerization technologies and mobile application wrapping. There has been a significant amount of discussion lately regarding which of these technologies is better suited for enterprise deployment. In order to settle this dispute, I'm going to get out the virtual tape measure and analyze the fighters!
This morning, BlackBerry announced the release of the BlackBerry Z3 Jakarta Edition. This new device is targeting the lower end of the market in Indonesia with lessened technical specifications and a reduced price point. It is unclear if the new device will be successful with the Southeast Asian buyer; however, I don't think it matters much to the US-based enterprise.
In the United States, BlackBerry has lost its hardware brand cachet. Over the last five fiscal quarters, BlackBerry total revenue has decreased by 64% from $2.7B to $976M. If we break out the revenue into separate streams -- hardware, software, and services -- we see that all three segments slowed in that same time period. The hardware revenue stream continues to be the boat anchor that is pulling down the other revenue segment, with a loss of 78%, while the software revenue stream only lost 15%.
It’s no longer just your marketing team that uses social media for business purposes. Employees across the entire organization use social media for personal and professional reasons, leveraging social to drive real business for your company. The opportunities to enhance your brand, deepen customer relationships, and glean new customer insights are all too valuable to ignore -- but the risks are real too.
Moreover, the legal and regulatory landscape is evolving rapidly, complicating the ways in which you can manage social media and the myriad reputational, security, and privacy risks (among others) that expose your organization. To take advantage of these opportunities and still protect your company, you need new tools and technology to do this effectively.
On May 5, 2014, Target announced the resignation of its CEO, Gregg Steinhafel, in large part because of the massive and embarrassing customer data breach that occurred just before the 2013 U.S. holiday season kicked into high gear. After a security breach or incident, the CISO (or whoever is in charge of security) or the CIO, or both, are usually axed. Someone’s head has to roll. But the resignation of the CEO is unusual, and I believe this marks an important turning point in the visibility, prioritization, importance, and funding of information security. It’s an indication of just how much:
Security directly affects the top and bottom line. Early estimates of the cost of Target's 2013 holiday security breach indicate a potential customer churn of 1% to 5%, representing anywhere from $30 million to $150 million in lost net income. Target's stock fell 11% after it disclosed the breach in mid-December, but investors pushed shares up nearly 7% on the news of recovering sales. In February 2014, the company reported a 46% decline in profits due to the security breach.
Poor security will tank your reputation. The last thing Target needed was to be a permanent fixture of the 24-hour news cycle during the holiday season. Sure, like other breached companies, Target’s reputation will likely bounce back but it will take a lot of communication, investment, and other efforts to regain customer trust. The company announced last week that it will spend $100 million to adopt chip-and-PIN technology.