My favorite analogy in security is the one which describes each internet defense as a slice of swiss cheese: they all have their holes (weaknesses). The idea – if we want the best security – is to stack them all up on top of one another and hope the holes don’t line up. Because if they do – meaning, if any of the inevitable weaknesses in software or hardware align so that there is an opening for strangers to enter – that represents the tunnel through which cybercriminals crawl into our home computer or business network. 
What the average citizen may not realize is that in some ways he or she is no different than Target. Cybercriminals are coming after all of us. And based on the infection rates of personal computers and mobile devices, a large number of Target’s potential victims have been personally compromised at home already. So what are customers in such a huff about?
I don’t mean to imply that companies like Target who process our data are blameless. We certainly have a right to expect them to do their best to protect our data. But all indications show that Target was as vigilant as a company of their size can be expected to be. And what really matters is: did they respond quickly? Are they trying to fix things? Do they seem sincere? Have they demonstrated “good faith”? I have been watching the news of this breach since it first broke and I believe the answer is yes. Go to their website and check out their Q&A. You’ll also find an interview with Target CEO Gregg Steinhafel. I found him credible. Do you?
A recent study showed that retailers are under constant attack, and can expect at least twice as many attacks as other companies. So maybe we should give Target credit for the fact that they fended off the bad guys this long. Cybercriminals are so well-funded that they’re able to hire the best hackers and strategists in the world. Is it really a surprise that the FBI admitted a few weeks ago that they expect these kinds of attacks to accelerate regardless of the government’s best efforts? And if the United States didn’t still use archaic credit card technology (magnetic stripe vs EMV) US Ttargets wouldn’t be nearly as interesting to cybercriminals. But there’s nothing Target can do to move to EMV on its own, that requires an industry-wide shift. 
Cybercriminals are like the Wolf in Three Little Pigs story. The Wolf was relentless, and he followed the three pigs wherever they went. Twice they built new houses and he huffed and puffed and blew them both down. But the third one foiled him; it was built of brick. If only those of us in the security industry could actually build an impenetrably secure house of brick! But we can’t, and we know that. This is what makes us so forgiving.
If the Wolf had never fallen down the chimney, the story would have ended differently. A real wolf would chew and push and poke at every nook and cranny until he eventually got in. Cybercriminals never give up either. In the security universe we’re only half joking when we say, “there are only two kinds of companies – those who know they’ve been breached and those who don’t”. We believe virtually every company has been breached, at some point in time – or soon will be.
My last thought for the angry customer is this: since there’s no liability for bogus charges (as long as we spot them) we may as well calm down and focus our attention on the things we should have been doing anyway:
- review all our credit cards and debit accounts monthly
- sign up for credit monitoring (this alerts us in case someone tries to get a new credit card (or car!) in our name)
and if we want to reduce opportunities for this kind of thing:
- use cash when we can
The sooner we adjust to these changes the better. Because it is an unfortunate inevitability that more breaches are coming.
Best,
cj