If my wife and I want to go out to dinner and the restaurant is closed due to the weather or the employees calling in sick, they lost our business. They can’t get those dollars back from me another day.
If my son has strep throat and needs to get a prescription and the pharmacy computers are down, they lost our business. I will just go to the next pharmacy across the street. After all, there is no difference in the medicine I get from CVS or Walgreens. Antibiotics are the same at any pharmacy. They can’t get those dollars back another day.
When the grocery store fails to order enough milk when there is a snowstorm approaching, they lost that business forever. I won’t have the same need for a gallon of milk tomorrow. I would have bought it from someone else by then.
Businesses have several challenges they have to overcome to remain competitive. The one that gets overlooked often is preparing for a disaster. Some disasters are small and some large. If you run a business that deals in commodities your challenge is increased.
If you were the CEO of Carnegie Steel in the late 1800s you could afford delays in delivering your products. An outage was not as drastic because your product was in demand and could only come from your company. You had a monopoly. Our relationship was also symbiotic; we both needed each other. You needed me to buy, and I needed your product to sell my products.
Carnegie Steel didn’t have to deal with IT security issues or a DDoS attack from Rockefeller Oil. They didn’t need to plan for a fiber line getting cut. Hard drive crashes were not a concern.
Commodity businesses do have to worry about these. They must take the necessary steps to build redundancy into all aspects of their business. If your customer’s dollar won’t be there tomorrow, then take the steps to ensure you deliver your products today.
Consumers don’t care. That was the message received from the Target financial data after the breach.
While reviewing the financial reporting from Target last week (the first report since the breach was reported), it was obvious to me that consumers don’t care. It appears they also don’t even associate Target with being at fault or putting them at risk. This is similar to a political poll in this country where it turns out Americans hate Obamacare but don’t blame Obama for his signature legislation; they blame the government, even though he runs the government.
The data proves a theory I have had for some time. Consumers still flocked to Target on pace and on track with previous sales if you look at the same-store sales and growth numbers. The breach appears not to have hurt their reputation at all. I think most people, if asked, would say they were concerned about it. But when it came time to get more laundry detergent, they went to the same store as always.
Although sales were not hurt, the breach did cost $61 million in fees, a sum most companies could not afford. Target has enough cash on hand to handle this. I am sure they will take the necessary steps to make it the most secure business on the streets, to avoid the fees again.
This leads me to my final thoughts. If I go to a restaurant and get food poisoning, I don’t go back. If the car wash scratches my bumper, I stay away. And if Target losing all of those credit card numbers doesn’t affect me, I continue to go back. It didn’t affect me.
I am teaching a class this week on security. As I go through the material I am constantly reminded that the key to security is layers. Several products and processes make you secure. No single product can do the trick. If a manufacturer or vendor says their product does it all, they are wrong.
It came out last week that a third-party vendor was the launching pad for the Target attack. Then it comes out that this vendor was a heating and air company! Talk about an industry that couldn’t care less about network security, let alone PCI and credit cards. After hearing this news I grabbed my go-to guy James Hull (http://www.linkedin.com/in/jhullwcsp), who deals with more firewalls in a week than most IT admins deal with in three lifetimes. When I told him, his eyes lit up in amazement. He said that one of the most common requests he gets is to open holes for HVAC companies to get in to control systems remotely.
This highlights what anyone who works in this business knows: no business is safe from security risks. The WSJ reported last year that every business has been hacked. Yet I can promise you many heating and air companies, as well as other construction and maintenance type companies, spend little if anything on security.
Every business, government organization, not-for-profit, and school needs to have their security assessed. This is so important. Don’t you think the third party that had access to Target is now partially liable? You bet they are. They did not intentionally do anything, but they created an environment that enabled the bad guys.
This doesn’t let Target off the hook. They should have known better than to let a third-party vendor into their network uncontrolled. This was careless and lazy. It takes seconds to restrict a VPN connection. Not taking simple steps to secure their data, and the public’s information, is stupid. I hope heads are rolling at Target and they are looking for a whole new team. They need to start with the CIO for such careless business practices.
It was disclosed this week that Target was breached through a vendor that had access; it was not an internal employee or another hole in the systems. I think this is an often overlooked security measure. Some companies take steps to secure their systems; however, third-party companies do not take equal measures and end up putting the business at risk just the same.
So who has access to your systems? What measures of security do you require of them?
We received an inquiry a few months back from someone wanting a security assessment. They dealt with the banking industry. They were curious about the costs and what it would entail. After a few initial conversations they told us they needed it because a few of their clients were requiring it. After reviewing the costs and the potential downside to not doing it, they decided to hold off until “something happened”. My only guess is they still work with those banks. This scenario is far too common.
If we want to be secure as a company we need to set security standards for the third parties we work with, enforce those standards, or just say no to working with them. No one company is “worth the stretch” of basic security standards.
I was at a doctor’s appointment this week with someone. While waiting in the room, for an incredibly long time, I noticed that the nurse left the computer logged in. Actually, not just logged in but with the EMR system open. We could look through the medical record on the screen or pull up anyone else’s name we wanted. Free rein! No restrictions! Even worse, we were in there for an hour and no lock screen ever appeared. I couldn’t believe this. This was at an office of the largest healthcare group in Charlotte, NC.
I am curious what the plan for companies is for mitigating risks. With all of the attacks we hear about nothing ever changes. There also does not appear to be any increase in the training of the employees or contractors. To add to it, I heard recently that the priority for security in corporations has dropped. They are throwing in the towel.
This healthcare company obviously has no fear. They are the biggest and no one will punish them, but a small doctor’s office gets smacked with a fine. There is a bad trend setting in for companies. They are starting to not focus on the basic security of their networks, let alone the prevention of attacks. The majority are concerned with three things. Does it work? Will it work a little longer? What can we do to reduce costs? Then if something does happen they will deal with it; after all, won’t the banks pay, and if not, that’s why they have insurance. Meanwhile individuals are put through hell trying to clean up the ID theft.
This is much like it is with celebrities and regular people. We punish the average guy who breaks the law, but a celebrity gets probation. Small and medium-sized companies will go under from an attack. But JP Morgan is “Too Big to Fail”, so they get propped up and smacked on the wrist.
I think it is time to level the playing field and apply fines and punishments equally. Maybe then we can finally get someone’s attention. It is okay to let a few of the big guys go through the hell small businesses do when an attack happens.
Should a business work to keep existing clients, win new clients, or both?
The contract on my home satellite is up for renewal. I called Dish Network today to see what upgrades were available if I renewed with them; their response was not welcoming. They explained that if I wanted to upgrade my hardware and service it was going to cost me a lot in fees. Then I would need to purchase a protection plan in order to get the install for free! In short, my service costs were going to double simply to stay with them. The specials I saw advertised on TV were for new clients only. The message I heard was: call a competitor to get a deal.
This is common in a lot of businesses. They work hard to win new business then never work to maintain existing clients. Pricing stays the same even though almost all costs drop over time. These savings are not passed down to existing clients. Why is this so common?
We have never been late with Dish on a payment. We order Pay Per View movies from time to time. We are a known quantity with them; yet we were given the cold shoulder.
In another story this week, I called a local roofing company, GHC Roofing, to quote a new roof. He not only came right out to quote it, he said I didn’t need one. Just a few repairs were needed for minimal cost. He could have easily quoted me a new roof but didn’t. I am not an existing client of his. This type of integrity is rare. Not only do I trust him, I will tell anyone I meet. This smaller company understands the value of a client.
Good luck to you Dish. We made our decision. Netflix and Amazon Prime are a lot cheaper than you.