The now infamous security breach at Target happened during last year’s holiday shopping season, but its effects are still felt five months after the whole fiasco began. In a recent turn of events, Chief Executive Officer Gregg Steinhafel stepped down from his post in the first week of May, causing corporate boards across the United States and the world to reassess the importance of data security oversight and reconsider the far-reaching impact of cyber crime.
The Secret Fraud of 70 Million Customers
Between Nov. 27 and Dec. 15, 2013, as many as 40 million Target customers were exposed to fraud. On Dec. 13, the U.S. Justice Department met with Target executives to discuss the matter. In the next several days, Target hired a third-party forensics team to investigate the security breach and discovered that cyber criminals installed malware on its point-of-sale network. The company removed the malware from registers across the country to prevent future attacks, though it did nothing to undo the theft that was already done.
People still didn’t know what was going on, but on Dec. 18, the blog Krebs On Security reported about the fraud, prompting the Secret Service start an investigation. Finally, on Dec. 19, Target publicly acknowledged the security breach, reporting that credit/debit card numbers and expiration dates were compromised.
Fast forward to Jan. 10, 2014, and Target announced that an additional 70 million customers were exposed to fraud, and that this time, email addresses were determined to be also compromised.
How Target Lost the Game
Target laid off 475 employees, both at its Minneapolis headquarters and branches all over the world, and left another 700 positions unfilled. Costs related to the breach amounted to $200 million. Sales were at an all time-low. In Q4 2013, profits dropped by 46 percent compared to the same period in 2012. The company’s stock fell more than 3 percent. But in spite of the low sales, Target invested $100 million in improving security standards. First, it provided customers with free credit monitoring and fraud detection. Next, it transitioned to chip-and-PIN technology for credit and debit cards in an effort to improve security and regain the trust of its customers. It also focused on a new approach to security standards after Chief Information Officer Beth Jacob left the company in early March. Bob DeRodes, with his 40 years of experience in information technology, replaced Jacob as CIO.
Then, on May 5, 2014, CEO Gregg Steinhafel resigned from his post after 35 years of working for the company. He and the corporate board agreed that it was the right time for Target to be under a new leadership, making him the first big boss of a major corporation to lose his job over a security breach involving customer data. Upon Steinhafel’s exit, CFO John Mulligan was named interim CEO.
Steinhafel’s resignation highlights the fact that CEOs are now at direct risk in this age when security breaches are becoming increasingly common.
Steinhafel served as Target’s public face, so when the company lost the good reputation it had built and the trust it had gained over the years, it needed to start with a clean slate — and that included letting the incumbent CEO go.
Why Everyone’s Paying Attention
According to What Directors Think, a 2014 survey released by integrated corporate resources suite NYSE Governance Services and executive search firm Spencer Stuart, boards are now looking for directors with a strong IT background, along with other expected attributes such as CEO experience, financial expertise, and industry knowledge. Almost 600 directors from various industries participated in the said survey.
Furthermore, 40 percent of those surveyed said understanding of risk oversight still has plenty of room for improvement. Risks come from many sources, but a big portion of them now comes from developments in technology. Boards need to assess their IT skills to determine whether or not they can handle IT issues from social media blunders to nationwide data leaks.
The survey results show that boards are already aware of their need, but the Target security breach further drives it home. If they haven’t realized it before, then CEOS and corporate boards are realizing now just how much is at stake if IT risk oversight is not as strong as it needs to be. And this time, it’s personal. It’s no longer about laying off people in middle management anymore. C-suite managers stand to lose their jobs, too. It’s a threat business leaders in previous generations didn’t have to face. But in this digital age, it’s a very real possibility.
The immediate and long-term effects of the security breach on Target also highlight the magnitude of losses a company can incur after just one incident of cyber crime. Although Target is recovering slowly, it’s still reeling from the consequences. If a company as big as Target isn’t spared from cyber crime, then what are other companies doing to ensure their preparedness? This question is definitely food for thought for corporate boards.
What You Need to Learn From This
The effects of today’s technology risks are almost immediate, leaving companies with a short time to react and perform damage control after an incident. The best approach, therefore, is offensive AND defensive. Prevention is critical more than ever because the cure can’t bring back damaged reputation and broken trust. But with the growing number of threats everyday, blocking all attacks may not be a realistic goal. In some cases, early detection and quick mitigation of effects are more productive as an approach to handling cyber threats.
Another lesson: As always, communication is key. In the event of a security breach, customers should be informed as soon as possible. It’s their right to know what’s happening to their personal data, and it’s also a good way for companies to save their reputation. The fact that the Target security breach was first reported by Krebs on Security and not by the company itself didn’t help matters in any way. People were left confused and panicked, causing them to clog up Target’s customer service hotlines.
To sum up, technology isn’t exclusively the IT department’s and the CIO’s concern anymore — it’s the whole C-suite leaders’ and the corporate boards’. In order to make quick decisions in critical situations, business leaders should have IT expertise — and not just financial knowledge, managerial experience, or industry know-how — to save their companies and their jobs.
—
Directors will gain IT expertise faster if they’re comfortable with technology in the first place, and the only way to do that is to let them experience it.
A good way to begin is through Convene, a secure board portal solution that works on different devices and operating systems. Directors can use Convene to attend remote meetings from any location, access meeting documents whenever they want, and make digital annotations without losing the paper experience.
To know more about the software, request for a demo or quotation.
Farah is a corporate governance analyst and business development manager of Convene’s MENA team. Owing to her experiences working in a boardroom, she is an expert in leadership roles and corporate governance best practices. Farah has been recognized by Convene for her extra commitment in imparting knowledge about effective management.