As Home Depot’s recent cybersecurity breach emphasizes, there is no time like the present to institute controls designed to prevent an attack. In the latest data security breach, Home Depot’s servers were broken into, and an estimated 60 million credit card numbers were stolen. This would make it the largest data breach in history.
Aware of the risks of data breaches, just weeks after Target’s data breach went public in December 2013, Home Depot began designing a protocol to encrypt its payment card data. However, it tested its protocol for four months before signing a contract with a data security provider. By April, when the company signed a contract worth upward of $7 million with a data security provider to begin its new card security initiative, hackers had likely already compromised its payment systems. And when it learned that the hackers penetrated its system in early September, it had only rolled out the encryption system to one-fourth of its 2,200 stores in the U.S. and Canada.
There are likely to be far-reaching consequences. For Home Depot, its reputation is now compromised (it likely let cybercriminals access personal information without detecting the intrusion), and it will have to spend a significant amount on free identity theft protection for all of its customers.
However, businesses as well as their outside counsel should learn from Home Depot’s mistakes by taking immediate steps to design and implement a robust security framework that aligns their people, processes, and technology to maximize their protection.
Some examples of appropriate security precautions include the following:
- Design and deploy a regular training program designed to inform employees of the risks associated with mobile devices, malware, phishing, and other cyber-attacks that can expose confidential data
- Inventory data and create a data map
- Draft and enforce policies that restrict the use of cloud-based applications and file-sharing services
- Require the use of strong passwords and two-factor authentication
- Encrypt data that is proprietary, confidential or otherwise valuable
- Minimize the risks of mobile devices and the cloud by restricting the use of unsanctioned applications
- Know your cloud providers’ security infrastructure, policies and procedures
- Retain outside consultants to regularly test IT systems for cyber-attacks and system weaknesses
Law firms and businesses are generally conservative when it comes to adopting new technology, but they should expedite the decision-making process for security measures. Although it is eminently reasonable to test new tools thoroughly before employing them, speed in implementation is critical, as hackers are usually one step ahead.