The biggest data breach in retail history didn’t come as a surprise to ex-employees of Home Depot, the New York Times claims. Upon interviewing some of the staff – who wish to remain anonymous – it became very clear that information security was last on management’s list of priorities. Quoted in the newspaper, several former Home Depot employees said that ‘over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”’
This ‘backward-thinking’ approach to information management can be immensely damaging to a company, as Home Depot has recently found out. Security experts were shocked that one of the world’s largest retailers was caught out so easily, especially coming after last year’s breach of Target, which affected more than 40 million cards.
Yet it’s not only poor staff awareness and a lack of appropriate training that led to the breach. According to the New York Times, Home Depot’s computer security was a “record of missteps”, which I’m sure many companies across America can relate to:
- Outdated software
Ex-computer security employees of Home Depot have said that managers relied on outdated Symantec antivirus software from 2007 to ‘protect its network’. This outdated software was what scanned the systems that handled customer information, leaving sensitive data exposed to attack.
- Careless vetting of employees
In 2012, Home Depot hired a computer engineer to help oversee security at its 2,200 stores. As it happens, that engineer was responsible for deliberately disabling computers at the company where he previously worked and has since been sentenced to four years in prison.
As the story of Home Depot’s data breach unfolds, there is now no doubt that senior management were complacent about information security. Employees have said that the company was slow to respond and only belatedly took action.
They also said that the company performed vulnerability scans irregularly. The Payment Card Industry Data Security Standard (PCI DSS) requires large retailers like Home Depot to conduct scans at least once per quarter to maintain their compliance. Two former employees said that only data centers in Texas and Atlanta were scanned, and more than a dozen were ‘off limits’ for assessment.
Avoiding data breaches
No one said being cyber secure would be easy, but it’s much less painful than suffering a data breach.
Many businesses are choosing ISO27001 as the framework to base their information security management systems on. The international cyber security standard has long been regarded as the leading framework for implementing an information security management system (ISMS) that enables organizations to obtain an independent certification to prove their cyber security credentials.
Information security management frameworks like ISO27001 are not only critical for your survival but also help you address the process, people and technology issues that affect an organization’s level of cyber security. The international information security standard, ISO27001, mandates that:
- All employees of the organization shall receive appropriate awareness education and training. (A.7.2.2)
- All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. (A.11.7.2)
- Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. (A.7.1.1)
ISO27001 plays a key part in helping organizations in the fight against cyber crime. Our recent infographic gathers the latest facts and figures on cyber crime in the US, and offers suitable solutions to fight back.