A recent court decision about the Target breach should have businesses of all sizes taking note.
A Minnesota judge found Target negligent in the breach and said it can be held responsible for financial damages. Infosecurity Magazine quoted the judge:
“Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Magnuson wrote in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”
This decision led Brian Foster, CTO of Damballa, to pose an interesting question, one that anyone who makes security-related decisions for their company should think about:
Do you immediately take devices off your network when you receive an alert from a prevention tool? Do you ever automatically block a device because of one alert?
Foster then hints at an even larger concern from an upcoming Ponemon study: Security professionals stated that they deal with approximately 17,000 security alerts per week, but only 19 percent of them are reliable. It’s already difficult enough to pinpoint a real attack. Now I anticipate the Target ruling putting companies even more on edge, knowing that after a breach, they could be under a lot more scrutiny and find themselves facing additional lawsuits.
As I was looking at the multitude of 2015 security predictions that I’ve received over the past couple of weeks, I noticed a few on which the Target breach and the court ruling may have a direct impact.
First, Chris Petersen, CTO and co-founder of LogRhythm, told me that we should expect more companies to inquire about cybersecurity insurance, and as a USA Today article echoed, cybersecurity insurance isn’t just for the “big guys.” Small and midsize businesses are just as vulnerable to an attack and need to consider protection just to keep the doors open.
Second, Steve Durbin, managing director of the Information Security Forum, says we need to pay more attention to the risks involving third parties, stating in an email comment:
Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations. And this thinking should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, your lawyers and accountants, all of whom share access oftentimes to your most valuable data assets.
Finally, Benjamin Caudill, founder and principal consultant at Rhino Security Labs, thinks that this year our lawmakers need to step up, telling me in an email:
At the moment, breach notification requirements and information security regulatory standards are patchy, antiquated, and fall short of what’s needed. Even the health care industry, which stepped ahead of the curve with HIPAA, still has a lot of room for improvement. There’s a need for laws that make sure that breached companies inform victims in a prompt and helpful manner, and an even more urgent requirement for laws which set minimum information security standards and guidelines. Expect to see information security issues come to the fore in courtrooms and senates around the world.
Target may not be the only company to be found negligent, as more and more companies find themselves the victim of a cyberattack. Is your company prepared in case it happens to you?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba