Decision Maker

Lesson from the Target Breach: IT Must Implement Two-Factor Authentication

Last year's Target incident should be a wake-up call for IT to fundamentally change how they handle passwords.

Now that the dust has settled on the Target credit card breach -- along with data theft at other retailers -- I hope you're taking a hard look at your organization and asking, "Are we stupid or lazy?" Frankly, with the high-profile Target case top of mind and security experts predicting more breaches are inevitable, "ignorance" isn't really an acceptable excuse for IT decision makers anymore.

It's time to scrap the way IT allows passwords for authentication. It's no secret that security experts have been moaning for decades about how terribly passwords are used. Two-factor authentication, which greatly reduces the chances of a breach, is still practically a trite phrase even though it's been available for quite some time. Yet very few companies bother implementing two-factor authentication, or for that matter anything stronger than a password, even though it's easier than ever. Even Microsoft, which has offered multifactor authentication in its Microsoft Azure cloud service, in February extended that to Office 365 and plans to offer it in the desktop version later this year.

Target should wish they had used two-factor authentication. The root cause of Target's breach was a password, stolen from an HVAC contractor who had access to some store networks. I'm sure that password was at least eight characters long and consisted of letters, numbers and symbols. That didn't matter a bit, because it was stolen. The cost of that theft is likely going to be in the millions of dollars after the retailer covers losses, pays fines, makes fixes and so on.

An RSA token would have cost about $25. A software security token is a mere $2. And every organization -- including yours -- should absolutely be using these for all network access, including logging in from within the office. Using security tokens -- or smart cards, or some other physical factor -- can put a complete stop to the unauthorized access that resulted in the Target breach.

"But we've never been hit!" is the almost invariable counter-argument -- and it's one I'm sure the IT folks at Target heard a few times. But that's the point -- until you are hit, you haven't been hit, but once you're hit, you're screwed. You don't buy homeowner's insurance because your house did burn down; you purchase it in case the house burns down, and you hope to heck you never need to use it. But you spend the money because the insurance is cheaper than the loss should a loss actually occur.

Two-factor authentication is pure IT insurance, plain and simple. It's a lower cost now, to help prevent a high-cost loss later. And it doesn't take much to result in a high-cost loss. I mean, for pity's sake, an HVAC contractor's password was stolen. For most organizations, that's not even a blip on the IT radar; it's such a minor event. But look at what it enabled. It led to millions of dollars in fraudulent charges plus an untold cost in revenues. Tens of thousands of customers were furious when they had to replace debit/credit cards. Yet these are losses that could have been prevented with a minimal investment in security infrastructure.

I don't care if you're a small mom-and-pop, $1-million-a-year business -- someone will find a reason to attack you, whether for financial gain or just to prove they can. They might not want whatever you sell, and they might not want your intellectual property -- they might just want access to collect credit card numbers, e-mail addresses and phone numbers. All of this data is valuable in the hands of criminals and your business is a potential source.

At this point, there's absolutely no excuse for not having better authentication on your network, both for in-office and remote users. In fact, the next big company that gets hit this way -- and there will be one, I assure you -- should fire its executives for malfeasance. The facts are on the table. The outcomes are clear. The costs are low. If you get hit by busted authentication at this point, you must have done so out of deliberate spite. There's no other excuse.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.

