Asset management critical to IT security

It's been a year since Target's data breach and retailers are still vulnerable even as the busiest shopping season kicks into high gear, warn security experts, largely due to a lack of focus on asset management.

IT spending among retailers reached roughly $70 billion in 2014, according to Dr. Barbara Rembiesa, CEO of the International Association of Information Technology Asset Managers (IAITAM). And still breaches continue with more shopper data stolen in 2014 than any previous year.  

It's a pattern likely to continue in 2015 as long as companies focus on window-dressing IT security solutions that fall short by failing to include a solid foundation of IT asset management (ITAM), Rembiesa said: "The Target debacle triggered an 8 percent increase in spending on 'IT security' but did very little to slow down the tide of major data breaches. The reality is that companies that have taken these steps are treating the symptoms but not the underlying problems. By focusing only on narrowly focused and superficial IT security 'solutions,' companies are putting the cart before the horse and they're going nowhere."

Retailers should be assessing security systems in a methodical manner, one that assesses priorities above costs, particularly when it comes to assessing third-party vendors (the source of Target's breach).

"In the past, retailers have prioritized based on dollars. Whichever I'm paying the most to is where I'll focus my risk analysis, but they should be prioritized based on risk, and risk doesn't neccesarily equate to dollars," said Carolyn Holcomb, partner and leader of PricewaterhouseCoopers (PwC) data protection and privacy practice.

"A significant number of the breaches are often caused by vendors but it's only been recently that retailers have started to focus on that," said Holcomb. "It's a fairly new concept for retailers to look outside their walls."
Have a plan in place, should a breach occur. Know who is responsible and what actions to take, advises Lillian Borsa, performance, governance, risk and compliance principal at PwC. "Know who is responsible and what actions to take. You should be prepared during this very critical holiday season."

What happens after a threat is discovered is as important as the discovery itself, according to Rembiesa. "Communications management accelerates the speed at which a discovered threat can be locked down and addressed."

Rembeisa points to Home Depot's (NYSE:HD)) breach in August 2014 as a perfect example. "That breach occurred during a patch on Microsoft Windows, which hackers exploited to steal and sell data from 56 million credit cards. Effective communications practices ensure that as threats are identified, they are not just addressed, but immediately communicated institution-wide in a way that allows for immediate quarantine," she said.

"When you look closely at the biggest data breaches of 2014, even the best IT security solutions alone could never prevent them. This has been the biggest ignored lesson of the year. If companies are to stop these attacks in 2015, they must first recognize that the true source of nearly all major breaches are more foundational and stem from nonexistent or inadequate IT asset management procedures."

It's also critical that retailers solicit input from multiple departments within an organization. "Reaching out to key stakeholders within the business to get that input is enabling them to think about this through a different lens," said Borsa.

Because asset management is not the same as IT security, it's imperative to manage vendors and address asset management, warned Rembiesa. "Focusing on IT security without addressing IT asset management may provide some degree of comfort in board rooms and C suites looking for a quick fix, but it is an illusion."

For more:
-See this IAITAM announcement

Related stories:
Home Depot confirms 53 million email addresses stolen, blames Windows
Add another to the list: Staples investigating data breach
Supervalu becomes latest data breach victim
Home Depot may have left data vulnerable
Home Depot and Target hacks the work of different groups