This past weekend was a reminder of why companies need to focus more of their efforts on protecting the resiliency of their environments – even if those investments come at the expense of data protection.
On both Saturday and Sunday, news reports and Twitter posts were trending with photos of Target stores full of customers standing in line because the point of sale systems were unable to process credit card transactions. The outage on Saturday was reportedly 2-hours long, causing customers to abandon shopping carts full of products they were ready to purchase.
Source: Chris Walton, former VP Store of the Future @ Target. @OmniTalk
I’ll admit, my patience for in-store shopping is fairly limited and I only go to Target a few times a year, so this outage had no personal impact to me. But upon hearing the news reports, I quickly contrasted this weekend’s outage to Target’s security breach of 2013 which has been a major case study ever since for security operations. Millions of credit cards were stolen because Target allowed a third-party to have unfettered network access to its stores and its operations team missed key security alerts. Ultimately, Target reported that the breach cost them $148m. And, while that breach made the headlines because of its size – it did not result in a long-term impact to Target’s sales or operations.
When speaking on cyber resiliency, I often ask the audience to raise their hand if they had their credit card information stolen in the last two years. Nearly every hand is raised. Next, I ask the audience to keep their hand up if they lost any money and typically every hand goes down. I usually then ask attendees to raise their hand if they signed up for the free credit monitoring offered as part of a breach and, only a handful acknowledge that they did. Consumers have become numb to data loss. The personal impact to them is usually negligible, if any. Typically, they find out there was a breach when they get an alert on their phone that their credit card company detected fraudulent activity and they are being sent a new card. With many card issues and retailers collaborating on card number updating services, the biggest frustration of credit card fraud for most customers – changing their credit card on all of their accounts and bill payments – is now taken care of automatically.
If Target announced another security breach in 2019 like they did in 2013 I would predict it would be a non-issue for most of its customers because there is no real impact to them. But, compare that to an issue, like this weekend, where Target is unable to process transactions – then people are impacted because they are frustrated that their time is being wasted and that they were unable to go home with the goods they intended to purchase. In this case, the Target outage reportedly was not due to a security breach but an issue of connectivity with its payment card processor, but the point is the same. For most consumers, data loss is a non-issue – but an event that keeps a company from providing its core service is impactful to the brand and to financial results.
In our experience, helping companies recover from security breaches and the monetization of availability is the primary action of threat actor these days. These actors take systems hostage until a ransom is paid – knowing that the organization cannot recover quickly unless they pay the ransom. Strack & Van, a grocery store chain in Northwest Indiana, experienced this very issue when malware encrypted their point of sale systems, keeping cashiers from processing any transactions at half their stores during the days leading up to Thanksgiving.
No doubt, this past weekend many of Target’s customers went to competitors down the street or chose to purchase products via Amazon. Due to its timing before a major holiday, certainly Strack & Van customers went to a nearby grocery store. Between the emotions of being frustrated because time was wasted and then experiencing alternatives, some percentage of customers may have been permanently lost during these outages.
Executives should be asking the following questions:
How resilient is my company to a cyberattack?
Can my team quickly identify an issue?
When was my incident response plan tested?
Do we have the right technologies and processes in place to recovery quickly from an attack?
Do I have the right partners ready to assist with us when we need?
Learn more about how to adopt a cyber resiliency mindset and lead the culture change within your organization by downloading our latest white paper, “The Cyber Resiliency Mandate: Preventing Business Disruption in an Age of Cyberattacks”.