What is the Target-Effect?
Submit your questions to: [email protected]
This week we have a somewhat cynical question from Mr. Stephen Blakley of Pasadena, CA:
“Q: What is the "Target effect" and are retail organizations really getting serious about security?”
Well, Mr. Blakley, the Official Mr. Security Answer Person Dictionary has this definition for that term:
Tar·get Ef·fect [tahr-git] [ih-fekt] noun
1. Something that is produced by using a bull’s-eye as your corporate logo; result; consequence: If both your company’s name and its logo invite attacks, you might want to avoid the Target Effect by at least paying attention to the Critical Security Controls.
2. A mental or emotional impression produced, as by the rapid resignation of both a CIO and a CEO: The Target Effect has many CISOs wondering if getting LinkedIn requests from the CEO and CIO is really a good thing.
3. The net result of focusing on compliance over customer security before a breach, and on corporate liability over customer security after a breach: The PCI compliance regime sure has produced a lot of Target Effects.
As to your second question, Mr. Blakley, retail is a very varied world, from the guy in the cardboard box at Fisherman’s Wharf who takes credit card payments for telling your fortune, to retail giants like Walmart, Target, etc. The same wide range holds for online-only retail merchants.
I think a lot of the biggest security problems in retail come from the “brick and mortar” retailers who moved into online selling. The physical retail industry has long treated “shrinkage” (employee theft and shoplifting) as its major security risk, because shrinkage had about a 3% impact on the bottom line: 1.5% in actual inventory loss, plus 1.5% spent on loss prevention to keep the loss at 1.5%.
That loss-prevention mentality, and the assumption that spending about 1.5% of the IT budget on security would be enough, did not hold up when the big brick-and-mortar retailers grafted online selling onto their operations. Walmart had a major hacking incident back in 2006, and everyone remembers the huge TJ Maxx breach in 2007. Target apparently didn’t learn much from these earlier “Effects.”
Another reason it is hard for retailers to “take security seriously” is the wacky world of credit card payments and the PCI compliance regime, which has mainly been set up to protect the card brands and banks rather than consumers or retailers. That is a very long topic I won’t get into today, but you can get a flavor by reading the comma-laden first line of Dickens’ “A Tale of Two Cities” here. Or you can buy the entire book online!