
Lessons from Target's data breach fumble

As the risk of data breaches rises, so do the number of attacks and the financial impact on American businesses.

For executives at companies experiencing data breaches, the consequences can be even more dire. It can cost managers their jobs.

Five months after Target's holiday data breach, the retailer's former chairman and chief executive Gregg Steinhafel stepped down from his more than $23 million-a-year position. While Steinhafel also faced criticism for Target's Canadian expansion, the massive breach—which included leaked credit and debit card information for millions of customers—likely played a role, according to analysts.

"Gregg [Steinhafel] led the response to Target's 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company," the company said in a May 5 statement.

Craig Carpenter, a chief strategist at cybersecurity company AccessData, said the information security community believes the resignation will "help raise information security to a C-level [corporate] issue."

A Target customer prepares to sign a credit card slip.
Getty Images

Business managers are paying closer attention to information security because the costs of data leaks are only expanding.

Since last year, the average cost of a data breach has risen 15 percent to $3.5 million, according to a new study by IBM and the Ponemon Institute, a researcher on data protection and information security.

The costly damage to a business includes expenses related to seeking experts' help, the actual company investigation and any loss of customers. Part of the 15 percent increase can be attributed to more customer records being stolen.

Here's what corporate executives and business managers need to learn about data breaches.

Cybersecurity is everyone's issue.

After data breaches, the person who usually takes blame is the chief information security officer or the chief information officer, Carpenter said. In the case of Target, the chief information officer resigned in March before the chief executive's departure.

Getting all senior managers to acknowledge that they are responsible for data security is part of the challenge.

A study by cybersecurity firm Stroz Friedberg found that just 45 percent of senior management acknowledged they are responsible for protecting against cyberattacks.

Shawn Henry—cybersecurity expert and a former executive assistant director of the FBI—said companies need to acknowledge every employee is responsible for cybersecurity, not just the tech guys. "Technology is a piece of the solution but it's not the sole solution," said Henry, now president of cybersecurity company CrowdStrike Services.

Detect breaches and mitigate effects

Experts also told CNBC that companies receive so many cybersecurity threats that they need to learn to detect breaches and mitigate the effects, instead of setting the unrealistic goal of trying to block all attacks.

AccessData's Carpenter said larger companies see thousands of cybersecurity alarms every day.

Communication is key

Corporate executives also need to learn how to effectively communicate data breaches, Henry said. Letting consumers know about a breach early on can help prevent damage to a business's reputation.

Target waited to comment on its breach until after it was announced by security blogger Brian Krebs. Then, the retail giant revealed in January that even more customers were affected than originally announced.

"[Businesses] need to understand what to do when they face one of these breaches, who to communicate with, how they rally their troops, how they deal with regulators," Henry said.

By CNBC's Jennifer Schlesinger. Follow her on Twitter @jennyanne211

For more CNBC coverage of cybersecurity, visit HackingAmerica.cnbc.com.

Investigations Inc.: Cyber Espionage

  • When a person enters information on a website, like an email or credit card, it gets stored in that company’s database. Those web-based forms are a simple tool for users, but they are also another way hackers can exploit a company’s system. Instead of inputting a name into the website, cyber spies can put in specially crafted text that may cause the database to execute it as code instead of simply storing it, Alperovitch said. The result is a “malicious takeover of the system,” he said.

    By attacking business computer networks, hackers are accessing company secrets and confidential strategies and creating huge losses for the overall economy.

  • China is working feverishly to counteract its slowest GDP growth in recent years, and one of the ways it’s doing so, say U.S. officials, is through the theft of American corporate secrets.

  • US businesses are enduring an unprecedented onslaught of cyber invasions from foreign governments, organized crime syndicates, and hacker collectives, all seeking to steal information and disrupt services, cybersecurity experts say.
