Companies that suffer major data breaches almost always portray themselves as victims of cutting-edge attack techniques and tools. The reality, though, is often much more mundane.
Case in point: Target, which last year was hit with a major data breach that exposed to hackers data on some 40 million credit and debit cards and personal data on another 70 million customers.
The retailer on Thursday acknowledged that it could have mitigated or even avoided the breach had it paid closer attention to alerts generated by its security monitoring tools.
Target spokeswoman Molly Snyder said the company investigated but ultimately dismissed early signs of a data breach. "Based on their interpretation and evaluation of that activity, the [Target security] team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different," she said.
Target isn't alone in making such mistakes, says Joe Schumacher, a security consultant for Neohapsis, a security and risk consulting company.
"I have seen enterprises roll out very expensive systems to handle security monitoring, yet there is no subject matter expert for this technology or risks within the enterprise," he said.
Often, companies deploy security technologies with default alerts, resulting in many false positive warnings, Schumacher added.
"Any organization looking to implement security technologies should make the same investment in their people to help configure the technology," he said.
Eric Chiu, president and co-founder of HyTrust, a cloud security company, added that companies often ignore security alarms because they are numb to them, because they get too many false warnings, or because they are understaffed.
"You can have all the alarms you want, but unless you put security in a prominent position in the company and have enough staff to review them, those alarms don't mean anything," he said.
While alarms are great at signaling that something bad may be happening, they're just a means to monitor for inappropriate actions, he said.
In Target's case, a newly installed network monitoring tool from security vendor FireEye alerted Target security personnel to malware on its networks on two separate occasions before it was hit by hackers, according to a Bloomberg BusinessWeek report. The installation of the tool cost Target around $1.6 million, according to Bloomberg, which interviewed several former Target employees, law enforcement officials and security researchers familiar with the case.
According to the report, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target's headquarters in Minneapolis, who apparently failed to follow up.