The Wall Street Journal is reporting today that Target Corp.'s CEO, Gregg Steinhafel, has been replaced, ending an open-ended story from the 2013 holiday season, when personal information from over 70 million people was stolen because of extremely lax security. The company fought media and headlines, and while most of the public outrage has died down, I'm sure there's been an ongoing internal struggle to finally put the issue to bed.
Over the past several months, many have stated that Target could have done better with security, and that there were tell-tale signs that the company's consumer protection policies were lax. Security engineers were aware of potential issues and reported them to management, but management either didn't care or the communication was muddled. And this really highlights what I believe we'll see more of in the very near future.
Attacks on consumer-oriented technologies are becoming more prevalent and more sophisticated; however, in most instances there's no excuse for not taking better steps to bolster security now. Mitigation techniques and software already exist to handle the majority of sophisticated attacks, yet many companies take a wait-until-attacked stance.
Look at some of the most common evidence of security negligence today.
Many companies still give end-users administrative rights to their PCs. This is one of the biggest security policy no-no's ever, and after more than 10 years of warnings it's still accepted practice. The majority of malware unleashed today runs with the rights of the logged-on user, so a standard (non-admin) account limits what it can change on the machine. Give the end-user normal rights to the PC and the issue goes away for the most part.
Now, take a look at the number of Windows XP computers still in use today. Netmarketshare shows that almost 27% of all computer users are still on Windows XP. Throw in the latest critical Internet Explorer security flaw reported, along with granted administrative rights, and you have a recipe for complete disaster. Microsoft ended up patching the flaw, even for Windows XP, but this could be the last time the company doles out security updates for an operating system whose support ended on April 8, 2014. Windows XP is a petri dish for breeding the next big attack.
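As an added example (not from the original post), a small PowerShell audit that checks the two negligence points above on a single Windows host: who sits in the local Administrators group, and whether the machine is still running Windows XP. It assumes PowerShell 2.0 or later and that the caller can read local group membership; the allow-list of expected admin accounts is a placeholder you would adjust for your own environment.

```powershell
# Added audit example; assumes PowerShell 2.0+ and rights to read the
# local Administrators group. Not part of the original article.
$computer = $env:COMPUTERNAME

# Enumerate local Administrators via ADSI. This works on older hosts
# (including XP-era machines), unlike Get-LocalGroupMember, which needs
# PowerShell 5.1.
$group   = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
})

# Placeholder allow-list: accounts you expect to be local admins.
# Every other member is a candidate for removal (least privilege).
$allowed = @('Administrator', 'Domain Admins')
$excess  = $members | Where-Object { $allowed -notcontains $_ }

# OS check: 32-bit Windows XP reports NT version 5.1.
# (64-bit XP shares 5.2 with Server 2003, so check Caption as well.)
$os   = Get-WmiObject -Class Win32_OperatingSystem
$isXP = ($os.Version -like '5.1.*') -or ($os.Caption -match 'Windows XP')

"Host: $computer"
"OS:   $($os.Caption) ($($os.Version))"
if ($isXP) {
    "  WARNING: Windows XP; vendor support ended April 8, 2014"
}
"Local Administrators: $($members -join ', ')"
if ($excess) {
    "  WARNING: unexpected local admin accounts: $($excess -join ', ')"
} else {
    "  OK: no unexpected local administrators"
}
```

Run it across a fleet (for example through a logon script or remote management) and the WARNING lines give you the list of machines to fix first, which is also the report you want in management's hands.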
These are just a couple of instances, but there are more. Don't think that antivirus software is enough. Even Symantec, which relied on antivirus revenue for so long, knows that antivirus is dead. Symantec is now pushing out into deeper security waters, trying to save itself from becoming irrelevant.
For the larger, more public companies, CEOs stepping down because customer information was stolen through lax security will become commonplace. Someone has to take the responsibility, and when the breach is so massive and so painful to customers, the only recourse is that the CEO must go, to show that the company takes customer angst seriously.
For smaller companies, not in the public limelight, it may not be the CEO that steps down. In a lot of cases, the top person is the actual owner and I'm pretty sure that individual would not relinquish ownership. However, someone still has to be responsible. If management is privy to potential security issues and then does nothing about it, you can expect the resignation notes to fly, or the scapegoats to be ushered into the spotlight.
Don't get caught up in this mess. There are a myriad of security solutions available, many of them free. But there's nothing more valuable than just stepping back, reviewing the company's security landscape, and making sure it gets reported all the way up the management chain. If management refuses to do anything about it, at least you have your own butt covered.