US Retailer Target Breach: One Year On
Date: Dec 4, 2014
Guest post: Orlando Scott-Cowley, Mimecast.
One year after the Target data breach, there’s never been a better time to consider how vital email security is to maintaining the sanctity of the supply chain. Email, by its very nature, directly connects companies large and small together, creating opportunities for hackers to turn suppliers, partners or customers into unwitting victims of malware.
An obvious example of these dangers to the supply chain can be found in the Target breach, which ran from November 27th through December 15th last year and exposed credit card and personal data on more than 110 million consumers. The breach at Target appears to have begun with a malware-laced phishing email sent to employees at a heating, air conditioning and refrigeration firm that did business with the nationwide retailer.
Traditionally, businesses have used security scanning or gateway services to block conventional spam or phishing attacks, but these usually protect only users on the corporate network and on corporate-managed devices. Determined attackers are increasingly using a combination of sophisticated social engineering and targeted or spear-phishing emails in their attacks.
Securing your relationships with suppliers and third parties is quickly becoming a top priority for those who have learned a lesson from the Target breach. Since the evolution of BS7799 Part 2 into its current form, ISO 27001, considering how to secure suppliers’ systems and imposing your security controls on those third parties has been a key part of security best practice. It is therefore not a new idea that we ought to ask our suppliers how they store, process and secure our data, transactions and connections.
At Mimecast we have elected to adopt ISO 27001 as the cornerstone of Mimecast’s Information Security Management System, as it is globally recognized as the best framework to demonstrate audited and continual improvement and ongoing security management. Recent additions to this framework (ISO 27001:2013) added greater emphasis on keeping supply chains secure. But this isn’t a guarantee of security; it’s only part of a much wider scope of protection, both theoretical and technological.
I also believe protection must be available to employees no matter the device used to access corporate email systems and without adversely affecting user experience.
For example, our own Targeted Threat Protection service immunizes all embedded links by re-writing them to point to Mimecast’s global threat intelligence cloud. This real-time security check protects against delayed exploits or phishing techniques that direct people to good websites at first, only to arm their dangerous payloads afterward.
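To make the time-of-click idea concrete, here is an added example (my own illustration, not Mimecast’s code) that rewrites every link in an email body at delivery time to a hypothetical redirector host, protect.example.net, and only resolves and checks the original URL when the user clicks, so a domain that was clean at delivery but later weaponised is still blocked:

```python
"""Added example (not Mimecast's code): time-of-click link protection.

Every href in an email body is rewritten at delivery time to point at a
checking service (the host protect.example.net is an assumption). The
original URL travels in the query string and is only resolved and checked
when the user clicks, so reputation data that arrived after delivery still
applies to the click.
"""
import re
from html import escape, unescape
from urllib.parse import parse_qs, quote, urlparse

REWRITE_HOST = "https://protect.example.net/click"  # assumed redirector endpoint
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def rewrite_links(html_body: str) -> str:
    """Replace each http(s) href with a redirector URL carrying the original."""
    def _wrap(match: re.Match) -> str:
        original = unescape(match.group(1))
        if not original.lower().startswith(("http://", "https://")):
            return match.group(0)  # leave mailto: and relative links untouched
        wrapped = f"{REWRITE_HOST}?u={quote(original, safe='')}"
        return f'href="{escape(wrapped)}"'
    return HREF_RE.sub(_wrap, html_body)


def rewritten_link(html_body: str) -> str:
    """Pull the first href back out of a body, HTML-unescaped."""
    return unescape(HREF_RE.search(html_body).group(1))


def resolve_click(rewritten_url: str, blocklist: set) -> tuple:
    """Run at click time: recover the original URL and decide allow/block."""
    params = parse_qs(urlparse(rewritten_url).query)  # parse_qs percent-decodes
    if "u" not in params:
        return "block", ""  # malformed redirector link: fail closed
    original = params["u"][0]
    host = urlparse(original).hostname or ""
    verdict = "block" if host in blocklist else "allow"
    return verdict, original


# Constructed sample: a supplier-style invoice mail with one embedded link.
SAMPLE_MAIL = '<p>Invoice ready: <a href="https://invoice-portal.example.com/doc?id=42&v=1">view</a></p>'

if __name__ == "__main__":
    link = rewritten_link(rewrite_links(SAMPLE_MAIL))
    print(resolve_click(link, set()))                                # clean at delivery
    print(resolve_click(link, {"invoice-portal.example.com"}))      # blocked once listed
```

The second call models the delayed-weaponisation case from the paragraph above: the same rewritten link is allowed while the domain is unknown and blocked once the domain appears on the blocklist, without the message ever being re-delivered.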
Enterprises must protect the user when they actually click, so in the (un)likely event you experience the same fate as Target, you’ve supplied the best protection technologically available. This last line of defense has become the only defense against those who seek to abuse the trust we have in our business relationships.