Friday, March 28

One more thing for CEOs to fear

I previously mentioned the Hannaford breach and that it's the CEOs that take the fall, but now I have to add one more thing for CEOs to fear. First, it was potential impact to the bottom line or damage to the company's reputation. Then it was fines by regulators and maybe even jail time. Now, add to the list of potential repercussions of a security breach being called out in Mark MacAuley's blog. And Mark names names. He tried to convince Hannaford to put measures in place to prevent this type of attack . Now, Mark is guessing it was an inside job. The attacker installed software on every server in 300 stores. He's probably right. It's hard enough for system administrators to roll out software on that scale and effectively hit every server (even with a team of consultants). It seems unlikely for someone with no knowledge of the environment to come along and accomplish that goal -- not impossible, but unlikely given that these attacks are most likely targeted at low hanging fruit where the 80/20 rule would apply.

I hope Mark doesn't mind that I'm picking on him. There is an element of seriousness to my comment about the new item on the list of repercussions. There are a variety of convenient ways to publicly call out a CEO or other business leader for lack of movement or poor decisions. You can't hide and wait for something like this to blow over. Not any more. It's time to accept risk management as a top priority – as important as discovering new ways to expand the business. And yes, leakage of customer data should probably be high on the list of risks. No more excuses. No more walls. Lots of transparency. Viva la Clue Train!

Ira Winkler disagrees that it was likely an inside job. I'm sure he's forgotten more about hacking than I ever knew. So, he may be right. I don't doubt that someone could hit 100% of servers, but I guess I didn't see that as the goal. Maybe I'm not in tune with the motivations of hackers.

...this may be the article that Ira refers to.

1 comment:

Mark Mac Auley said...

Matt, I love that you're picking on me because it is raising the bar in terms of accountability for organizations and their leadership.

I do hold retailers accounatble for protecting my information, especially when they have people with titles like Chief Security Officer responsible for protecting data. Especially when the best practices that are exploited in a breach come to light, including common sense.

It astounds me that a company cannot or will not find money to fund projects to protect the trust of their Brand and company proactively, but will spend gobs of money after the fact. How is that good for their customers or their shareholders?

My solution - pay attention to what's going on out there, take phone calls from vendors and consultants, and please please please be proactive in mitigating risk, not reactive. It's cheaper and builds trust must faster.

I would also hope that Hannaford communicates what happened to Infragard, the ISSA or some other group who watches these events closely to learn what NOT to do. The bad guys are still FAR better at sharing information than those of us who make our living protecting our customer's customers...