Target’s Massive Data Breach: Five Lessons for CPAs

Published Date:
Aug 25, 2014

It wouldn’t surprise me if some readers have grown tired of articles on cybersecurity breaches. Though there have been serious attacks in recent months—especially the data breach at Target, in which as many as 110 million customers had their credit and debit card information stolen by hackers—the wall-to-wall news coverage can make it easy to feel desensitized, rather than incentivized to improve systems and learn about protections. What’s more, sometimes when readers do want to learn more, they encounter media stories and white papers that only seize upon fears and uncertainties.

Still, it’s important to wade past all this; Target and other examples in the news are useful opportunities to examine and change behavior that may be putting you at risk.

For those who want “just the facts” about cybersecurity threats, supplemented with a reliable perspective and, yes, written in a language that most business people and their CPAs can understand, I recommend “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach." This report, which was prepared for the Senate’s Committee on Commerce, Science, and Transportation and released this spring, provides an unbiased look at how the Target breach occurred, as well as key concepts that can be used to minimize the potential impact of attacks. Given the publicity surrounding the Target incident, CPAs can leverage this analysis to initiate conversations with their clients about relevant protection strategies. (Best yet, many of the risk mitigation strategies can be rationalized from a business perspective.) Below are just a few lessons gleaned from the report.

1. Eliminate the low-hanging fruit.
According to the Senate analysis, Target failed to thwart attackers at even basic levels. For example, the report said the retailer “missed warnings from its anti-intrusion software that attackers were installing malware on its network.” In fact, Target had multiple opportunities to identify the attack at different stages, but was unable to do so.

Ideally, you should be making it difficult for someone to successfully penetrate your systems or your client’s systems. In previous columns, I’ve discussed the importance of patch management—applying software fixes provided by the software developer to resolve operating issues—and security hardening guidelines. The Senate report also points to the need to implement a multilayered approach to information security. Such a strategy recognizes that attackers may focus their efforts on different areas of a company’s technology environment, and, as a result, companies should plan their defenses accordingly.

2. Trust—but verify—third-party compliance.
Hackers gained information about and entry into the Target network through a vendor, “a small Pennsylvania HVAC [heating, ventilation and air-conditioning] company, which did not appear to follow broadly accepted information security practices,” according to the Senate report. The vendor had remote access to Target’s network for electronic billing, contract submission and project management purposes.

It’s not enough to know who your vendors are and how they intend to protect your information—you must also know where your data are outside your organization (e.g., your vendors’ vendors) and get appropriate representations that protection mechanisms are actually working. The same philosophy should be applied to managing the access privileges for resources on your network given to trusted partners. In some situations, you might wish to conduct your own audit to confirm that the data are protected. You also need to communicate with your partners about your expectations regarding data protection and, to the extent necessary, share defensive strategies as needed. If they are unwilling to cooperate with these efforts, consider taking your business elsewhere.

3. Limit the amount of publicly available information.
Be careful with what you share, both within and outside the company. Target hackers appear to have engaged in reconnaissance, finding information about the Pennsylvania vendor through simple Internet searches and sending “malware-laden emails” to it “two months before the Target data breach began.”

Although most businesses would not intentionally disclose information that could be used by an attacker, they may not be aware of the data leakage resulting from easy access to information stored on the Internet. This can include information about the company’s culture disclosed by employees through social media and information about the technical environment provided in company job listings.

4. Implement a logging and monitoring strategy.
CPAs are well aware of the importance of maintaining and reviewing audit trails. In the systems world, logs are used in the same manner. According to the Senate report, although Target’s logging systems identified warnings about the attacks, there did not appear to be sufficient follow up. But if logs are important, so is the need to monitor them periodically and take follow-up action. There is a challenge in that sometimes the person monitoring the log can feel like he or she is looking for a needle in a haystack. Instead, consider leveraging analytical techniques such as trend analysis to identify items requiring further investigation. 

5. Remember, people are often the weakest link.
In the end, data security still boils down to people and their behavior. No amount or level of technology can compensate for incompetence or a callous attitude toward security—whether it’s using poor passwords, making short-sighted business decisions or not having the courage to raise identified issues. The tone at the top is also important—management has to walk the talk of protecting sensitive information and invest in appropriately training employees. You’ll notice that at Target, both the CEO and CIO are no longer with the company.

While I was an audit manager at a major financial services company, we used to have SWAT teams that would analyze public reports of “misfortune” occurring within the industry and quickly determine if we had similar exposure. These rapid due diligence assignments were frequently performed in less than 25 hours and brought tremendous value to the business (and is a practice I still employ today with many of my clients). Many companies are now using the Target experience to avoid similar misfortune.

Joel Lanz, CPA/CITP, CFF, CISA, CISM, CISSP, CFE, is the sole proprietor of Joel Lanz, CPA P.C., and an adjunct professor at SUNY–College at Old Westbury. He is a member of the NYSSCPA’s Technology Assurance Committee and  The CPA Journal Editorial Board. 

Learn more about how to protect against cyber crimes at the FAE's Technology Assurance Conference on Sept. 18 in New York City, which will feature some of the country's top cybersecurity experts, offers best practices, and in one special session, find out what New York State is doing to keep cyber criminals from access your clients' data. For more information, visit the NYSSCPA's website.

Click here to see more of the latest news from the NYSSCPA.