{"id":268,"date":"2018-06-14T19:04:55","date_gmt":"2018-06-14T19:04:55","guid":{"rendered":"https:\/\/pressbooks.ccconline.org\/bus3060\/chapter\/ch013\/"},"modified":"2026-02-14T16:57:07","modified_gmt":"2026-02-14T16:57:07","slug":"ch013","status":"publish","type":"chapter","link":"https:\/\/pressbooks.ccconline.org\/bus3060\/chapter\/ch013\/","title":{"raw":"13.1 Introduction","rendered":"13.1 Introduction"},"content":{"raw":"<div id=\"slug-13-1-introduction-2\" class=\"chapter standard\">\r\n<div class=\"chapter-title-wrap\">\r\n<div class=\"textbox textbox--learning-objectives\"><header class=\"textbox__header\">\r\n<p class=\"textbox__title\"><strong>Learning Objectives<\/strong><\/p>\r\n\r\n<\/header>\r\n<div class=\"textbox__content\">\r\n\r\nAfter studying this section you should be able to do the following:\r\n<ol>\r\n \t<li>Recognize that information security breaches are on the rise.<\/li>\r\n \t<li>Understand the potentially damaging impact of security breaches.<\/li>\r\n \t<li>Recognize that information security must be made a top organizational priority.<\/li>\r\n<\/ol>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<div class=\"ugc chapter-ugc\">\r\n<p id=\"fwk-38086-ch13_s01_p02\" class=\"nonindent para editable block\">Sitting in the parking lot of a Minneapolis Marshalls, a hacker armed with a laptop and a telescope-shaped antenna infiltrated the store\u2019s network via an insecure Wi-Fi base station<sup>1<\/sup>. The attack launched what would become a billion-dollar-plus nightmare scenario for TJX, the parent of retail chains that include Marshalls, Home Goods, and T. J. Maxx. 
Over a period of several months, the hacker and his gang stole at least 45.7 million credit and debit card numbers and pilfered driver\u2019s licenses and other private information from an additional 450,000 customers (King, 2009).<\/p>\r\n<p id=\"fwk-38086-ch13_s01_p03\" class=\"indent para editable block\">TJX, at the time a $17.5 billion <em class=\"emphasis\">Fortune<\/em> 500 firm, was left reeling from the incident. The attack deeply damaged the firm\u2019s reputation. It burdened customers and banking partners with the time and cost of reissuing credit cards. And TJX suffered under settlement costs, payouts from court-imposed restitution, legal fees, and more. The firm estimated that it spent more than $150 million to correct security problems and settle with consumers affected by the breach, and that was just the tip of the iceberg. Estimates peg TJX\u2019s overall losses from this incident at between $1.35 billion and $4.5 billion (Matwyshyn, 2009).<\/p>\r\n<p id=\"fwk-38086-ch13_s01_p04\" class=\"indent para editable block\">A number of factors led to and amplified the severity of the TJX breach. There was a personnel betrayal: the mastermind was an alleged FBI informant who previously helped bring down a massive credit card theft scheme but then double-crossed the Feds and used insider information to help his gang outsmart the law and carry out subsequent hacks (Goldman, 2009). There was a technology lapse: TJX made itself an easy mark by using WEP, a wireless security technology less secure than the stuff many consumers use in their homes\u2014one known for years to be trivially compromised by the kind of \u201cdrive-by\u201d hacking initiated by the perpetrators. And there was a procedural gaffe: retailers were in the process of rolling out a security rubric known as the Payment Card Industry Data Security Standard. 
Despite an industry deadline, however, TJX had requested and received an extension, delaying the rollout of mechanisms that might have discovered and plugged the hole before the hackers got in (Anthes, 2008).<\/p>\r\n<p id=\"fwk-38086-ch13_s01_p05\" class=\"indent para editable block\">The massive impact of the TJX breach should make it clear that security must be a top organizational priority. Attacks are on the rise. In 2008, more electronic records were breached than in the previous four years <em class=\"emphasis\">combined<\/em> (King, 2009). While the examples and scenarios presented here are shocking, the good news is that the vast majority of security breaches can be prevented. Let\u2019s be clear from the start: no text can provide an approach that will guarantee that you\u2019ll be 100 percent secure. And that\u2019s not the goal of this chapter. The issues raised in this brief introduction can, however, help make you aware of vulnerabilities; improve your critical thinking regarding current and future security issues; and help you consider whether a firm has technologies, training, policies, and procedures in place to assess risks, lessen the likelihood of damage, and respond in the event of a breach. A constant vigilance regarding security needs to be part of your individual skill set and a key component in your organization\u2019s culture. An awareness of the threats and approaches discussed in this chapter should help reduce your chance of becoming a victim.<\/p>\r\n<p id=\"fwk-38086-ch13_s01_p06\" class=\"indent para editable block\">As we examine security issues, we\u2019ll first need to understand what\u2019s happening, who\u2019s doing it, and what their motivation is. We\u2019ll then examine how these breaches are happening with a focus on technologies and procedures. 
Finally, we\u2019ll sum up with what can be done to minimize the risks of being victimized and quell potential damage of a breach for both the individual and the organization.<\/p>\r\n\r\n<\/div>\r\n<div class=\"textbox textbox--key-takeaways\"><header class=\"textbox__header\">\r\n<p class=\"textbox__title\">Key Takeaways<\/p>\r\n\r\n<\/header>\r\n<div class=\"textbox__content\">\r\n<ul>\r\n \t<li>Information security is everyone\u2019s business and needs to be made a top organizational priority.<\/li>\r\n \t<li>Firms suffering a security breach can experience direct financial loss, exposed proprietary information, fines, legal payouts, court costs, damaged reputations, plummeting stock prices, and more.<\/li>\r\n \t<li>Information security isn\u2019t just a technology problem; a host of personnel and procedural factors can create and amplify a firm\u2019s vulnerability.<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<header class=\"textbox__header\"><\/header><header>\r\n<div class=\"textbox textbox--exercises\"><header class=\"textbox__header\">\r\n<p class=\"textbox__title\"><strong>Questions to Consider<\/strong><\/p>\r\n\r\n<\/header>\r\n<div>\r\n<ul>\r\n \t<li data-pm-slice=\"1 1 []\">Research a recent security breach: impact, prevention, and managerial lessons. Check if an online company you use had a breach\u2014how does it affect your trust?<\/li>\r\n \t<li>What caused the TJX breach, who was responsible, and how should it have been handled?<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n<\/header>\r\n<div id=\"slug-13-1-introduction-2\" class=\"chapter standard\">\r\n<div class=\"ugc chapter-ugc\">\r\n<p class=\"indent\"><sup>1<\/sup>Particular thanks goes to my Boston College colleague, Professor Sam Ransbotham, whose advice, guidance, and suggestions were invaluable in creating this chapter. 
Any errors or omissions are entirely my own.<\/p>\r\n\r\n<\/div>\r\n<\/div>","rendered":"","protected":false},"author":217,"menu_order":1,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[49],"contributor":[],"license":[],"class_list":["post-268","chapter","type-chapter","status-publish","hentry","chapter-type-numberless"],"part":267,"_links":{"self":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/users\/217"}],"version-history":[{"count":6,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/268\/revisions"}],"predecessor-version":[{"id":622,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/268\/revisions\/622"}],"part":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/parts\/267"}],"metadata":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/268\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/media?parent=268"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapter-type?post=268"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/contributor?post=268"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/license?post=268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}