Saturday, February 8, 2014

Data Breaches and Risk Management



After reading a couple of articles about IT security breaches that are currently being investigated by the US Secret Service, I have to wonder whether the companies involved had properly tried to control the risks, or whether they decided that they could live with the risk and not put controls into place. The first article I found was about security breaches at a hotel management company called White Lodging; it can be found at http://www.nytimes.com/2014/02/01/technology/latest-sites-of-breaches-in-security-are-hotels.html?_r=0. The second article is about security breaches at Michaels craft stores and can be found at http://krebsonsecurity.com/2014/01/sources-card-breach-at-michaels-stores/.

In both articles the data seems to have been breached in a similar fashion to the breaches at Target and Neiman Marcus: malware is loaded onto the point-of-sale (POS) terminal where credit cards are swiped. The malware captures the card data during the authorization request, when the magnetic-stripe track data sits unencrypted in the terminal’s RAM for a brief period of time (the technique is usually called RAM scraping). After reading both articles, I couldn’t help but associate the breaches with risk management for IT security. I wondered whether this type of breach was something that was even considered during the risk analysis. Did the companies try to control this risk, or did they decide that they had enough controls in place to reduce the risk to a level they could accept?
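To make the mechanism above concrete, here is an added example of my own (it is not code from the original post, from the articles, or from any of the incident reports). It scans a memory image for plaintext Track 2 data, which is exactly the artifact a RAM scraper hunts for, and it is also the check a defender would run against a memory dump of their own POS process to see whether card data is ever exposed. The two memory images, the test PAN 4111111111111111, and the function names (`find_track2`, `luhn_valid`, `mask_pan`) are all constructed for this example.

```python
import re

# Track 2 of a magnetic stripe: start sentinel ';', PAN (13-19 digits),
# field separator '=', expiry YYMM, 3-digit service code, discretionary
# data, end sentinel '?'. This is the layout RAM scrapers search for.
TRACK2_RE = re.compile(
    rb";(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[0-9]*)\?"
)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, used to drop digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most a report should contain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(memory: bytes) -> list[dict]:
    """Return every Luhn-valid Track 2 record found in a memory image.

    Each hit records the offset, the masked PAN, expiry and service code;
    the full PAN and the discretionary data are deliberately not returned.
    """
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group("pan").decode("ascii")
        if not luhn_valid(pan):
            continue  # digits that happen to be shaped like a track, not a card
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": m.group("exp").decode("ascii"),
            "service_code": m.group("svc").decode("ascii"),
        })
    return hits


# Constructed memory image of a POS process that handles plaintext swipes.
# 4111111111111111 is a well-known test PAN; the second record is a
# lookalike whose check digit is wrong and must be ignored by the scan.
PLAINTEXT_POS_MEMORY = (
    b"POSAPP v2.1 auth request\x00\x00"
    b";4111111111111111=16121011234567890?"
    b"\x00log: approved\x00"
    b";4111111111111112=16121010000000000?"
    b"\x00\x00"
)

# Constructed image of the same terminal with encryption at the read head
# (point-to-point encryption): only ciphertext reaches application memory,
# so there is no track structure for a scraper to find. Fixed bytes stand
# in for the ciphertext here.
P2PE_POS_MEMORY = (
    b"POSAPP v2.1 auth request\x00\x00"
    b"\x9f\x1c\x07\xe3\x48\xb2\x6d\xfa\x21\x83\xc5\x0e\x77\x99\x12\xd4"
    b"\x5b\x3a\xee\x08\xc1\x6f\x94\x2b\x80\xa7\x39\xd6\x4c\x15\xf8\x62"
    b"\x00log: approved\x00"
)


if __name__ == "__main__":
    for name, image in (("plaintext terminal", PLAINTEXT_POS_MEMORY),
                        ("P2PE terminal", P2PE_POS_MEMORY)):
        hits = find_track2(image)
        print(f"{name}: {len(hits)} exposed card(s)")
        for h in hits:
            print(f"  offset {h['offset']}: {h['pan']} exp {h['expiry']} svc {h['service_code']}")
```

The first image yields one hit (the lookalike fails the Luhn test), the second yields none. That difference is the risk control in the paragraph above expressed as code: if the card reader encrypts track data before it reaches the application, the brief window in which a scraper can read plaintext from RAM does not exist, and the same scan that a scraper performs comes back empty.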

I’m certain that the magnitude these breaches have reached was not part of their risk management process, but was likely the percentage of unknown risk that is associated with any project. I’m also certain that, with the wildfire spread of this type of data breach, companies that take credit cards, as well as credit card vendors, are taking notice. They will have to either put controls in place to reduce the likelihood of such large data breaches, or be forced out of business by all of the expense associated with cleaning up after these events occur. Then again, maybe they will just pass the cost on to the consumer.