Although the highly publicized breach of retail giant Target's customer data may have been largely due to a mistake by the company's HVAC vendor, Target's CIO has resigned -- probably after being pressured to do so by upper management.
What does this mean for CIOs elsewhere? No. 1, there's a great job opening you might want to apply for. No. 2, as we've said on E2 before, you cannot limit your information security efforts to your own infrastructure alone, because your closest partners may be your biggest threats. Overlooking that fact may not only result in a breach, it may result in you losing your job.
At first blush, that might not sound fair. The HVAC vendor, Fazio Mechanical Services, is the one that succumbed to a phishing attack, not Target.
However, Target itself has a responsibility for protecting its infrastructure against attacks -- they owe it to their customers and they assume liability for third-party service providers' security failures as part of the Payment Card Industry's regulations.
Mathew Schwartz at Information Week explained:
Why might Fazio Mechanical Services have had access to Target's network? The answer is because Target -- like any other organization that manages a relatively modern store, factory, or office building -- likely relies on refrigeration and HVAC systems that can be remotely managed by a third party.
So, simply denying access to Fazio and other third-party partners was probably never a great option. However, Target and all other companies can protect themselves against unauthorized access in several ways. They can protect identity and access credentials, monitor how those credentials are being used (to ensure that the accounts are not exercising privileges they're not authorized to have), isolate the part of the network infrastructure accessible to third parties from the rest of the network, and monitor the data leaving the network rather than only monitoring what's coming in. The investigation into the breach is ongoing, so it's not entirely clear whether or not Target followed all these practices.
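To make the middle two practices above concrete (watching how a third-party credential is actually used, and treating the vendor-accessible segment as separate from the rest of the network), here is an added example that is not part of the original post. It is a small Python audit that checks a constructed access log against a hypothetical per-vendor policy: which network zones a vendor account is allowed to reach, and how much data a single event may send out. Every account name, zone name, log line and threshold in it is made up for illustration.

```python
"""Audit third-party vendor account activity against an access policy.

Added example, not from the original article. The log format, account
names, zone names and thresholds are all constructed assumptions; a real
deployment would read them from its own VPN/firewall/proxy logs and policy.
"""
from dataclasses import dataclass

# Hypothetical policy: for each vendor account, the network zones it may
# reach and the largest outbound transfer (bytes) a single event may carry
# before it is worth a look. A vendor that manages HVAC gear has no business
# in the payment (POS) segment or pushing large files to the internet.
VENDOR_POLICY = {
    "hvac-vendor-svc": {
        "allowed_zones": {"building-mgmt"},
        "max_egress_bytes": 1_000_000,
    },
}


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the audited log
    account: str
    reason: str


def parse_event(line):
    """Parse one constructed log line: ts|account|src_zone|dst_zone|action|bytes_out."""
    ts, account, src_zone, dst_zone, action, bytes_out = line.strip().split("|")
    return {
        "ts": ts,
        "account": account,
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "action": action,
        "bytes_out": int(bytes_out),
    }


def audit(log_lines, policy=VENDOR_POLICY):
    """Return a Finding for every vendor-account event that breaks policy.

    Two checks per event, in this order:
      1. zone check  - the destination must be in the account's allowed zones
      2. egress check - bytes_out must not exceed the account's ceiling
    Accounts absent from the policy are not vendor accounts and are skipped.
    """
    findings = []
    for n, line in enumerate(log_lines, 1):
        ev = parse_event(line)
        pol = policy.get(ev["account"])
        if pol is None:
            continue
        if ev["dst_zone"] not in pol["allowed_zones"]:
            findings.append(Finding(
                n, ev["account"],
                f"reached zone {ev['dst_zone']} outside allowed "
                f"{sorted(pol['allowed_zones'])} via {ev['action']}",
            ))
        if ev["bytes_out"] > pol["max_egress_bytes"]:
            findings.append(Finding(
                n, ev["account"],
                f"egress of {ev['bytes_out']} bytes exceeds "
                f"{pol['max_egress_bytes']} byte limit",
            ))
    return findings


# Constructed sample log: a normal vendor login, then the same account
# reaching the POS segment and pushing a large file out, then an employee
# event that is out of scope for this audit.
SAMPLE_LOG = [
    "2024-03-01T02:11:05|hvac-vendor-svc|vendor-vpn|building-mgmt|login|512",
    "2024-03-01T02:13:40|hvac-vendor-svc|vendor-vpn|pos-lan|smb-connect|2048",
    "2024-03-01T02:20:00|hvac-vendor-svc|vendor-vpn|internet|ftp-put|48000000",
    "2024-03-01T03:00:00|jdoe|corp|pos-lan|login|300",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line}: {f.account}: {f.reason}")
```

Run as-is it reports three findings, all against the vendor account: the connection into the POS segment, the connection out to the internet, and the oversized transfer on that same event. The point of the design is that the policy is written per third-party credential, so the same account doing exactly what it was provisioned for produces no noise, while any step outside its segment or any unusual volume leaving the network is flagged from the first event rather than discovered after the fact.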
But you'd better follow them. The scale of the breach, the 40% loss of revenue, and the departure of the CIO should provide adequate incentive.
The good news is that, in addition to hiring a new CIO, Target has stated that they are bringing on a chief compliance officer, and -- even better, in my opinion -- "elevating the role of the chief information security officer."
What do you think? Is it fair for Target to replace their CIO? What sort of person do they need to hire? What are you doing to protect your organization from the security errors of a third-party service provider? Do you think you need to extend your security awareness program and compliance efforts to include these third parties? Let us know in the comments below.