
The Sundaytimes Sri Lanka

Is protection from hackers and security breaches possible?

Focus On Security

The Target Corporation, a global retailer, was one of the victims of a security breach last year. The personal information of several million customers, and even their credit and debit card accounts, were compromised over a period of three weeks. The information stolen included customer names, credit or debit card numbers, the cards' expiration dates and CVVs (card verification values).

The cost of this breach included liabilities to payment card networks for reimbursement of card fraud and card re-issuance costs; liabilities related to its own store card, the REDcard, for fraud and re-issuance; liabilities from civil litigation, governmental investigations and enforcement proceedings; expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities.

Sujit Cristy

All of these costs affected Target's financial results. Further, the CEO was forced to step down and the company had to search for a chief information security officer and a chief compliance officer. It appears Target was finally getting serious about security. Unfortunately, it was too late. Target's reactive rather than proactive approach to security cost millions of dollars, but perhaps more importantly, it damaged its customers' trust and peace of mind to an even greater degree.

Time to change

It's time we changed the way we think of security and approached it by design. A comprehensive, by-design approach to information security requires a good framework. There are many international standards and frameworks for information security management, such as COBIT, the NIST SP 800 series and PCI DSS, but the recently introduced ISO 27001:2013 standard is the most widely used for designing a security and governance framework.

This new standard has a catalogue of 114 security controls in its Annex A, and offers the flexibility to apply only those controls that are needed in relation to the risks identified. But its best feature is that it defines a management framework for controlling and directing security issues, ensuring that security management becomes part of the overall management of an organisation. The standard enables an organisation to take into account all of its processes, its information in its various forms and all of its risks, and provides a path to carefully treat each risk and keep the information safe. This is not a one-time effort, but a continuous operation. Further, it is not something IT people alone should be responsible for; it is something the whole organisation has to participate in, starting from the executive board.

Convincing management to fund the implementation of information security is not easy. Management is usually cost conscious and, if it sounds too expensive, the answer will usually be "No". Management cannot be blamed for this, as its ultimate responsibility is the profitability of the organisation. Every management decision is based on the balance between investment and benefit, i.e. ROI (return on investment).

Organisational strategy can no longer be limited to ROI, market share, core competencies and long-term vision. Strategy must also take into account the security issues that threaten the business. An insecure information system can cost far more, as the case of Target Corporation shows. Hence, a security framework designed using ISO 27001:2013 helps present the benefits to management in language management understands, and obtain its endorsement.

Benefits

The benefits of information security, and especially of implementing ISO 27001:2013, are numerous. Legal and regulatory compliance, for example, is a must for all organisations in the markets in which they operate. It might seem odd to list this as the first benefit, but it often shows the quickest 'return on investment'. If an organisation must comply with various regulations regarding data protection, privacy and IT governance, particularly if it is a financial, insurance, health, IT/ITeS or government organisation, then ISO 27001:2013 provides a methodology that enables it to do so in the most efficient way.

Additionally, an organisation that has been growing significantly over the last few years, organically and inorganically, might experience problems such as: who has to decide what, who is responsible for certain information assets, who has to authorise access to information systems, who is the risk owner, and so on. ISO 27001:2013 forces an organisation to define responsibilities, accountabilities and duties very precisely, and therefore strengthens the internal organisation and helps put the business in order.
Furthermore, markets have become more competitive and it is difficult to differentiate yourself to customers and gain an edge. ISO 27001:2013 certification can be a unique selling point, especially for organisations that store and process sensitive information, and can give them a marketing edge. At the same time, information security is often considered a 'cost' with no obvious 'financial gain'. However, there is a significant financial gain if the expenses caused by incidents are lowered.

(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He can be emailed at sujit@layers-7.com).
