Target Case Analysis Example 2
Northeastern University, Course 6204 (Information Systems), Apr 3, 2024
Target Case | 03/17/2024
Q1: Who should be fired and why?
Beth Jacobs (CIO): The CIO is responsible for the structure of Target’s systems and how they detect breaches. Furthermore, the CIO is responsible for how the systems are segmented, and because the systems were not properly segmented, the hackers gained access to customer data through Fazio. This was also done through the “POS system which two months prior to the breach, the security team found vulnerabilities in” [1], but failed to get the executive team to investigate. “FireEye, Inc. alerted the CIO’s security team to multiple malware intrusions however they were ignored” [2], due to an inefficient naming process. The inefficiencies in this process fall on the CIO, who is responsible for the structure of these information systems. To make matters worse, the “system has an option to automatically delete malware as it’s detected, but the security team turned that function off” [3]. It’s unclear why this decision was made; however, it falls to the CIO, who according to the ISS was already inexperienced for this role.
Gregg Steinhafel (CEO): The CEO misled and mishandled this cyber breach. To start, he lied to the public when “he [said] on CNBC he found out about the breach on 12/15/13, however the DOJ contacted Target’s executive team on 12/12/13” [4]. Target’s poor messaging caused more damage to its reputation but, more importantly, to customers’ data privacy, and this ultimately falls on the CEO. On 12/20/13 the CEO misled the public again by writing “there is no indication that PIN numbers have been compromised” [5]. However, Target had to reverse course a week later, so customers who previously thought their accounts were safe potentially lost funds. Lastly, the executive team knew that the POS system had vulnerabilities in it, as mentioned above, and chose not to act on it. The CEO would have been privy to this sort of information and failed to protect customer data. Since the CIO reports to the CEO, both were privy to the above knowledge, which could have prevented a breach.
Q2A: Prevention

| PPT | Key Issues | Recommendations |
| --- | --- | --- |
| People | CIO with lack of experience | Hire a CIO with more experience |
| Process | Poorly segmented networks and third party security | Fix segmented networks and make third party partners improve their security systems |
| Technology | Inefficient and generic malware alert system | Develop a more robust alert system by classifying alerts based on potential severity |
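The Technology row recommends classifying alerts by potential severity instead of handing analysts a generic vendor label. As an added illustration that is not part of the case document or of any Target or FireEye tooling, the following Python triage routine scores each alert by the asset class it touches, the detection category, and how often the same category has already fired on the same host, then rewrites the generic label into a descriptive one. The asset classes, category weights, field names and sample alerts are all constructed for the example.

```python
"""Severity-based alert triage (added example; all names and data constructed)."""
from collections import Counter
from dataclasses import dataclass

# Constructed asset classes: payment systems and vendor access paths weigh most.
ASSET_WEIGHT = {"pos": 40, "vendor_portal": 25, "corp_workstation": 10}

# Constructed detection categories and their base scores.
CATEGORY_WEIGHT = {"malware": 40, "auth_failure": 15, "policy_violation": 10}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str       # detection tool that raised the alert
    category: str
    asset_class: str
    host: str
    raw_name: str     # the tool's generic label, e.g. "malware.binary"


def severity_score(alert: Alert, prior_on_host: int) -> int:
    """Return a 0-100 score; prior_on_host = earlier alerts of this category on this host."""
    score = CATEGORY_WEIGHT.get(alert.category, 5) + ASSET_WEIGHT.get(alert.asset_class, 5)
    # Repeated detections on one host suggest an active, unresolved intrusion.
    score += min(20, 5 * prior_on_host)
    return min(100, score)


def severity_label(score: int) -> str:
    """Map a numeric score onto the queue an analyst works from."""
    if score >= 70:
        return "critical"
    if score >= 45:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def triage(alerts):
    """Return (label, score, alert_id, descriptive_name) tuples, highest severity first."""
    seen = Counter()
    results = []
    for a in alerts:
        key = (a.host, a.category)
        score = severity_score(a, seen[key])
        seen[key] += 1
        # Replace the vendor's generic name with something an analyst can act on.
        name = f"{a.category} on {a.asset_class} host {a.host} (vendor label: {a.raw_name})"
        results.append((severity_label(score), score, a.alert_id, name))
    results.sort(key=lambda r: -r[1])
    return results


# Constructed sample alerts, deliberately in arrival order rather than severity order.
SAMPLE_ALERTS = [
    Alert("A1", "edr", "malware", "pos", "pos-017", "malware.binary"),
    Alert("A2", "dlp", "policy_violation", "corp_workstation", "wks-203", "policy.generic"),
    Alert("A3", "edr", "malware", "pos", "pos-017", "malware.binary"),
    Alert("A4", "iam", "auth_failure", "vendor_portal", "vp-01", "auth.fail"),
    Alert("A5", "edr", "malware", "corp_workstation", "wks-044", "malware.binary"),
]

if __name__ == "__main__":
    for label, score, alert_id, name in triage(SAMPLE_ALERTS):
        print(f"{label:8} {score:3}  {alert_id}  {name}")
```

Run as a script, the repeated malware detection on the POS host lands at the top of the queue (score 85, then 80 for the first hit), while the generic policy alert on a workstation drops to the bottom; the descriptive name carries the asset class and host so the alert cannot be dismissed on its vendor label alone.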
Q2B: Response

| Facts | Causes | Resolutions |
| --- | --- | --- |
| “Started prepping its stores and call centers to answer customer questions on 12/17/13” [6] | Target initiated an investigation two days earlier | Proactively create different lines of customer breach prep for stores and call centers through simulations |
| “Krebs on Security released findings of the data breach to the public on 12/18/13” [7] | Credit card issuers informed Krebs and the Secret Service confirmed an investigation | Don’t refuse to confirm the incident, but inform the public of information as it’s available |
Q3A: Information security is part of the new R&C committee charter because this committee serves to mitigate risk, and cybersecurity risk impacts every aspect of Target’s business.

| BOD Oversight Steps | Example 1 | Example 2 |
| --- | --- | --- |
| Understand Cyber Risk | Brief the BOD on different cyber risks and advocate for training on these risks | Bring in a third party cyber risk expert to evaluate previous cyber risk plans |
| Evaluate Approach | Develop training modules depending on employee function | Review previous approach to cyber risk |
| Prioritize Cyber Risks | Diagnose cyber risk by seasonality and location, for example prioritizing cyber risk education during holiday seasons | Advocate for more third party security system monitoring |
| Technology Roadmap | Create pathways from the bottom up so that the BOD will be aware of future breaches, depending on severity level | Advocate for improved internal and external firewall protections |
| Testing Response Plan | Create simulations of breaches that different business functions will have to go through periodically | Develop a more customer friendly interface for when a breach happens in the future |
Notes [1]–[7]: Srinivasan, Suraj; Paine, Lynn; Goyal, Neeraj. “Cyber Breach at Target.” Harvard Business School Case 9-117-027, January 10, 2019.