The Hacker’s Gift That Just Keeps on Giving


The massive breach of customer data at retail giant Target during last year’s holiday shopping season is a gift of bad news that just keeps on giving. The malware introduced into Target’s POS system between November and December 2013 affected more than 70 million customers and is forecast to cost the retailer more than $148 million. But the costs associated with the historic breach are about to increase if a ruling by Judge Paul A. Magnuson of the Minnesota District Court survives appeal. The judge ruled that Target was negligent in the massive 2013 holiday shopping season data breach, clearing the way for banks and other financial institutions to pursue compensation via class-action lawsuits. The Minnesota court decision opens the legal pathway for pending lawsuits by banks and credit unions looking to recover the billions of dollars they incurred replacing customer credit cards.

The decision is a breakthrough for credit and debit card issuers, which traditionally bear the brunt of the costs arising from hacker attacks on retailers, because issuers have to replace cards and respond to customers’ concerns. Industry analysts have previously predicted that Target and other retailers will eventually find themselves liable for stolen identities and bank fraud stemming from the high-profile point-of-sale (POS) breaches.

Credit Union National Association president and CEO Jim Nussle says, “As we have documented in two surveys this year, data breaches at retailers have cost credit unions and their members a minimum of $90 million—and those are the costs only for breaches at Target, for $30 million, and Home Depot, at nearly $60 million.”

There has been a considerable increase in retail security breaches in 2014, and this decision opens the possibility that other retailers such as Kmart, Dairy Queen, Home Depot and Neiman Marcus could now face similar claims of liability. Financial damage from security breaches has increased 12 to 14 percent over last year, with 94 percent of companies reporting a cyber-security issue in 2014.

The attack at Target is somewhat unusual in that it was made possible by poor network segmentation and the big-box giant’s failure to respond to an early-warning system that was in place to protect against just such an attack. “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Magnuson wrote in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”

The implication of the ruling for both large and smaller retailers is obvious for those businesses that fail to take the collection of sensitive information, such as credit card or social security numbers, seriously. It is imperative that retailers implement the strictest security standards and heed warning signs of possible intrusions when they occur in order to avoid liability and financial devastation. The lump of coal delivered by hackers to Target last Christmas is likely to continue to burn holes in their profits for years to come.


It is Time to End the Debate and Move Forward with Solutions


One of the bright spots in an economy persistently checked by uncertainty is the prediction that technology companies are looking to hire more employees over the next year. But as with all good news about the current state of the economy, this good news comes with a qualifier. While 63 percent of large technology companies intend to hire new technical professionals over the next twelve months, they worry that there will not be enough qualified candidates to fill the vacancies. The survey, conducted by the trade group Technology Councils of North America, also indicates that 70 percent of small to mid-sized tech companies are looking to expand their tech staffs as well.

A debate over whether the shortage is real or a myth has been going on for years. While hiring organizations see an IT talent shortage, third-party recruiters say that hiring managers have to get more creative and realistic about candidate job requirements, and job seekers complain that the whole candidate evaluation process is “screwed-up”. Whether it is a talent shortage or a broken hiring process, the issue is causing delayed IT projects, poor quality, reduced competitiveness and productivity, and missed opportunities for growth in the technology sector, the very sector economists identify as the most likely to put the “robust” back into descriptions of the economy.

Discussions of solutions to the problem include employer pay, benefits, and performance expectations. Some talk of increasing efforts to further education in science, technology, engineering and math (STEM), and others even advocate reforms to the immigration system to bring in more skilled foreign workers. Listening to all sides of the debate, it is clear that the solution does not lie solely with how many IT job applicants there are in the talent pool, or with the IT hiring process, but rather with all of the above. And regardless of what it is called, the problem is real, is likely to be with us for years to come, and will require both short-term and long-term solutions.

According to the Manpower Group 2014 Talent Shortage Survey Key Findings, nearly half of IT employers have begun addressing talent shortages through increased training for existing staff and non-traditional recruitment practices. One in four employers is exploring new talent sources, according to the study, and others are implementing alternative work models to improve their talent pipeline.

But effective, long-term solutions will require all stakeholders to coordinate their efforts to revamp the secondary, collegiate and technical education programs that produce students with the specialized skills a career in a dynamic and ever-expanding industry demands. It is time to end the debate and move forward on identifying and implementing real solutions.


Compressing the Detection Process


Perhaps the most alarming subtext to the prolific headlines touting the latest cybersecurity breaches is the fact that the intrusions took many months to be discovered. The latest release of the Mandiant M-Trends report indicates that, on average, security breaches take 229 days to be discovered. The recent broad attack on JPMorgan Chase, which compromised information for 76 million households and seven million small businesses, took the bank’s security team more than two months to detect before it was stopped. Imagine being the president of the bank and learning that your vault was broken into and pilfered only after a depositor presented a valuable family heirloom, just purchased at the local pawn shop, which they thought was securely locked away in the bank’s vault. A far-fetched scenario? Not really, especially when two-thirds of all cybersecurity breaches are discovered by an outside third party.

The reality is that most organizations today are slow to detect breaches, and most are sadly misinformed about how long it really takes for intrusions to be discovered. This lack of awareness gives unlawful intruders time to roam around inside an organization’s systems, seeking out the best information to pilfer and planting seeds of opportunity for later harvesting. Detecting a breach sooner rather than later can be crucial to how much damage is inflicted on the organization’s financial health. “The longer it takes to respond, the more firmly rooted the attacker will become, and more difficult and costly it will be to find and remove all of their implants,” says James Phillippe, leader of threat and vulnerability services for the U.S. at Ernst & Young.

The problem of untimely discovery is compounded by the sheer number of attacks occurring every day and the growing number of ways intruders can attempt to access a system. Detection software, designed to warn security professionals of an unlawful intrusion, often produces an overwhelming volume of alerts that must be evaluated and verified by those same professionals. Companies looking to improve detection and response times must refocus their efforts on improving their data analytics capabilities and provide the resources necessary to respond properly to legitimate threats.

Breaches will occur, even in organizations with an effective defensive security strategy in place. Investing as much effort in breach detection as in breach prevention is essential to improving discovery. “We know that breaches are going to happen,” says Mike McCann, a consultant at Signum Security. “What can we do to mitigate response times and mitigate the impact?” Deploying predictive analytic tools will help manage the volume of data and speed up the detection of and response to a cyber-attack.
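The two ideas in the preceding paragraphs, cutting the alert volume analysts must wade through and measuring how long an intrusion sat undetected, can be shown concretely. The script below is an added example written for this post; it is not code from the original article or from any vendor it mentions. The alert feed, its pipe-delimited format, and the host and signature names are all constructed for illustration. It collapses repeated alerts into one finding per host and signature, ranks findings by how many hosts a signature has spread to, and computes the dwell time from the earliest alert to the first analyst acknowledgement.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alert feed (not real telemetry; hosts and signatures are made up).
# Assumed line format: ISO-8601 timestamp | host | signature | action
SAMPLE_ALERTS = """\
2014-09-01T02:00:00 | pos-0417 | malware.known-hash | alert
2014-09-01T02:00:04 | pos-0417 | malware.known-hash | alert
2014-09-01T02:01:31 | pos-0417 | malware.known-hash | alert
2014-09-01T03:40:12 | pos-0911 | malware.known-hash | alert
2014-09-03T11:05:44 | srv-dmz-03 | outbound.unusual-ftp | alert
2014-09-03T11:05:44 | srv-dmz-03 | outbound.unusual-ftp | alert
2014-09-13T02:00:00 | soc-console | analyst.acknowledged | ack
"""


def parse_alerts(text):
    """Parse the pipe-delimited feed into a list of dicts, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, signature, action = [field.strip() for field in line.split("|")]
        alerts.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "signature": signature,
            "action": action,
        })
    return alerts


def aggregate_alerts(alerts):
    """Collapse repeated alerts into one record per (host, signature).

    Duplicates and rapid re-fires inflate the queue without adding
    information; counting them instead of listing them is the first cut
    at the alert volume the post describes.
    """
    groups = {}
    for a in alerts:
        if a["action"] != "alert":
            continue
        key = (a["host"], a["signature"])
        g = groups.setdefault(key, {"count": 0, "first_seen": a["ts"], "last_seen": a["ts"]})
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], a["ts"])
        g["last_seen"] = max(g["last_seen"], a["ts"])
    return groups


def signature_spread(groups):
    """Distinct hosts per signature: one signature firing on several hosts
    is a stronger indicator than the same alert repeating on a single host."""
    hosts = defaultdict(set)
    for (host, signature) in groups:
        hosts[signature].add(host)
    return {sig: len(h) for sig, h in hosts.items()}


def prioritized_queue(alerts):
    """Return aggregated findings as (host, signature, count, first_seen),
    widest-spread signatures first, then earliest first."""
    groups = aggregate_alerts(alerts)
    spread = signature_spread(groups)
    return sorted(
        ((host, sig, g["count"], g["first_seen"]) for (host, sig), g in groups.items()),
        key=lambda item: (-spread[item[1]], item[3]),
    )


def dwell_time_days(alerts):
    """Days from the earliest alert to the first analyst acknowledgement,
    or None if nothing has been acknowledged yet (the intrusion is still open)."""
    first_alert = min((a["ts"] for a in alerts if a["action"] == "alert"), default=None)
    first_ack = min((a["ts"] for a in alerts if a["action"] == "ack"), default=None)
    if first_alert is None or first_ack is None:
        return None
    return (first_ack - first_alert).total_seconds() / 86400


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(parsed)} raw lines -> {len(aggregate_alerts(parsed))} findings")
    for host, sig, count, first in prioritized_queue(parsed):
        print(f"{first.isoformat()}  {host:<12} {sig:<22} x{count}")
    print(f"dwell time: {dwell_time_days(parsed):.1f} days")
```

On the constructed feed, seven raw lines become three findings, and the signature seen on two point-of-sale hosts is ranked ahead of the single-host finding. The dwell-time figure is what a security team would track against the 229-day industry average cited above; a `None` result means the clock is still running.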
