Late last month, Home Depot reported 56 million cardholders were compromised in what The New York Times called the “largest known breach of a retail company’s computer network.” To put that number in perspective, 40 million cards were compromised in the Target breach, 2.6 million in the Michaels breach, and 350 thousand in the Neiman Marcus breach.
According to reports, the hack hasn’t significantly impacted Home Depot’s growth prospects, and the company announced last week that sales have progressed as expected this quarter. However, we have seen a direct correlation between security breaches and lost revenue. Target missed analyst estimates due to large-scale security concerns – and the hack also cost chairman and CEO Gregg Steinhafel his job. According to reports from Bloomberg, the world’s largest home-improvement chain expects to pay about $62 million this year to recover from the incursion, including everything from call-center staffing to legal expenses. Insurance will pick up $27 million of that tab.
Something about the Home Depot breach strikes me as a bit ironic. This company has been a major part of the DIY (do-it-yourself) movement, and unfortunately we have seen that trend spill over into areas that should be the domain of professionals. Of course, I’m thinking of information security.
We’ve all fallen victim to the HGTV effect at one point or another. They bring in an expert with decades of experience to do a major project, and at the end of the 30-minute program, we get to see the flawless finished product. When it looks that easy, we can’t help but think, “I could do that.”
Having the right tools always helps. After a quick trip to Home Depot, I might have everything I need to build a sturdy table or tile a floor. But no amount of professional-grade equipment is going to make it possible for me to build an entire house. You need more than great tools to complete a project of that scope – you need serious experience and know-how.
Similarly, in security, a good tool can go a long way. While I work for a vendor that sells penetration testing tools, we’re the first people to acknowledge that software and hardware alone are not enough to manage a massive enterprise security program. You need security professionals and experienced leaders who can keep the team (and the tools) operating effectively. Just as a professional contractor can make an old kitchen look like new, a security professional can help you put the proper protocols and processes in place.
A great example of relying on tools and not on talent can be seen in Target. They invested heavily in high-end security tools. Everyone in the security industry knows they had FireEye in place, and when the intrusion began it worked just as it was supposed to: it detected the malicious activity and raised alerts. But nobody within the security team ever acted on those alerts. While they had the right tools in place, they didn’t have an effective process for triaging and responding to the red flags the tools were generating. Perhaps the biggest indication that they valued tools over know-how was that they didn’t have a chief information security officer (CISO) in place. Without a leader who has visibility into the entire security operation, who is responsible for implementing and maintaining those essential protocols and processes, and for making sure an alert is owned by someone until it is resolved?
For some reason, corporations think nothing of bringing in professionals for finance-related activities, human resources, training, etc., but are hesitant to spend money on true security professionals. I’m all for do-it-yourself, and I am a big fan of both Home Depot and the weekend project. However, I am also a big believer that certain activities should be left in the hands of trained professionals. Taking on a small-scale security project? The right tool might be enough to get your team by. Running a major enterprise security program? You had better have experienced leadership in place to tackle that job.
More from Mark Hatton
- America’s Do It Yourself Warehouse Shines a Light on the Problem of Do It Yourself Security