Kmart Cyber Breach: Another Failure in Risk Management

Steven Minsky | July 26, 2017

Kmart recently suffered another cyber breach (the second in the past few years) that echoes events affecting companies including Wendy’s and Target. In this case, a wholly preventable weakness in the company’s POS system let through a malware attack, affecting an undetermined number of Kmart’s 735 domestic sites. Failure to recognize and mitigate the root cause of a security breach is inadequate risk management; it leaves the company vulnerable to future failures.

In response to the breach, Sears Holdings (Kmart’s parent company) reported, “We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.”

This response is just another proof point that incident prevention is more important than incident recovery for preserving your company’s reputation. In Kmart’s case, this is particularly significant, since any setbacks only compound recent struggles in performance. Kmart’s sales have dropped 72% and its stock price 88% since the first breach.

Within the same statement, Sears specified that “payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls.” Anti-virus systems, while important, are only one of many lines of defense that will help you avoid being hit with a cyber breach.

Although accountability can be publicly directed onto external sources through marketing, when it comes down to it, breaches such as these occur because of poor governance. Kmart states on their website that “It is important to note that the policies of most credit card companies state that customers have no liability for any unauthorized charges if they report them in a timely manner.”

In reality, if your card is involved in an unauthorized transaction, you may be liable after as little as two business days. After 60 calendar days from receipt of the account statement, customers are 100% liable. Even more frightening, there is no protection against fraud liability for debit cards; all the money in your ATM/debit card account is your liability.

Providing credit monitoring, as Kmart has done, doesn’t solve the root cause or prevent another cyber breach. It also does not make customers feel secure. Prospects and customers are more educated than ever, and the damage to companies that fail to implement proper risk management is increasing; companies that cause harm through negligence experience greatly spiked churn rates.

Fool Me Once, Shame on You. Fool Me Twice, Shame on Me.

Another point of concern is a tendency to see problems as isolated incidents, not systemic failures that will lead to other, future incidents. Again, this is Kmart’s second breach in three years. The fact that a second breach occurred is evidence that the root cause was not identified and neutralized.

Further, due to the nature of enterprise risk management negligence, the repeat rate for failures is high. Target and Chipotle – and so many others – have been in the news repeatedly for chronic, preventable failures. These failures in risk management are like whack-a-mole. Addressing a risk in one area doesn’t solve the systemic problem, and it’s likely to materialize in a different department within three years.

It may appear to be a different kind of problem, like vendor fraud or supply chain negligence, but the root cause is the same: poor risk assessment processes, a lack of transparency between departments, and an inability to reveal interdependencies between resources.

Governance processes (as opposed to expensive technology solutions) should be used to ensure automated governance of your cybersecurity program. This includes:

  • Identifying and monitoring vulnerabilities in your anti-virus system
  • Regularly approving and deploying patches
  • Tracking password policy effectiveness (for all devices, applications, and services) at the user level
  • Monitoring the effectiveness of routine updates to infrastructure and firmware

Each of these steps contributes to the avoidance of cyber breaches. Performing them but failing to confirm they are regularized (and effective) is not enough. An enterprise risk management approach is necessary if you are to make sure activities are performed across silos, out to both frontline users and supply chains.

Without an integrated approach to cybersecurity, you won’t be able to provide sufficient evidence that your risk management processes evolve alongside your innovations. If implemented properly, however, risk management can kill two birds with one stone:

  1. It will help you detect and avoid surprises like cyber breaches before they occur.
  2. It will provide assurance to your customer base and thereby reduce churn.