Starbucks is my goto place for coffee in this area. I spend a lot of time there for meetings, talking, hanging with my kids, whatever. Recently Starbucks changed their lids to a clearly inferior one. The lid is flimsy and won’t pull off the cup easily without almost ripping off or it practically spilling. I am guessing this was a cost savings measure because the last lid was just fine. Seems like a small change, but it is very noticeable. I have heard it discussed by more than one person at the stores.
We went to lunch for our weekly staff meeting at Buffalo Wild Wings this week, a national restaurant chain. Not a healthy place but several people in our office like it. While there my marketing guru and I started talking about the ketchup. I noticed that the ketchup was generic and not the goto brand most people prefer. They also announced they changed the drinks from one brand to another. Small changes, but also very noticeable.
What appears to be a small or insignificant change can have a huge impact. We had a client this week fail to renew some security services. On the day the license ran out they called because the internet wasn't working. So we made temporary changes to get access working while they renewed their software. Once that change kicked in, they no longer wanted to renew. Their concern was with working, not security. The effects may not be felt right now, but they will be in the long run.
The small things can have a huge impact, whether we are talking about customer satisfaction or the stability of a business's systems.
Dr. Stephen R. Covey wrote in his famous book The 7 Habits of Highly Effective People that fast is slow and slow is fast. What he meant was that you can't rush things you want to actually work. You have to take your time, go slow, and do it right.
This is the very spirit of an Advanced Persistent Threat attack, or APT for short. Unlike mass malware, which targets a vast group of people in the hope of getting any information possible, an APT attack targets very specific organizations and even very specific individuals inside those organizations. For example, why target an entire company when you could target just the accounting department and tailor your attack to reach exactly the right people? A tool like LinkedIn would give the attacker the perfect starting list of targets.
Or maybe they send you a file over email that appears to be from your spouse. They learn that information by searching public records such as real estate filings, friending you on Facebook, or masking the phone number they are calling from. There are any number of ways to get into the network.
Because these attacks are so targeted, the only way to actually protect your company is to install detection systems on the network. I have the honor this week of participating in a webinar session with WatchGuard, along with other industry experts, on this very topic and what companies can do to protect themselves.
Every organization is at risk of these attacks. Governments, accounting offices, law firms, manufacturing, real estate... the list goes on.
One of my favorite security stories last week was that a 5-year-old was able to get past his father's Xbox login. All he did was hit a bunch of spaces, and he was past the login and into his dad's account. Microsoft has credited him with finding this vulnerability, although it was no form of hacking wizardry.
I have kids myself, and their simple solutions and basic questions can break a problem down into its simplest form. Kids are perfect for this. Their minds work in a way we as adults often don't understand.
This leads me to wonder: are businesses over-complicating their security? Are they putting off new security initiatives out of a fear of change or of disrupting business? Sometimes inaction is the most powerful action, because it leads to more problems.
Step back and look at your security initiatives from a new perspective. What are you doing, and where? Where are the holes? Where are you weakest? Then build a plan to correct them, and start making your business more secure.
If my wife and I want to go out to dinner and the restaurant is closed due to the weather or employees calling in sick, they have lost our business. They can't get those dollars back from me another day.
If my son has strep throat and needs a prescription and the pharmacy computers are down, they have lost our business. I will just go to the next pharmacy across the street. After all, there is no difference in the medicine I get from CVS or Walgreens; antibiotics are the same at any pharmacy. They can't get those dollars back another day.
When the grocery store fails to order enough milk with a snow storm approaching, they have lost that business forever. I won't have the same need for a gallon of milk tomorrow; I would have bought it from someone else by then.
Businesses have several challenges to overcome to remain competitive. The one that most often gets overlooked is preparing for a disaster. Some disasters are small and some are large. If you run a business that deals in commodities, your challenge is even greater.
If you were the CEO of Carnegie Steel in the late 1800s, you could afford delays in delivering your products. An outage was not as drastic, because your product was in demand and available only from your company. You had a monopoly. Our relationship was also symbiotic: we both needed each other. You needed me to buy, and I needed your product to sell my own.
Carnegie Steel didn’t have to deal with IT security issues or a DDoS attack from Rockefeller Oil. They didn’t need to plan for a fiber line getting cut. Hard drive crashes were not a concern.
Commodity businesses do have to worry about these. They must take the necessary steps to build redundancy into every aspect of their business. If your customer's dollar won't be there tomorrow, take the steps to ensure you deliver your product today.
Consumers don't care. That was the message from Target's financial data after the breach.
While reviewing the financial reporting from Target last week (the first report since the breach was disclosed), it was obvious to me that consumers don't care. It appears they also don't associate Target with being at fault or with putting them at risk. This is similar to a political poll in this country in which it turns out Americans hate Obamacare but don't blame Obama for his signature legislation; they blame the government, even though he runs the government.
The data proves a theory I have had for some time. Consumers still flocked to Target on pace with previous sales, if you look at the same-store sales and growth numbers. The breach appears not to have hurt their reputation at all. I think most people, if asked, would say they were concerned about it. But when it came time to get more laundry detergent, they went to the same store as always.
Although sales were not hurt, the breach did cost $61 million in fees, a sum most companies could not afford. Target has enough cash on hand to handle this. I am sure they will take the necessary steps to make it the most secure business on the street, to avoid those fees again.
This leads me to my final thought. If I go to a restaurant and get food poisoning, I don't go back. If the car wash scratches my bumper, I stay away. But if Target losing all of those credit card numbers doesn't affect me, I keep going back. It didn't affect me.
I am teaching a class this week on security. As I go through the material I am constantly reminded that the key to security is layers. Several products and processes together make you secure; no single product can do the trick. If a manufacturer or vendor says their product does it all, they are wrong.
It came out last week that a third-party vendor was the launching pad for the Target attack. Then it came out that this vendor was a heating and air company! Talk about an industry that couldn't care less about network security, let alone PCI and credit cards. After hearing this news I grabbed my go-to guy James Hull (http://www.linkedin.com/in/jhullwcsp), who deals with more firewalls in a week than most IT admins deal with in three lifetimes. When I told him, his eyes lit up in amazement. He said that one of the most common requests he gets is to open holes so HVAC companies can get in to control systems remotely.
This highlights what anyone who works in this business knows: no business is safe from security risks. The WSJ reported last year that every business has been hacked. Yet I can promise you that many heating and air companies, as well as other construction and maintenance companies, spend little if anything on security.
Every business, government organization, nonprofit, and school needs to have its security assessed. This is so important. Don't you think the third party that had access to Target is now partially liable? You bet they are. They did not do anything intentionally, but they created an environment that enabled the bad guys.
This doesn't let Target off the hook. They should have known better than to let a third-party vendor into their network uncontrolled. This was careless and lazy. It takes seconds to restrict a VPN connection. Not taking simple steps to secure their data, and the public's information, is stupid. I hope heads are rolling at Target and they are looking for a whole new team. They need to start with the CIO for such careless business practices.
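To illustrate the point about restricting a vendor's VPN access, here is an added example (not code from the original post) that checks a third party's permitted sessions against the access it was actually granted; the HVAC account name, the building-control subnet, the ports and the log lines are all constructed.

```python
# Added example, not code from the original post: flag third-party VPN sessions
# that reach beyond what the vendor was granted. All names, IPs and logs are constructed.
import ipaddress
import re

# Hypothetical grant: the HVAC contractor's VPN account may reach only the
# building-control subnet on the two service ports it actually uses.
VENDOR_POLICY = {
    "hvac-vendor": {
        "networks": [ipaddress.ip_network("10.50.0.0/24")],
        "ports": {443, 8443},
    },
}

# Constructed line format: "<ts> vpn user=<acct> src=<ip> dst=<ip> dport=<n> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=\S+ "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

SAMPLE_LOG = """\
2014-02-10T09:01:12Z vpn user=hvac-vendor src=203.0.113.7 dst=10.50.0.21 dport=443 action=allow
2014-02-10T09:02:40Z vpn user=hvac-vendor src=203.0.113.7 dst=10.50.0.22 dport=8443 action=allow
2014-02-10T09:05:03Z vpn user=hvac-vendor src=203.0.113.7 dst=10.10.5.40 dport=445 action=allow
2014-02-10T09:05:09Z vpn user=hvac-vendor src=203.0.113.7 dst=10.10.5.41 dport=1433 action=deny
2014-02-10T09:06:00Z vpn user=hvac-vendor src=203.0.113.7 dst=10.50.0.21 dport=22 action=allow
"""


def is_allowed(user, dst, dport, policy=VENDOR_POLICY):
    """True only if destination host and port are inside the vendor's grant."""
    grant = policy.get(user)
    if grant is None:
        return False  # account with no written grant: out of policy by default
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in grant["networks"]) and int(dport) in grant["ports"]


def find_violations(log_text, policy=VENDOR_POLICY):
    """Return (ts, user, dst, dport) for each allowed session outside the grant;
    denied sessions are skipped because the firewall already stopped them."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "allow":
            continue
        if not is_allowed(m["user"], m["dst"], m["dport"], policy):
            hits.append((m["ts"], m["user"], m["dst"], int(m["dport"])))
    return hits
```

Run against the constructed log, the two sessions that left the granted subnet or used a port outside the grant (the SMB connection to 10.10.5.40 and SSH to a control host) are reported, while the denied SQL attempt is left to the firewall log.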