Middle-Aged, Sexist Rap? A Critical Review Of “I’m A F’n C I Double S P”

Other than, arguably, being middle-aged, I’m not talking about myself of course.

Instead, I am referring to a new video by A-list infosec personality and vlogger Mr. Javvad Malik, in conjunction with what I can only presume are some unemployed hangers-on - a pitbull who would love the validation of an award (hint: you can vote for SecurityWatch instead), and some bald grandad enjoying his last swansong before going to blogging heaven.

The 2m 33s clip was made recently in response to a Dan Raywood article in which it was suggested that the CISSP (Certified Information Systems Security Professional) was not modern enough:

“An issue for the industry, and for (ISC)2 in general, is that the membership may be seen as middle aged and out of touch.”

Such an observation is not shared by Javvad and the other members of Host Unknown, though, who said:

“To us, the CISSP has always been for people of varied backgrounds and skills, and like a good pair of flared corduroys, has never really gone out of fashion. Yet how could we demonstrate its appeal with the infosec practitioners around the world, let alone (ISC)2, and show that not only can you save the world with a CISSP but you also get the girl (or boy)?”

Via a video. Obviously:

So what can we learn from the Mr. Cent inspired video?

Well, the first point that springs straight to mind is the fact that Langford and Agnes are holding Malik back.

Malik’s performance throughout the entire presentation is as flawless as ever, delivered with a consummate ease that betrays his professionalism and natural talent in front of the camera. From the moment the film begins he oozes such charisma and sex appeal in equal measure that no-one would be surprised in the slightest if he and all four of the young dancers enjoyed a wild after-filming party in true rockstar fashion.

Contrarily, Langford was completely wooden and so obviously scripted that I actually noted three separate occasions (0:56, 1:02 and again at 1:11) where he had to search around for the teleprompter in order to regain some idea of why he was there.

We save the worst performance for last though. Agnes who, it has been alleged, is a serial under-performer in many different contexts, surpassed even himself with his portrayal of a rap star. If you can see past the gross and blatantly fake bling you’ll see a performer in the wrong profession, a rapper who can’t rap and a hypocritical infosec professional who publicly denounces booth babes at trade shows whilst validating himself with hired hot totty at home. It is this reviewer’s opinion that he should stop fantasising about penetration testing the lady in red and get back to trying to look busy in the office.

Of course I’m joking; I think that Jav, Thom and Andy are great and the video is both clever and funny and makes the valid point that the CISSP is open to everyone, not just those of a certain age.

Privacy Incursions – Where Exactly Should The Lines Be Drawn?

Privacy is a big deal these days and rightly so in my opinion.

Everything we do, and everywhere we go, is seemingly being watched and there appears to be a growing resistance to it under some circumstances.

But the one thing that really stands out to my mind is how different people feel about their own personal privacy and what each of us deems to be acceptable or not.

For instance, the majority of people I know take umbrage at the fact that various governments around the world are keeping tabs on web activity, even if it does come under the umbrella of ‘keeping us safe’ from all the bad guys who want to destroy us and our way of life.

But, curiously, many of those same people think nothing of going onto their favourite social networks and sharing their entire life stories with distant relatives, friends and (potentially) millions of other people they do not know at all.

Equally, I also know a few people who constantly whine about CCTV surveillance and traffic cameras but who don’t give a second thought to having their own personal cams inside their houses so they can monitor what their kids get up to whilst they are out at work.

Mixed messages much?

So with the above in mind I give you the story of a New York restaurant that uses Google to check out its patrons before they arrive to dine.

The maitre d’ at the Eleven Madison Park restaurant starts his day by using the web to check out the eating establishment’s bookings for that evening.

Justin Roller Googles every diner in the hope of finding out as much as possible, the intention being to make their attendance an experience to remember.

Roller goes way beyond learning first names and looking at faces – he also wants to know whether a guest is a wine fanatic or a chef (I wonder if the latter would affect the level of service given?) He also wants to know where diners are from so that he can match guests with servers from the same area if possible.

He also wants to try and determine the reason for the visit – if it is a birthday or other special occasion he can then use that information as part of his greeting.

Now some of you may be thinking this is great service to the customer and of benefit to the restaurant itself and, in many ways, it is.

But one person’s delight is another’s cause for concern.

To my mind, being wished a happy birthday by a stranger on a night out is a little creepy – sure I’ve arranged for the same for a significant other, along with banners and a cake, etc., but that was my choice about how their birthday information was shared – I don’t want retailers and other service providers presuming that information shared on the net is business data (and the same would go for those companies that used to spam me rubbish on my birthday via snail mail years ago when I was far less savvy than I am now).

It isn’t. And that’s how I want it to remain.

I’m not you though so my thoughts may be completely alien to your views.

What do you think about companies digging into your life prior to doing business with you? Are you concerned that they may dig too far? Or would you be happy to deal with a business that knows you better than they ought to?

Heartbleed Bug – What You Should And Shouldn’t Do

If you are looking for information about the Heartbleed bug and what you, or your business, should do next then the good news is that there is already a huge amount of information on the net and in mainstream media. The bad news, however, is that some of the advice on offer isn’t the greatest.

The Heartbleed bug is a vulnerability in a component of recent versions of SSL which is used by many services across the web including banks, email providers and shops, to provide a secure connection between the service and the user. Whilst the average web user may not be aware that they have used it, they will undoubtedly be familiar with the padlock icon in the top left corner of their browser which denotes that it is in use.

At around the same time that the flaw was identified, an online tool was released that allows anyone to force a web server running a vulnerable version of SSL to dump the data it has most recently processed. The information available from that data could be anything but there is a very real chance that it could include the usernames and passwords of recent visitors, administrator credentials and all manner of other sensitive data.

Anyone using such a tool on a vulnerable server could continuously dump data from the same or different sites and quickly compile a huge list of login credentials.

That is why many websites, bloggers and news outlets are advising everyone to change their passwords but there are some dangers associated with such simple advice.

The main issue is that some people may rush out to change all their passwords without arming themselves with additional essential information.

Should you change your password on a site that is vulnerable to Heartbleed, but not yet patched, then you will have achieved nothing and may even have made matters worse as your new password will now likely be easier to snag when the bad guys dump the server’s recent data. And don’t forget that the publicity surrounding the bug means that the number of people trying to take advantage of it has likely increased exponentially over the last few days which makes that possibility all the more likely.

Therefore, it would be advisable to do a little research before changing your login credentials.

Before changing any passwords you will want to know:

  • Was the website vulnerable in the first place
  • Has the server been patched yet
  • Has the site ejected its previous SSL certificate and replaced it with a new one
  • Has the entity behind the site confirmed that it has been fixed

To help you out I have listed a few high profile sites below to get you started:

| Service | Is it vulnerable? | Has it been patched yet? | Should you change your password? |
| --- | --- | --- | --- |
| Amazon | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Amazon Web Services | Yes | Yes | Yes |
| Apple | Unknown | Unknown | Unknown |
| Barclays | No | No | Yes, if reused on another service that is vulnerable |
| Dropbox | Yes | Yes | Yes |
| eBay | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Evernote | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Facebook | Yes | Yes | Yes |
| Fox News | No | Not Needed | Yes, if reused on another service that is vulnerable |
| GoDaddy | Yes | Yes | Yes |
| Google/Gmail | Yes | Yes | Yes |
| Hootsuite | No | Not Needed | Yes, if reused on another service that is vulnerable |
| HSBC | No | Not Needed | Yes, if reused on another service that is vulnerable |
| If This Then That | Yes | Yes | Site will force a password reset |
| LinkedIn | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Lloyds | No | Not Needed | No |
| Microsoft services | No | Not Needed | Yes, if reused on another service that is vulnerable |
| OkCupid | Yes | Yes | Yes |
| PayPal | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Pinterest | Yes | Yes | Yes |
| RBS/Natwest | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Reddit | Yes | Yes | Yes |
| Santander | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Tumblr | Yes | Yes | Yes |
| Twitter | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Vimeo | Yes | Yes | Yes |
| Walmart | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Washington Post | Yes | Yes | Yes |
| Wikipedia | Yes | Yes | Yes |
| Yahoo/Yahoo Mail | Yes | Yes | Yes |

If you are concerned about sites not included in that list, and you likely are, then there are several tools available to help you determine whether or not a particular site is vulnerable:

If you identify that one or more of the sites you use is vulnerable you will then need to find out whether the problem has been fixed or not. The best way to do so is by visiting the site itself, or its accompanying blog, where that information should be prominently displayed (one would hope). If it is not obvious whether the site has fixed the vulnerability then do yourself, and other web users, a favour by contacting the company or site owner and asking for confirmation.

Only when you have discovered a site that was both vulnerable, and subsequently fixed, should you change your password.
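The checklist above and the “change only once fixed” rule can be turned into a small helper. The following is an added example written for this page, not a tool from the original post or from BH Consulting: it checks the one item a user can verify for themselves, whether the certificate’s notBefore date falls on or after the public disclosure of Heartbleed on 7 April 2014 (an older certificate may still carry a key that was exposed), and it encodes the password-change decision from the checklist and the table. The function names and the sample certificate dictionary are my own constructions; the live lookup uses only the standard library and needs network access, so it is kept separate from the offline checks.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014. A certificate issued before
# this date may still use a private key that the bug could have exposed, so a
# fixed site should be presenting a newer one.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc).timestamp()


def fetch_peer_cert(host, port=443, timeout=5):
    """Live check (needs network): return the certificate dict the site presents,
    in the shape produced by SSLSocket.getpeercert()."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_reissued_after_disclosure(peercert):
    """True if the certificate's notBefore date is on or after the disclosure date.
    peercert is a getpeercert()-style dict; only the 'notBefore' field is used."""
    issued = ssl.cert_time_to_seconds(peercert["notBefore"])
    return issued >= HEARTBLEED_DISCLOSED


def password_change_advice(was_vulnerable, patched, cert_reissued,
                           reused_on_vulnerable_site=False):
    """Apply the checklist: change a password only on a site that was vulnerable
    and has since been fixed (patched and certificate replaced). Sites that were
    never vulnerable only matter if the same password is used on one that was."""
    if not was_vulnerable:
        if reused_on_vulnerable_site:
            return "change: password is reused on a vulnerable service"
        return "not needed: site was never vulnerable"
    if not patched:
        return "wait: site is still vulnerable, a new password could be captured"
    if not cert_reissued:
        return "wait: patched, but the old certificate is still in use; ask the site to confirm the fix"
    return "change now: site was vulnerable and has been fixed"


if __name__ == "__main__":
    # Constructed sample in getpeercert() format, not a real site's certificate.
    sample_cert = {"notBefore": "Apr 10 12:00:00 2014 GMT",
                   "notAfter": "Apr 10 12:00:00 2015 GMT"}
    reissued = cert_reissued_after_disclosure(sample_cert)
    print("certificate reissued after disclosure:", reissued)
    print(password_change_advice(was_vulnerable=True, patched=True, cert_reissued=reissued))
```

To run the live part against a real site, call `fetch_peer_cert("example.org")` and pass the result to `cert_reissued_after_disclosure`; a certificate dated before April 2014 is a reason to ask the site whether it has finished its clean-up before changing anything.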

When you do so, remember our 10 tips for making a secure password:

  • passwords should be a combination of letters, numbers and symbols
  • never reuse passwords on multiple sites
  • change passwords regularly
  • passwords should be at least 8 characters in length
  • mix upper and lower case letters
  • avoid using ‘dictionary words’
  • never make a password from personally identifying information such as pet or family member names
  • avoid common words, even in combination with other symbols or numbers
  • never share your passwords with anyone
  • use a password manager so you can keep track of all your passwords without writing them down

Furthermore, when changing any passwords as necessary, it would be a good time to see if the site offers two factor authentication which will add an additional security layer and make it much harder for an attacker to access the account, even if they do acquire your password.

Lastly, remember that popular news stories often lead to other types of attacks – be on your guard for emails suggesting that you click through some link to access Heartbleed bug detecting tools or offering fixes. Whilst some security companies may genuinely be sending out such tools or advice, phishers will likely be using such bait to snare additional victims too.

Thanks to Sarah Clarke (@S_Clarke22) for inspiration.

Report: Only 44% Of Employees Receive Security Awareness Training

A new survey from Enterprise Management Associates (EMA) reveals the relationship between employees’ approaches to information security decisions and the risks posed to the organisation.

The poll encompassed over 600 employees from a range of businesses, from those employing fewer than 100 staff up to organisations with over 20,000 employees.

With the aim of understanding security awareness training in a range of sectors including public and private companies, government and non-profit groups, the key findings of the report were:

  • 56% of corporate employees, excluding those who work in the security or information functions, have never received any security or policy awareness training
  • 45% of those who do receive awareness training said it came in one annual session

Such a lack of security awareness may suggest that employees are likely to engage in potentially risky behaviour and such a hypothesis is borne out by other report findings:

  • 59% store work-related information in the Cloud
  • 58% keep sensitive information on their mobile devices
  • 35% have clicked on links found in email received from an unknown sender
  • 33% reuse personal passwords for their work devices
  • 30% leave their mobile devices unattended in their vehicles

David Monahan, Research Director at EMA, said:

“People repeatedly have been shown as the weak link in the security program. Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don’t realize what they are doing is wrong until a third-party makes them aware of it. In reality, organizations that fail to train their people are doing their business, their personnel and, quite frankly, the Internet as a whole a disservice because their employees not only make poor security decisions at work but also at home on their personal computing devices as well.”

Whilst the report highlights the need for security awareness training it also touches on the quality of such programs too.

In my own experience, and from what I have heard from others, it seems that many organisations still approach such training from a point of believing it is something that they ought to do, rather than actually understanding the benefits on offer to the business of delivering a quality and engaging program.

Security awareness, a simple concept to those who work in the industry, is often seen by other staff as something that is complicated, boring or an interference to usual working practices and so it needs to be offered in a fun and easily understood format.

EMA survey respondents seem to agree, with 66% saying that training materials need to be easy to understand and 59% saying that interactive activities are a great aid to learning – sitting somebody in front of a screen with a lame bit of CBT running just isn’t the way forward folks.

With many organisations becoming increasingly aware of the risks of data breaches and other potential security risks I would like to think that they will consider all avenues when hardening their defences. Bolstering infrastructure, patching software, employing competent security personnel, etc. is all well and good, but, it is all for naught if the majority of employees in the business aren’t armed with the basic knowledge required to avoid phishing runs, social engineering attacks and simple techniques for keeping bad code and bad people away from the corporate networks.

If you need security awareness training for your organisation – and let’s not forget that even some of the least expected organisations do get caught out by ruses as simple as phishing – then you need look no further than BH Consulting which can provide onsite security awareness training courses tailored to your needs. Our experts will work with you to identify your primary needs and develop a security awareness program specific to you and your organisation. This program can then be delivered via a series of onsite workshops, train the trainer sessions or via an online portal. Learn more here.

Education Key To The Future Of Security; GCHQ Agrees

There have been many hot discussion topics around the area of security recently, with much said about data breaches, breach disclosure, privacy and, of course, government surveillance.

One other area that has received a lot of chatter lately is in the area of education and preparing the next generation for careers in this wonderful field.

That’s nothing new of course – over the past 7 or 8 years I’ve often seen much said about how the industry is growing and how demand for top quality personnel cannot be met by the number of IT students currently in the required areas of study (such conversations normally go hand-in-hand with observations about how infosec fails to attract women into its ranks too).

But recently we have seen new measures taken to address that deficiency with the UK government last month promising new learning materials to children as young as 11 in order to publicise jobs in the sector, following comments from the National Audit Office in February when it said that a lack of skilled workers was hampering the country’s fight against cyber crime.

Other initiatives have sprung up recently too such as Cyber Streetwise, funded by the National Cyber Security Programme, with the intention of significantly improving “the online safety behaviour and confidence of consumers and small businesses (SMEs).”

Additionally, the Cyber Security Challenge, continues to become more prominent as it “aims to bring more talented people into the Cyber Security Profession.”

And now, according to the Independent, we have the UK’s surveillance industry offering official certification for master’s degrees in cyber security.

In a briefing note sent out to universities by GCHQ, the spy agency says that there are now a “significant number” of master’s degrees on offer in the UK which incorporate elements of cyber security and this makes it difficult for students and employers alike to differentiate between the various courses.

Therefore, GCHQ has asked the educational establishments to apply to have their courses certified in order to allow students to say that they have “successfully completed a GCHQ-certified degree.”

The key benefits of a Certified Masters in Cyber Security are, according to GCHQ:

  • providing guidance to prospective students and employers on the content and quality of such degrees
  • providing Masters students who have completed their certified degree with an additional form of recognition – i.e., that they have successfully completed a GCHQ certified degree
  • helping to further enhance the quality, focus and relevance of Masters degrees
  • helping universities with certified Masters degrees to attract additional numbers / higher quality students both from the UK and abroad
  • helping employers (in industry, government and academia) during the recruitment process to better understand, and distinguish between, the Masters qualifications of job applicants

Professor Fred Piper was the founding director of the information security group at Royal Holloway, which offered the first cyber security master’s in the UK back in 1992. He has been working with GCHQ to develop the criteria for the new certification:

“When we launched our masters in 1992 it was unique. Then cyber security became a buzzword, and now there are courses everywhere. Some are very good, while some are good but do not really focus on cyber security. At the moment there’s no way of knowing which courses are strong – there are so many qualifications out there, that when people ask which course they should take, it is very hard to say.”

Universities that already offer a master’s in security are invited to apply for full certification with a closing date of June 20. Educational establishments looking to offer such courses in the future can apply for a provisional stamp of approval.

GCHQ itself will send personnel on the certified courses – read more here – but hopes that they will also be of benefit to other players in both the public and private sectors.

As of now, GCHQ has already certified two cyber security training centres – Royal Holloway and the University of Oxford – with students at both currently in their first year of study.

Whatever you may think of GCHQ et al. in the wake of all those spying claims, it is refreshing to see all of the educational opportunities arising for people of all levels isn’t it?

Big Brother Goes Dutch

If you thought the proliferation of CCTV surveillance in many countries was bad then you may be shocked to hear that the Dutch parliament has overwhelmingly voted in favour of the use of drone surveillance.

The new law, proposed by Ivo Opstelten, Minister of Security and Justice, and Ronald Plasterk, Minister of the Interior and Kingdom Relations, won approval from almost all of the country’s large number of political parties.

Its adoption will mean that Dutch municipalities will be allowed to monitor their citizens via mobile cameras, including those deployed on drones.

City mayors will now be able to choose which type of camera surveillance should be used in times of civil disturbances that are not confined to static areas, picking between fixed devices and ones that are either attached to vehicles or airborne.

A clarification document sings the praises of surveillance technology, extolling the virtues of crime reduction and increased public safety, whilst highlighting that the use of drones will not lead to a reduction in CCTV that is already in place.

The problem with such an approach, of course, is the impact that such a move could have on the privacy of Dutch citizens.

Whilst the drones are only authorised for use in situations where there is a threat to public safety (which is already a rather broad term don’t you think?), there is no clarification on how large a geographical area the surveillance can take place in which I think at least raises the possibility of some nefarious future official going beyond their remit in terms of ‘spying’ on the populace.

Furthermore, there are no guarantees available that Dutch lawmakers will not go further in the future and there are fears that the drones could one day be easily equipped with facial recognition technology. Opstelten himself told the D66 party that he was unable to foresee what future uses the drones may be put to and could not rule out facial recognition in the future. Tellingly, he also said that the possibility of future privacy violations was no reason not to proceed.

Given my eternal cynicism where government surveillance is concerned, in conjunction with what we now know about the NSA spying on US citizens, I wonder if the Netherlands will merely serve as a testing ground for widespread drone usage in the future?

Given the recent revelations from Edward Snowden about government spying on telephone and computer activity, do you also worry that our children’s world will be one in which personal privacy is considered to be an antiquated ideal?

Passwords – 10 Tips

If you use a computer, tablet, smartphone (or even a fridge it seems these days!) and want to keep your data safe… use a password.

If you surf the web and want to keep your identity secure… use a password.

If you want that password to be effective… you had better make sure it’s a good one.

Passwords are used every day for a variety of reasons and a strong, extremely difficult to guess one is vital in protecting you from identity thieves, scam artists, potential data breachers and all manner of other bad guys.

So just how do you come up with an effective password?

Here are 10 very basic tips to help you do just that -

  1. Make your passwords from a combination of letters, numbers and symbols, but be sensible about it – don’t think for a minute that this alone will give you a safe password. Just because you can swap the letter ‘a’ for an ‘@’ symbol, don’t assume a password cracker won’t think of doing exactly the same thing. Words such as ‘s3x’ and ‘dr@gon’ are only very slightly more secure than the regular spelling of the same words.
  2. Change your password every 3 months or so.
  3. Use a different password for every account, app or program that you use – if you don’t, and someone guesses or cracks your password, then all your accounts are immediately at risk.
  4. Always use a combination of at least 8 characters (and I would say that’s an absolute minimum – lengthier passwords are highly desirable).
  5. Mix upper and lower case letters and don’t necessarily just use caps for the first letter either as that is a fairly predictable tactic.
  6. Use a phrase with no spaces (don’t use proper spelling, i.e. ‘dictionary words’ though) but mix it up with numbers and/or symbols – words are very easy for a password cracker to guess. End of. Making a password out of more than one word doesn’t add very much at all to the difficulty of cracking it. Passwords such as ‘letmein’ are remarkably easy to guess. You need to be much cleverer than that!
  7. Never use personal information – if someone has specifically targeted you then they will already know a great deal about you. If not, and they are determined enough, then they could probably find out a lot more about you than you realise by searching on the internet. Therefore, any words, numbers or phrases that can be connected to you are bad choices. For example, your name, date of birth, mother’s maiden name, etc. are all bad password choices.
  8. Never use common single words (for example, cat, blue, etc.) – if your password is a dictionary word, its length has little bearing on how long it would take a hacker to break it. If you are using proper words, of any language, then a dictionary attack will always succeed sooner or later. Password crackers are, generally speaking, looking to get results in the shortest possible time frame. If your password is easily guessed with a dictionary attack then you will be a quick and easy victim. To avoid such password guessing tools you want to avoid words, especially the most commonly used ones, such as sex, dragon, love, god, pass and password.
  9. Never, ever share your passwords with anyone. Period.
  10. Use a password manager – they become invaluable as your list of login credentials grows.

Can you think of any other tips for creating an effective password?

Trustmark Pulls out Of Class-Action Suit Against Target And Trustwave

Last week I wrote about how two banks – Trustmark National Bank of New York and Green Bank of Houston – had come together to file a class action lawsuit against Target, Inc. in the wake of a data breach at the US retailer which saw 40 million credit card details, and 70 million other personal details, stolen.

Now, however, one of the two banks suing both Target and security vendor Trustwave has pulled out.

Trustmark National Bank filed a notice of dismissal of its claims on Friday. No detail is given as to why the bank has now ceased its action with the notice saying little more than:

“Pursuant to Federal Rule of Civil Procedure 41(a)(1)(A)(i), Trustmark hereby voluntarily dismiss its claims without prejudice to re-filing.”

However, based on a letter from Trustwave to its customers, the real reason why Trustmark ceased its legal action may be that Trustwave was wrongly named in the suit.

After initially declining to identify its customers, or comment on outstanding litigation, Robert J. McCullen, Chairman, CEO and President of Trustwave Holdings, Inc., wrote:

“Dear Customers and Business Partners,

As some of you may know, Trustwave was recently named as a defendant in lawsuits relating to the data security breach that affected Target stores in late 2013.

In response to these legal filings, Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations.

Contrary to the misstated allegations in the plaintiffs’ complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target.”

Even if Green Bank of Houston should dismiss its claims, and there is no indication at this time that it will, the implications of the case still remain highly pertinent.

The banks’ original claim alleged that Trustwave had failed to ensure that Target’s systems were in line with industry standards, having informed the retailer that there were no vulnerabilities on its network shortly before the breach occurred.

Should such a claim be brought before a court in the future, and the judge and/or jury find in favour of the plaintiffs, then the consequences will be far-reaching, with breach victims and their security partners both being at risk of litigation and the subsequent costs associated with the losses incurred by affected financial institutions.

And of course let’s not forget the other impacts of a data breach, which are numerous, including loss of revenue through a variety of avenues as well as the potential damage to the trust in, and reputation of, the affected company or companies.

Perhaps the breach at Target, as well as other high profile breaches over the last year, will be sufficient to encourage businesses of all sizes to assess their security standing in order to ensure the risks are well managed and as small as possible?

We can but hope…

Google To Security Experts – Can You Help Us Teach Online Safety?

Search giant Google is looking for IT security experts to help make the internet safer for everyone.

The company recently posted a “Security Advice Survey” online, asking security professionals to submit their best tips and tricks for staying safe on the web.

Rob Reeder of Google’s User Experience Research Team, wrote on the company’s online security blog:

“At Google, we’re constantly trying to improve security for our users. Besides the many technical security features we build, our efforts include educating users with advice about what they can do to stay safe online. Our Safety Center is a great example of this. But we’re always trying to do better and have been looking for ways to improve how we provide security advice to users.

That’s why we’ve started a research project to try to pare down existing security advice to a small set of things we can realistically expect our users to do to stay safe online. As part of this project, we are currently running a survey of security experts to see what advice they think is most important.

If you work in security, we’d really appreciate your input. Please take our survey here: goo.gl/F4fJ59.

With your input we can draw on our collective expertise to get closer to an optimal set of advice that users can realistically follow, and thus, be safer online. Thanks!”

The survey itself asks a variety of questions, including “What are the top 3 pieces of advice you would give to a non-tech-savvy user to protect their security online?” and “What are the 3 most important things you do to protect your security online?”

The questionnaire then goes on to enquire about your hardware, such as when your computer was bought, and also about your use of security software and the installation of operating system patches.

Other questions are based around the use of passwords, how those credentials are stored and remembered and whether a dedicated password manager is used.

The survey also asks whether experts use two-factor authentication on any of their online accounts, whether they check that web addresses are genuine before using them, and how aware they are of HTTPS.

If you have 5 minutes spare and some experience in the field then please take a look at the survey and share your expertise – it will help Google and, hopefully, that will translate into a better and safer experience for other web users in the future.

Banks Sue Target And Trustwave As Data Breach Fallout Continues

Banks impacted by the data breach of Target last year have come together to file a class-action lawsuit against the US retailer. A court filing also names security firm Trustwave as a co-defendant, saying that the firm “failed to live up to its promises or to meet industry standards.”

The breach, which resulted in the theft of at least 40 million customers’ credit card details, as well as 70 million other personal records, arose after an attack at HVAC contractor Fazio Mechanical Services Inc provided a bridge into Target’s own systems.

The plaintiffs in the case – Trustmark National Bank of New York and Green Bank of Houston – claim that the retailer and security company failed to prevent the theft of data.

The lawsuit, which is not the first filed against Target, shows the growing pressure and potential costs now associated with breaches, which themselves are on the rise.

For their part, the banks are concerned with the costs that they have borne in this case – it is estimated that the cost of issuing new cards to customers that have potentially been affected stands at around $172 million. The plaintiffs also cite future costs, including absorption of fraudulent charges made on stolen cards, lost profits, missed business opportunities and damage to the business as a whole, the total of which could possibly rise to as much as $1 billion.

Trustmark and Green Bank have included Trustwave in their lawsuit because they believe that vulnerabilities in Target’s systems remained “either undetected or ignored” in various audits up to September of last year.

Furthermore, the banks claim that the retailer stored “credit and debit card data on its servers for six full days before hackers transmitted the data to a separate webserver outside of Target’s network.” The lawsuit also claims that the breach remained undetected for a period of three weeks, even though Trustwave “provided round-the-clock monitoring services to Target.”

Additional claims levelled against Target include the suggestion that the firm was not in compliance with PCI-DSS at the time of the breach, despite the fact that Trustwave claims to provide guidance to millions of businesses on reaching the standard. The filing also claims that in-store POS terminals were not protected by any form of antivirus software. Trustmark National Bank and Green Bank also say that the retailer should not have allowed a third-party contractor to have access to its network.

Lawsuit aside, the effects on Target don’t make pretty reading either. The company recently announced a fourth quarter fall in profits of 46%. The direct costs of the breach to the company already stand at $61 million with only $44 million of that being covered by cyber insurance. Further significant losses are also to be expected as further costs from fraud become quantifiable and attributed to the business.

All in all then I think it is quite obvious that a data breach is bad news for any business on many different levels, ranging from the obvious financial aspects to potential legal action and, even more importantly, possible damage to reputation.

Whilst it’s obvious that not every business will be attacked in this way, UK businesses do still have cause for concern.

So have you done everything you can to minimise the chances of your business being breached? Have you trained your staff to look for evidence of attack and to respond accordingly? Is your company looking at its risk management framework and the various standards such as PCI-DSS and ISO 27001? Has your organisation been proactive in preparing an incident response plan should the worst happen?