Despite years of data security failures, enterprises fail to heed the many lessons learned.
I wasn’t surprised when the Home Depot breach notification hit my inbox this past weekend. But I knew that rarely does only one shoe drop following a breach disclosure of the 56-million-user magnitude Home Depot disclosed earlier.
Here is the second shoe:
“Today, we are providing an update on the investigation into the breach of our payment data systems. Our investigation to date has determined the hackers stole separate files containing email addresses, in addition to the payment card data we announced in September that may have been compromised.”
It turns out that the attackers had not only stolen 56 million credit card accounts but also managed to make off with 53 million customer email addresses. This attack, at least in its initial phases, was made possible when the criminals got hold of a password from a vendor. No surprise there, either. Most attacks, even if a third party’s only role is being the one to notify a company that it has been breached, involve third parties in some way.
And what was reported in Shelly Banjo’s WSJ article late last week, “Home Depot Hackers Exposed 53 Million Email Addresses,” wouldn’t be a surprise to anyone who has been closely watching how organizations approach information security:
The bigger problem, the company’s executives have said, is that Home Depot moved too slowly to bolster its security defenses and too often focused on meeting standards designed to detect known threats rather than anticipating the fluid, fast-moving tactics of hackers who are increasingly going after retailers.
Frank Blake, who retired as Home Depot’s chief executive last month as scheduled, has conceded the company needs to place greater emphasis on data security. “If we rewind the tape, our security systems could have been better,” Blake said in an interview last month. “Data security just wasn’t high enough in our mission statement.”
Too often, enterprise security teams end up running regulatory compliance programs rather than information security programs. This happens for many reasons, but is harmful to real risk-reduction over the long term. One reason is that regulatory compliance is an easier sell than security. There’s a regulatory mandate that the IT team needs to meet, so the business provides the funds. Executives also understand the risks associated with government and industry mandates, because they likely have to deal with them in many aspects of their business. They know the consequences when they don’t comply, and they are willing to extend the budget to do so.
Another reason is that IT teams, and security in particular, tend not to be very effective at translating technical risks into the types of business risks that executives understand on a visceral level. They’ll talk about the best tool for the job, and they’ll dive into deep technicalities of the enterprise architecture. It’s what they know, and what they feel comfortable talking about. But when it lands on the ears of executives, they’re not necessarily going to be able to translate that talk into what it means for the types of business risks that are important to them.
I’ll bet the Boards at Home Depot and all of the other retailers that were breached this year get it now. But for every one of them, there are 20 companies that don’t think they will suffer the same fate.
That brings up another lesson that seems to go unheeded: companies believe they won’t be breached because they can successfully defend themselves all of the time. Yet all of the big enterprise breach announcements that I’m familiar with this year entail breaches that lasted weeks and months. That’s just too long. Companies are too busy playing defense and not busy enough looking for the times when those defenses are sidestepped.
It’s time more enterprises learned the hard lessons provided by the experience of others: that compliance isn’t security, as fellow Business Insights blogger Shaun Donaldson wrote in “Home Depot, Target, and the business of being owned”; and that any firm, at any time, can suffer a serious intrusion into its business-technology systems. They not only have to plan how to stop attacks from succeeding, but also plan how to respond to breaches when attackers do succeed. The reality is that it is just a matter of time before they do. That may be the most important lesson of all here.