After studying this section you should be able to do the following:
- Recognize that information security breaches are on the rise.
- Understand the potentially damaging impact of security breaches.
- Recognize that information security must be made a top organizational priority.
Sitting in the parking lot of a Minneapolis Marshalls, a hacker armed with a laptop and a telescope-shaped antenna infiltrated the store’s network via an insecure Wi-Fi base station1. The attack launched what would become a billion-dollar-plus nightmare scenario for TJX, the parent of retail chains that include Marshalls, Home Goods, and T. J. Maxx. Over a period of several months, the hacker and his gang stole at least 45.7 million credit and debit card numbers and pilfered driver’s licenses and other private information from an additional 450,000 customers (King, 2009).
TJX, at the time a $17.5 billion Fortune 500 firm, was left reeling from the incident. The attack deeply damaged the firm’s reputation. It burdened customers and banking partners with the time and cost of reissuing credit cards. And TJX suffered under settlement costs, payouts from court-imposed restitution, legal fees, and more. The firm estimated that it spent more than $150 million to correct security problems and settle with consumers affected by the breach, and that was just the tip of the iceberg. Estimates peg TJX’s overall losses from this incident at between $1.35 billion and $4.5 billion (Matwyshyn, 2009).
A number of factors led to and amplified the severity of the TJX breach. There was a personnel betrayal: the mastermind was an alleged FBI informant who previously helped bring down a massive credit card theft scheme but then double-crossed the Feds and used insider information to help his gang outsmart the law and carry out subsequent hacks (Goldman, 2009). There was a technology lapse: TJX made itself an easy mark by using WEP, a wireless security technology less secure than the stuff many consumers use in their homes—one known for years to be trivially compromised by the kind of “drive-by” hacking initiated by the perpetrators. And there was a procedural gaffe: retailers were in the process of rolling out a security rubric known as the Payment Card Industry Data Security Standard. Despite an industry deadline, however, TJX had requested and received an extension, delaying the rollout of mechanisms that might have discovered and plugged the hole before the hackers got in (Anthes, 2008).
The massive impact of the TJX breach should make it clear that security must be a top organizational priority. Attacks are on the rise. In 2008, more electronic records were breached than in the previous four years combined (King, 2009). While the examples and scenarios presented here are shocking, the good news is that the vast majority of security breaches can be prevented. Let’s be clear from the start: no text can provide an approach that will guarantee that you’ll be 100 percent secure. And that’s not the goal of this chapter. The issues raised in this brief introduction can, however, help make you aware of vulnerabilities; improve your critical thinking regarding current and future security issues; and help you consider whether a firm has technologies, training, policies, and procedures in place to assess risks, lessen the likelihood of damage, and respond in the event of a breach. A constant vigilance regarding security needs to be part of your individual skill set and a key component in your organization’s culture. An awareness of the threats and approaches discussed in this chapter should help reduce your chance of becoming a victim.
As we examine security issues, we’ll first need to understand what’s happening, who’s doing it, and what their motivation is. We’ll then examine how these breaches are happening with a focus on technologies and procedures. Finally, we’ll sum up with what can be done to minimize the risks of being victimized and quell potential damage of a breach for both the individual and the organization.
- Information security is everyone’s business and needs to be made a top organizational priority.
- Firms suffering a security breach can experience direct financial loss, exposed proprietary information, fines, legal payouts, court costs, damaged reputations, plummeting stock prices, and more.
- Information security isn’t just a technology problem; a host of personnel and procedural factors can create and amplify a firm’s vulnerability.
Questions and Exercises
- As individuals or in groups assigned by your instructor, search online for recent reports on information security breaches. Come to class prepared to discuss the breach, its potential impact, and how it might have been avoided. What should the key takeaways be for managers studying your example?
- Think of firms that you’ve done business with online. Search to see if these firms have experienced security breaches in the past. What have you found out? Does this change your attitude about dealing with the firm? Why or why not?
- What factors were responsible for the TJX breach? Who was responsible for the breach? How do you think the firm should have responded?
1Particular thanks goes to my Boston College colleague, Professor Sam Ransbotham, whose advice, guidance, and suggestions were invaluable in creating this chapter. Any errors or omissions are entirely my own.
Anthes, G., “The Grill: Security Guru Ira Winkler Takes the Hot Seat,” Computerworld, July 28, 2008.
Goldman, D., “Cybercrime: A Secret Underground Economy,” CNNMoney, September 17, 2009.
King, R., “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009.
Matwyshyn, A., Harboring Data: Information Security, Law, and the Corporation (Palo Alto, CA: Stanford University Press, 2009).
This is a derivative of Information Systems: A Manager's Guide to Harnessing Technology by a publisher who has requested that they and the original author not receive attribution, originally released and is used under CC BY-NC-SA. This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.