Decision Maker

Lesson from the Target Breach: IT Must Implement Two-Factor Authentication

Last year's Target incident should be a wake-up call for IT to fundamentally change how they handle passwords.

• By Don Jones
• 04/29/2014

Now that the dust has settled on the Target credit card breach -- along with data theft at other retailers -- I hope you're taking a hard look at your organization and asking, "Are we stupid or lazy?" Frankly, with the high-profile Target case top of mind and security experts predicting more breaches are inevitable, "ignorance" isn't really an acceptable excuse for IT decision makers anymore.

It's time to scrap the way IT allows passwords for authentication. It's no secret security experts for decades have been moaning about how terribly passwords are used. Two-factor authentication, which greatly reduces the chances of a breach, is still practically a trite phrase even though it's been available for quite some time. Yet very few companies bother implementing two-factor authentication, or for that matter anything stronger than a password even though it's easier than ever. Even Microsoft, which has offered multifactor authentication in its Microsoft Azure cloud service, in February extended that to Office 365 and plans to offer it in the desktop version later this year.

Target should wish they had used two-factor authentication. The root cause of Target's breach was a password, stolen from an HVAC contractor who had access to some store networks. I'm sure that password was at least eight characters long and consisted of letters, numbers and symbols. That didn't matter a bit, because it was stolen. The cost of that theft is likely going to be in the millions of dollars after the retailer covers losses, pays fines, makes fixes and so on.

An RSA token would have cost about $25. A software security token is a mere $2. And every organization -- including yours -- should absolutely be using these for all network access, including logging in from within the office. Using security tokens -- or smart cards, or some other physical factor -- can put a complete stop to the unauthorized access that resulted in the Target breach.

"But we've never been hit!" is the almost invariable counter-argument -- and it's one I'm sure the IT folks at Target heard a few times. But that's the point -- until you are hit, you haven't been hit, but once you're hit, you're screwed. You don't buy homeowner's insurance because your house did burn down, you purchase it in case the house burns down, and you hope to heck you never need to use it. But you spend the money because the insurance is cheaper than the loss should a loss actually occur.

Two-factor authentication is pure IT insurance, plain and simple. It's a lower cost now, to help prevent a high-cost loss later. And it doesn't take much to result in a high-cost loss. I mean, for pity's sake, an HVAC contractor's password was stolen. That's not even a blip on the IT radar for most organizations it's such a minor event. But look at what it enabled. It led to millions of dollars in fraudulent charges plus an untold cost in revenues. Tens of thousands of customers were furious when they had to replace debit/credit cards. Yet these are losses that could have been prevented with a minimal investment in security infrastructure.

I don't care if you're a small mom-and-pop, $1-million-a-year business -- someone will find a reason to attack you, whether for financial gain or just to prove they can. They might not want whatever you sell, and they might not want your intellectual property -- they might just want access to collect credit card numbers, e-mail addresses and phone numbers. All of this data is valuable in the hands of criminals and your business is a potential source.

At this point, there's absolutely no excuse for not having better authentication on your network, both for in-office and remote users. In fact, the next big company that gets hit this way -- and there will be one, I assure you -- should fire its executives for malfeasance. The facts are on the table. The outcomes are clear. The costs are low. If you get hit by busted authentication at this point, you must have done so out of deliberate spite. There's no other excuse.