“Saving money and being PCI-compliant is important to us, but equally important is protecting ourselves against intruders. Even though we have some breathing room with PCI, we are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money and hoping [emphasis added] we do not get compromised.”
This is a quote attributed to a member of the IT staff at TJX. (The only source seems to be eWeek. I’ve tried finding the original court filings but was unable to dig them up, and I cannot find anyone else making mention of it.)
Supposedly, this was in response to several money-saving options that the CIO had suggested for keeping their budget in check:
“I think we have an opportunity to defer some spending from FY’07’s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible.” (Also from eWeek)
In this light, the quote at the beginning of the post sounds less egregious. The implication, of course, is that if the IT staff had not agreed that the security risk was low, the stronger encryption would have been implemented. But one wonders: since when is hope an integral part of security? Perhaps the IT staff was browbeaten into submission? It wouldn’t be the first time, if true. Business and organizational research has been studying such issues forever. Some of them are even classics on what not to do, such as the ever-insidious cases of the
I’ve already commented before that consumers were not turned off from shopping at TJX due to the security breach. While I’ve wondered why this might have been—some suggest it was because the credit card companies, not the customers, footed the bill, so customers haven’t felt the pain, except for the ID theft that may never occur—now I wonder if consumers will rethink their position once such details come to light in the popular media (I love eWeek, but most people don’t read this particular publication). After all, it’s one thing to forgive somebody who was caught with his pants down, and another to forgive someone who intentionally decides to flash you, in keeping with the expression. The fact is, TJX actively decided not to go with stronger encryption while “hoping not to get compromised,” which is a breach of another kind: a breach of customer trust. If something like this had happened in
The silver lining on this particular cloud is that the TJX case will give IT department heads everywhere a concrete reference point for the potential impact of a security breach on the bottom line. Projections will be possible; discounted cash flows will be calculated; risk scenarios will be assessed with “concrete” numbers; etc. This will in turn give IT departments the resources to use best-of-breed security measures, such as the encryption services provided by AlertBoot.
Whether your company is an SMB or regularly covered by Fortune magazine, security and data protection will grow to be one of the most pressing issues, if it isn’t already. AlertBoot can be used to secure entire hard disks with advanced encryption. Setup and deployment are easy, with minimal involvement by your company’s IT staff, allowing them to concentrate on more valuable tasks. No company needs to retrace TJX’s steps to figure out that hope is not a shield when it comes to data protection.