
Cybersecurity in business organizations

Last reviewed: November 19, 2017

Fundamental Challenges
With respect to cybersecurity, there are two fundamental challenges – technological and human. On the technology side, many firms underinvest in cybersecurity, for whatever reason. It can be difficult to keep up with evolving threats, such as new ransomware, and companies that lack modern cybersecurity technology are especially vulnerable. In particular, companies are often keen to adopt new technologies – today cloud computing and the use of personal mobile devices for work purposes – without adequately investing in securing those new technologies. Many companies with in-house teams are ill-equipped and many smaller companies are either unwilling or unable to invest in external security solutions (Security Magazine, 2016).
The other challenge is human in nature. Human beings are typically the weakest link in cybersecurity at the average organization. The weakness often manifests in the form of poor password hygiene (Majumdar, 2017), but it can manifest in other ways as well. Winnefield et al. (2015) point out some other human issues – failing to patch vulnerabilities in legacy systems, executives not making the right decision when hacking is detected, violations of standard procedures and misconfigured settings are all examples of human errors that can lead to cybersecurity breaches, even when the security stack is sufficient.
Target
The case highlights several errors that Target made when handling this breach. It had set up a sophisticated security network that detected the breach almost immediately. The red flag that Target overlooked was literally a red flag – FireEye flagged the malware when it arrived in Target's system and began collecting data. That first red flag was thrown up on November 30th, and there was another red flag on December 2nd when the malware was installed a second time. The case claims that there were as many as five such red flags that were thrown up. Any one of these red flags should have triggered either an automatic or a manual response from the Target security team.
The first issue is that Target had turned off the automated system that could have deleted the malware upon detection. This was pure hubris on the part of the company's security team. The case frames it thus: "Typically, as a security team, you want to have that last decision point of 'what do I do.'" The problem with that approach is that it forgoes an automated option, and therefore places the onus on the security team to deal with the problem. And that is when the importance of human decision-making comes more into play.
So the second issue is that of human decision-making. The exact nature of the human error is not clear from the case, but there are a couple of options. The first is that the security team simply chose to ignore the alarms. It does not appear that there is any meaningful basis for doing so, but this could have happened. The other is that the security team did not have the authority to act directly on the alarms, but rather had to escalate the alarms up the chain of command, and it is at higher levels that the inaction occurred. That seems like poor organizational structure, but could have been the case. The company's CIO at the time, Beth Jacobs, resigned shortly after the incident, suggesting that this might have been the case (Biggs, 2014).
It is my sense that there were organizational structure issues that contributed to the non-reaction to the breach. It is assumed that there was a communication trail proving that people on the security team escalated the issue. It probably escalated to the executive level. At that level, someone either did not understand the threat, or failed to take it seriously. Or possibly was concerned with the company's reputation if news of the threat got out, and hoped that it would go away. Whatever the reason, the inaction was inexcusable, and most of the damage could have been prevented.
Reaction
But this also calls into question the security team itself. If the security team in Minneapolis was aware of the hack, and their only response was to escalate, how could that be? Is this a situation where the organizational culture is so conservative that the security team could only escalate to a higher level, and when the higher level did nothing, the security team would accept that response? The security team should have been empowered to address the hack themselves – especially if they were going to turn off the FireEye feature that allowed them to delete the malware immediately. Even if they did not have formal authority, they had to know that the right thing to do would be to delete the files manually – the risk of punishment by their superiors would be a price to pay, but their work would save the company millions, if not billions.
Even after the Feds informed them of the breach, Target still waited three days to react. This is also inexcusable. At that point, the CEO would have known about the breach. The slow reaction speaks to a company that, at the higher levels of authority, did not understand the risks, was protective of its reputation, or otherwise had some reason why it thought that doing nothing was the best response. Certainly, nobody at the executive level understood the time-sensitive nature of the issue, and perhaps they thought that they could take time to deliberate on a response rather than take immediate action.
There is really nothing positive one can say about Target's reaction. The response was too little, too late. They were able to shut down the malware, but this was malware that could have been shut down before any data was communicated to the hackers. By any measure, the company's performance was poor. Too slow, too stupid, and ultimately just an abrogation of the company's fiduciary duty to its clients.

Why the Attack Occurred
The attack occurred because Target is a large retailer. Retailers are particularly vulnerable to such hacks because they hold credit card data for millions. The case elaborates on the sophisticated market for credit card data in Russia (and Odessa, which is part of Ukraine). The biggest targets are also the most lucrative, which is why the Minneapolis-based company had a bullseye on its back.
The issue was not the infrastructure, which by all accounts was accurate. There are records that the company's security infrastructure flagged the attack in a timely manner, and should have had the capacity to delete the malware immediately. These hackers might have been able to identify a weakness that allowed them to get into Target, but they did not bring malware sophisticated enough to actually do anything without the help of human error. The same can be said for most hack attacks, though – reliance on human error is quite common. So why Target?
Chances are pretty good that the hackers were simply aiming at whales. They might have tried other large retailers before and failed. It is doubtful that they had any specialized knowledge of Target's organizational culture that would have led them to target the company. They were probably just fishing for a victim, and found one. This would probably explain why they didn't move data out for a few days – they were just trying some stuff to see what worked, and it so happens that Target's poor response meant that it was the victim instead of some other company.
Thus, the attack was largely the result of management. Of course, there are both human and technological pathways to vulnerabilities (Kraemer, Carayon & Clem, 2009), but in this case it was the human factors. The details are not known, but the fact that the technology was clearly capable of detecting and destroying the malware manually leads to the conclusion that it was human factors.
Target's executives were right to make the investment that they did in FireEye, but they did not check all of the vulnerability pathways, in particular the human ones. They counted on the people in charge of making the decision to make the right one, and in this case they did not. There might have been ignorance on the part of the executive team about these risks. As a result, they were ill-equipped to make the right decisions, but for whatever reason did not empower the security team to make the right decisions either. And if the security team was empowered but failed to act, then the wrong people were in charge of the security team. Basically, the entire chain of human decision-making and communication was ineffective at the company, right up to the CEO level, because the CEO should have made it clear that he needed to know at a very early stage if any data was lost due to malware or other hacking.
The Target case highlights the role that the human factor plays in hacking, and how hackers can basically exploit any company that has poor human factors. The hackers probably did not have specific knowledge of such weaknesses at Target, but rather were hunting for large enterprises, as these are the most lucrative for stolen credit cards. Today, many smaller businesses are the targets because they lack not only the technological security of enterprises but also the human factors. Enterprises have learned from the Target experience, but even they may still have vulnerabilities. Still, it is clear in this situation that human error formed a large part of the problem for Target.

References

Biggs, J. (2014) Target knew about credit card hack for 12 days before reacting. TechCrunch. Retrieved November 19, 2017 from https://techcrunch.com/2014/03/13/target-knew-about-credit-card-hack-for-12-days-before-reacting/

Kraemer, S., Carayon, P. & Clem, J. (2009). Human and organizational factors in computer and information security: Pathways to vulnerabilities. Computers & Security. Vol. 2009, 1-9.

Majumdar, R. (2017) Poor password hygiene makes you a soft target for hackers. Smart Investor. Retrieved November 19, 2017 from http://smartinvestor.business-standard.com/pf/Pfnews-479754-Pfnewsdet-Poor_password_hygiene_makes_you_a_soft_target_for_hackers.htm#.WhI4AXlrzIU

Security Magazine (2016) Companies still lag in cybersecurity readiness. Security Magazine. Retrieved November 19, 2017 from https://www.securitymagazine.com/articles/87146-companies-still-lag-in-cybersecurity-readiness

Winnefield, J., Kirchhoff, C. & Upton, D. (2015) Cybersecurity's human factor: Lessons from the Pentagon. Harvard Business Review. Retrieved November 19, 2017 from https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon
 

Cite This Paper
PaperDue. (2017). Cybersecurity in business organizations. PaperDue. https://www.paperdue.com/essay/cyber-security-2166516
