Target Corporation’s Failure to Secure Data
Target Corporation is a retail and services business that handles a large amount of sensitive information about its customers and clientele. The company failed to detect and locate malware installed in its systems, which allowed cybercriminals to steal vital sensitive information related to its clients. The company is therefore required to implement a strict Information Assurance Plan (IAP) to examine and understand the various risks and issues present in the organization. Data is gathered to identify the considerations that would significantly improve data security and management in the organization. Target Corporation aims to identify its data and the processes it owns, reducing the chance of risks occurring and protecting vital information (Coburn, Leverett & Woo, 2018). The company also aims to understand the types of data that can be accessed during a breach so that it can find appropriate response measures and reduce reputational and financial damage.
Target Corporation handles a large amount of sensitive data belonging to its clients and employees. The organization lacks effective measures to uphold data confidentiality, integrity, and availability because it has no effective information assurance plan. Target Corporation was negatively impacted by the breach, in which the information of 40 million credit and debit cards was interfered with by unauthorized personnel. The company also failed to protect the personal information of its clientele, with over 70 million accounts compromised. The vital information involved included victims’ names, debit and credit card dates, card verification numbers, dates of birth, email addresses, etc. The data breach showed how the company fails to protect the user data it holds (Gwebu, Wang & Wang, 2018). The organization lacks an effective data management and governance strategy that could secure vital data (Lillie & Eybers, 2018). Thus, the organization clearly needs a structured Information Assurance Plan to achieve data security and address customers’ issues.
The Information Assurance Plan would treat security as the highest priority, enforcing data confidentiality, integrity, and availability. The IAP would enforce confidentiality by preventing the disclosure of information to any unauthorized system or individual. It would ensure integrity by maintaining the accuracy of data and keeping data consistent and clear over its entire lifecycle. Finally, it would ensure availability through effective data management, so that data is available whenever and wherever it is needed.
The organization has focused on delivering effective data security measures for its clients and employees but fails to address the gaps in its traditional information assurance plan for a more customer-centric approach (Gupta & Ramachandran, 2021). The present plan comprises traditional data security awareness training sessions and system upgrades under a new leadership strategy that focuses on the importance of cybersecurity. The plan also sets out traditional security measures for managing workstations, servers and operating systems. The practices to be implemented are effective data management measures such as file data protection, secured web browsing and virus detection, and sophisticated security tools like smart cards and biometrics for business system security. However, the company lacks effective risk and patch management to recover from issues and apply new upgrades to its existing systems. The major barriers to implementing a proper plan in the organization are the lack of funding and the resulting lack of appropriate resources (Qassim et al., 2019). These barriers also lead to unauthorized access, owing to a lack of security understanding and ineffective technical expertise inside the organization. The employees do not understand the requirement for data security or the need for a significant information assurance plan.
The Need for an Information Assurance Plan
Target Corporation is a retail company that handles a wide variety of personal and sensitive information about its employees and customers. The rise of digitalization and the globalization of technologies has exposed it to the negative impacts of sophisticated cyber threats. The major threats found in the organization are cyberattacks such as phishing scams, DDoS, data breaches, ransomware, card fraud, inventory hoarding that leads to a denial of adding contents to the online cart, and point-of-sale attacks in the form of debit card and credit card attacks (Khan, Brohi & Zaman, 2020). The company previously faced a data breach in 2013, which exposed a vast amount of personal data to cybercriminals. The threats with the greatest impact on Target Corporation come from hackers trying to steal vital information from victims’ cards or from the target.
The attackers tend to install harmful malware connected with the retailer’s point-of-sale system (Srinivas, Das & Kumar, 2019). The company previously failed to identify the infected system for days, leading to major data threats. The malware is used to record the data collected by the card machines and spreads itself to other vital parts of the organization (Alshamrani et al., 2019). The data collected by the cybercriminals can be interfered with or sold on illicit marketplaces (Tahir, 2018). The company lacks a proper intrusion detection system and strong firewalls for its network, servers and systems.
The system lacks security measures for checking unauthorized access and blocking suspicious activities. Such activities would negatively affect the organization, significantly decreasing the confidentiality and integrity of the information held by the retail company. Another threat visible in the company was the generation of fake receipts. The company is also affected by IoT vulnerabilities, as IoT is one of the leading innovations used to improve inventory and staff tracking by retailers. Ransomware locks the data present on a network or device and holds it for ransom (Hassan, 2019). The gift card systems and online retailer coins can be compromised, allowing cybercriminals to steal funds unconditionally using fraudulent receipts. These technologies are used in the organization to improve the retail supply chain and allow faster shopping. Retailers and vendors communicate with each other with increased connectivity to improve performance and operations.
The company keeps its employees in the dark, with limited knowledge of data security measures and threats. There are no measures for protecting client data from unauthorized access. The major cybersecurity threat that the organization faces is malware, which is installed in the system to block authorized access, along with harmful software that might make the system inoperable. Emotet is a recent threat: a modular banking virus or Trojan that functions as a downloader of other Trojans and can cause major financial threats (Kuraku & Kalla, 2020). Man-in-the-middle attacks occur when cybercriminals insert themselves into two-way communications between victims, filtering and stealing confidential data (Hussain, 2020). The SQL injection technique allows malicious code to be inserted into the server database using SQL. The injection helps in releasing server data. One of the most vital threats that Target Corporation faces is the failure to adopt appropriate measures to protect user passwords, which can result from a lack of strong passwords and breaks standard security protocols. Another essential threat that might affect Target Corporation is social engineering, which exploits social interaction to steal user data and gain access by pretending to be a source of information (Mattera & Chowdhury, 2021). The company has no patch management for applying software upgrades, leaving it without proper upgrades for the software present in its systems. System patches are meant to mitigate vulnerabilities in the system and to ensure data management in the software that operates in the organization. Thus, all these major threats must be analysed deeply to understand the considerations that can help improve the functionalities of the organisation’s operations.
Implementing the Information Assurance Plan
The information assurance plan made for Target Corporation would provide a set of guidelines, rules and protocols to protect its information technology assets. The new plan is designed to ensure that the information available in the new system can be accessed only by the company’s authorised personnel. The security plan ensures compliance with the major factors that help mitigate the data management problems arising in the system, preventing their negative impact. The current protocols and policies would start with security awareness programs for employees and customers, teaching them about data breaches and other cyber security issues. The employees are taught effective measures to mitigate the issues with urgency. The security plan checks the integrity and availability of the data and information present on workstations, servers and platforms. The company needs to implement a plan to enforce file protection measures, secure the web browsing experience, and detect malware and viruses (Tsochev et al., 2020). The company has considered regulating its current system with biometrics, smart cards and more to add an extra layer of security (Lohachab, 2021). The system must detect intrusion, keep logs of necessary incidents to be analysed later, and allow constant and automated patches and upgrades to the system software. The plan also looks to find the best measures to ensure physical security.
The company must focus on risk management by building a risk matrix to analyse the major risks present in the organization, finding the severity and probability of each risk in order to derive its impact on the organization. The plan must be reviewed and maintained regularly as major risks arise in the organization (Aldawood & Skinner, 2019). The plan must be regulated accordingly to outline the principles and describe the procedures in detail. The organization must mitigate the ever-evolving problems of cybercrime. The plan would provide an information security framework for making effective changes to the major principles derived, sustainably altering practices to change the way operations are carried out.
The major areas for improving the information assurance plan are:
- Encrypt all the sensitive data stored across the organization’s systems, applications, software, and databases. Encryption protects the data from cybercrime by hiding it from unauthorised personnel. Encryption must be automated and completed as required (Borky & Bradley, 2019).
- Regulate file access permissions: Employees’ access can be regulated according to the requirements of the business. Each employee’s access to the system must therefore be regulated to define who can access client and employee data, including the employee’s right to email, print, save or export from the organizational database.
- Protect data across applications: Data on devices must be protected, because sharing files over the system network introduces many potential vulnerabilities to Target Corporation.
- Understand the current risks found in cybersecurity: The latest patterns and approaches affecting the current system need to be understood with urgency, taking account of the current risk trends that arise in the organization.
- The standards of the system need to be regulated, building standards that provide an appropriate IT governance strategy for risk management and designing the plan to help the company manage its security principles in a centralized manner (Kiff et al., 2020).
- The information assurance plan must provide for remote access to files, password development and management strategies, and guidelines for proper use.
The risk assessment carried out for the new information assurance plan describes the overall processes and the methods identified for detecting the various risk and hazard factors that have the potential to cause damage. The risk assessment also helps analyse and evaluate the risk associated with each hazard, which is known as risk analysis or evaluation. The best practices are identified as mitigation strategies aimed at removing the threats present in the system (Ghadge et al., 2019). The risk assessment is done to understand the factors, situations, and processes that may harm the system and, in particular, the organization’s employees.
The risk assessment strategy is the overall process comprising the identification of risks or hazards, risk analysis, risk evaluation and risk control. Hazard identification is the process of searching for, listing, identifying, categorizing and grouping the risks and hazards found in the system. Risk analysis is the process of understanding the nature of a risk and determining its level (Crisafulli, 2021). The analysis draws on historical and current data as well as informed opinions, theoretical analysis and the perceptions of users and stakeholders. Risk analysis deals with estimating the level of risk. Risk evaluation compares the estimated risk against the risk criteria to determine the significance of the risk.
Barriers to Implementing the Plan
A risk assessment needs to be conducted before new processes or activities are introduced to the new system of Target Corporation. The existing processes need to be analysed along with the new ones, identifying their harm, level of probability, severity and impact. The risks need to be mitigated with urgency, using best practices to eliminate, control and evaluate the risks present in the current system. The risk assessment needs to be documented at every step, outlining the details of the risks and assessing the situations.
Risk assessment is supported by a risk matrix, also termed the severity and probability matrix, a visualization tool that depicts the risks that might affect the whole retail business. The risk matrix analyses the probability of each risk, which determines the likelihood of it occurring in the system, its severity or threat level, and the impact derived from these two factors (Adamson, 2022). The impact of a risk on the organization can be categorized into 4 types: Extreme, High, Moderate and Low. Extreme is shown in “Red”, High in “Orange”, Moderate in “Yellow”, and Low in “Blue”.
The risk matrix is used to understand the necessary tasks and to prioritise the risks with the higher impact. The risk impact is calculated through robust analysis of the risks present in the organization (ExamsPM.com, 2020). The visualization tool is a major strategy for mitigating and managing risks. The environment around the system is evaluated continually, so that the analysis provides a real-time view of emerging risks. To develop the matrix, the risk landscape needs to be identified to get a view of the bigger picture. The various strategic, operational and external risks are identified. The severity and probability of each risk need to be discussed to determine the risk criteria. Each risk is then assessed for its level of impact by multiplying its severity by its probability, and its serial number is plotted on the probability-severity impact chart. The risks are prioritized according to their level of impact on the organization. A mitigation strategy is then found to determine the approach for minimizing the impact of each risk on the various aspects of Target Corporation.

| Serial No. | Risk | Description | Probability | Severity | Impact | Mitigation Strategies |
|---|---|---|---|---|---|---|
| 1 | Phishing Scams | The malicious links are sent via email and media to gain personal information. | 2 | 3 | 6 | The individuals need to check the links to identify spam and detect bad links. |
| 2 | DDoS | The attack disrupts the flow of traffic in the network of the company. | 2 | 2 | 4 | Install specific network equipment made for protecting the network. |
| 3 | Data breach | The data gets stolen from the system of the owner without authorization | 3 | 5 | 15 | Install a new Intrusion detection and mitigation system to monitor the network to find out the intrusion and mitigate the issues found. |
| 4 | Ransomware | The attack facilitates locking and encrypting the victim’s data and information. | 2 | 1 | 2 | The system must ensure regular backups to not get disrupted and continue service even if attacked. |
| 5 | Card fraud | Scammers gain personal information to access the credit card’s value, leading to fraud. | 4 | 3 | 12 | The card information must not be stored in the system at any cost to protect the vital information. |
| 6 | Inventory hack | Malicious codes can be put in the system to lead to the denial of adding contents to the online cart | 1 | 2 | 2 | The network intrusion detection and mitigation strategies should help monitor the system regularly to check malicious codes that might hamper the flow. |
| 7 | Denial at point of sale | The denial at the point of sale allows blocking payments and stealing card information from the victims | 2 | 5 | 10 | There should be an appropriate firewall in the system network and encryption to protect the data present at the point of sale. |
| 8 | Failed malware identification | The system lacks understanding of the points where the Malware has been installed in. | 5 | 5 | 25 | The network intrusion detection and mitigation technique should be allowed to detect disruptions present in the network identifying the necessary Malware that can negatively affect the system. |
| 9 | Lack of firewalls | The lack of firewalls might lead to the network-facing unnecessary downtime from the malicious attacks | 4 | 4 | 16 | The firewall must be installed to protect the network from every possible direction to mitigate the threats. |
| 10 | Unauthorized access | Cybercriminals can utilise the system by using unauthorized access to gain hold of the system. | 1 | 3 | 3 | The company must take help from the network intrusion detection tool to mitigate the problems by implementing strategies like two factor and multi-factor authentication. |
| 11 | Generation of Fake receipt | The fake receipts can be generated to trick the victims into paying for the invoices they did not order. | 1 | 1 | 1 | The proper audit should be in place to scrutinize the invoices sent to the users protecting client information. |
| 12 | Gift card hack | The technique allows the criminal to ask the victim to buy gift cards with several functions, leading to fraud. | 3 | 2 | 6 | The gift card data should be tracked and monitored to detect the source delaying the activation of the gift card, adding a layer of security. |
| 13 | IoT hack | The system IoT that helps with the daily functions of the company might suffer from issues | 3 | 1 | 3 | The network for the IoT can be segmented to improve its security, preventing hackers from accessing the network. |
| 14 | Supply chain hack | The attackers detect the components that lack proper security measures | 1 | 5 | 5 | The organization can assume that all the network activity is malicious by default enforcing a “Zero Trust Policy Architecture” that would treat all the activities in the supply chain as harmful, finding intrusions faster. |
| 15 | Lack of knowledge of security issues | The organisation’s employee fails to understand the various types of attacks that might impact the organization negatively. | 4 | 5 | 20 | There should be proper security awareness programs to develop enhanced learning on recent cyber-attack trends. |
| 16 | Man in the middle attacks | The attackers tend to come in between the conversation of the application and users in the system for eavesdropping or impersonate the information gained | 4 | 1 | 4 | The company’s system must protect its network, servers, and workstations so that the conversation cannot be interfered with and be encrypted. |
| 17 | SQL injection attacks | Malicious SQL codes can be injected into the database to read and modify data from the databases and execute operations | 3 | 3 | 9 | The databases should be protected using stored procedures and secured coding to implement input validation and sanitation. |
| 18 | Lack of strong passwords | Easy user credentials and passwords can be hacked to gain hold of personal information | 3 | 4 | 12 | The employee’s password should not be the same; implementing long, complex passwords to enforce security. |
| 19 | Social Engineering attacks | The attackers tend to imitate being the victim gaining access to personal information using psychological manipulations. | 1 | 4 | 4 | The network intrusion system, firewall and multi-factor authentication lead to authentication of the individuals trying to access the system checking their credibility. |
| 20 | Modern Emotet attacks | The emotet attack is a banking virus or Trojan used to spy on private banking data. | 2 | 4 | 8 | The system should readily block access to email attachments that might contain Malware and do not get detected by |

| Probability / Severity | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 1 | 11 | 6 | 10 | 19 | 14 |
| 2 | 4 | 2 | 1 | 20 | 7 |
| 3 | 13 | 12 | 17 | 18 | 3 |
| 4 | 16 | | 5 | 9 | 15 |
| 5 | | | | | 8 |

| Impact Levels | Colours |
|---|---|
| Extreme | Red |
| High | Orange |
| Moderate | Yellow |
| Low | Blue |
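
The scoring procedure described above (impact as probability multiplied by severity, serial numbers plotted on the grid, risks prioritised by impact), written as a Python example added here; it is not part of the original essay. The register rows are copied from the table, while the level cut-offs in `BANDS` and the severity tie-break are assumptions, since the essay names the four levels but gives no thresholds.

```python
# Added example: probability x severity scoring over the essay's risk register.

# (serial, risk, probability, severity, impact) copied from the register table.
REGISTER = [
    (1, "Phishing scams", 2, 3, 6),
    (2, "DDoS", 2, 2, 4),
    (3, "Data breach", 3, 5, 15),
    (4, "Ransomware", 2, 1, 2),
    (5, "Card fraud", 4, 3, 12),
    (6, "Inventory hack", 1, 2, 2),
    (7, "Denial at point of sale", 2, 5, 10),
    (8, "Failed malware identification", 5, 5, 25),
    (9, "Lack of firewalls", 4, 4, 16),
    (10, "Unauthorized access", 1, 3, 3),
    (11, "Generation of fake receipt", 1, 1, 1),
    (12, "Gift card hack", 3, 2, 6),
    (13, "IoT hack", 3, 1, 3),
    (14, "Supply chain hack", 1, 5, 5),
    (15, "Lack of knowledge of security issues", 4, 5, 20),
    (16, "Man in the middle attacks", 4, 1, 4),
    (17, "SQL injection attacks", 3, 3, 9),
    (18, "Lack of strong passwords", 3, 4, 12),
    (19, "Social engineering attacks", 1, 4, 4),
    (20, "Modern Emotet attacks", 2, 4, 8),
]

# ASSUMPTION: the essay names four levels but no cut-offs; these are illustrative.
BANDS = [(15, "Extreme"), (8, "High"), (4, "Moderate"), (1, "Low")]


def impact(probability, severity):
    """Impact = probability x severity, each rated on the 1-5 scale."""
    for name, value in (("probability", probability), ("severity", severity)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return probability * severity


def level(score):
    """Map an impact score to one of the four levels (assumed cut-offs)."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"impact score out of range: {score!r}")


def audit(register):
    """Serial numbers whose recorded impact is not probability x severity."""
    return [sn for sn, _, p, s, stated in register if impact(p, s) != stated]


def build_grid(register):
    """5x5 grid: grid[p-1][s-1] lists the serials plotted in that cell."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for sn, _, p, s, _ in register:
        impact(p, s)  # validates the ratings before plotting
        grid[p - 1][s - 1].append(sn)
    return grid


def prioritise(register):
    """Highest impact first; ties go to the higher severity (assumed rule)."""
    return sorted(register, key=lambda r: (-impact(r[2], r[3]), -r[3], r[0]))


def render(grid):
    """Plain-text matrix: rows are probability, columns are severity."""
    lines = ["P\\S " + "".join(f"{s:>6}" for s in range(1, 6))]
    for p, row in enumerate(grid, start=1):
        cells = "".join(f"{','.join(map(str, c)) or '-':>6}" for c in row)
        lines.append(f"{p:<4}" + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_grid(REGISTER)))
    for sn, risk, p, s, _ in prioritise(REGISTER):
        print(f"{impact(p, s):>2}  {level(impact(p, s)):<8}  #{sn:<2} {risk}")
```

A non-empty result from `audit` flags register rows whose recorded impact no longer matches their ratings, which is worth checking each time the plan is reviewed.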
References:
Adamson, D. (2022, April 20). ” “. GetRiskManager. Retrieved April 22, 2022, from https://getriskmanager.com/?s=
Aldawood, H., & Skinner, G. (2019). Reviewing cyber security social engineering training and awareness programs—Pitfalls and ongoing issues. Future Internet, 11(3), 73.
Alshamrani, A., Myneni, S., Chowdhary, A., & Huang, D. (2019). A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities. IEEE Communications Surveys & Tutorials, 21(2), 1851-1877.
Borky, J. M., & Bradley, T. H. (2019). Protecting information with cybersecurity. In Effective Model-Based Systems Engineering (pp. 345-404). Springer, Cham.
Coburn, A., Leverett, E., & Woo, G. (2018). Solving cyber risk: protecting your company and society. John Wiley & Sons.
Crisafulli, J. (2021). Applying a Refined Approach to Cybersecurity Risk Assessments to the GE MAC VU360. Journal of Clinical Engineering, 46(3), 128-134.
Ghadge, A., Weiß, M., Caldwell, N. D., & Wilding, R. (2019). Managing cyber risk in supply chains: A review and research agenda. Supply Chain Management: An International Journal.
Gupta, S., & Ramachandran, D. (2021). Emerging market retail: transitioning from a product-centric to a customer-centric approach. Journal of Retailing, 97(4), 597-620.
Gwebu, K. L., Wang, J., & Wang, L. (2018). The role of corporate reputation and crisis response strategies in data breach management. Journal of Management Information Systems, 35(2), 683-714.
Hassan, N. A. (2019). Ransomware revealed: a beginner’s guide to protecting and recovering from ransomware attacks. Apress.
How to create risk matrix template in Excel – free download. ExamsPM.com. (2020, March 31). Retrieved April 22, 2022, from https://www.examspm.com/2016/08/16/risk-matrix-template/
Hussain, M. S. (2020). Framework for Security Prevention from Various Attacks Especially in Online E-Transaction.
Khan, N. A., Brohi, S. N., & Zaman, N. (2020). Ten deadly cyber security threats amid COVID-19 pandemic.
Kiff, M. J., Alwazir, J., Davidovic, S., Farias, A., Khan, M. A., Khiaonarong, M. T., … & Zhou, P. (2020). A survey of research on retail central bank digital currency.
Kuraku, S., & Kalla, D. (2020). Emotet Malware—A Banking Credentials Stealer. Iosr J. Comput. Eng, 22, 31-41.
Lillie, T., & Eybers, S. (2018, August). Identifying the constructs and agile capabilities of data governance and data management: A review of the literature. In International Development Informatics Association Conference (pp. 313-326). Springer, Cham.
Lohachab, A. (2021). A perspective on using blockchain for ensuring security in smart card systems. In Research Anthology on Blockchain Technology in Business, Healthcare, Education, and Government (pp. 529-558). IGI Global.
Mattera, M., & Chowdhury, M. M. (2021, May). Social Engineering: The Looming Threat. In 2021 IEEE International Conference on Electro Information Technology (EIT) (pp. 056-061). IEEE.
Qassim, Q. S., Jamil, N., Daud, M., Patel, A., & Ja’affar, N. (2019). A review of security assessment methodologies in industrial control systems. Information & Computer Security.
Srinivas, J., Das, A. K., & Kumar, N. (2019). Government regulations in cyber security: Framework, standards and recommendations. Future Generation Computer Systems, 92, 178-188.
Tahir, R. (2018). A study on malware and malware detection techniques. International Journal of Education and Management Engineering, 8(2), 20.
Tsochev, G., Trifonov, R., Nakov, O., Manolov, S., & Pavlova, G. (2020, October). Cyber security: Threats and Challenges. In 2020 International Conference Automatics and Informatics (ICAI) (pp. 1-6). IEEE.