"The money they saved by not upgrading is coming back to them," he said. "It's a real eye-opener. The damages are real. It's really crucial to upgrade systems."
For its part, DHS isn't saying anything beyond the statements it's already published. When asked about details of the malware attack, a DHS spokesman said, "No comment."
While further comment would be a big help to the business community in the United States, at least the agency did provide a great deal of useful information beyond just details of the malware itself. Those recommendations included practices such as using two-factor authentication to access POS systems, running security software on those systems and paying attention to the results of security scans.
Many of the recommendations made by DHS are in reality basic security practices that are all too often ignored. One such recommendation is to, in the words of DHS, "configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts."
"This prevents unlimited unauthorized attempts to log in whether from an unauthorized user or via automated attack types like brute force." This is Security 101. Why this isn't implemented in every access point is a mystery.
Another no-brainer is to limit who can log in to the POS system remotely. It's good that DHS is reminding readers of this, but it shouldn't be necessary. Likewise, the recommendation to use firewalls should be obvious. Sadly, far too many merchants never got the memo about basic security.
That memo exists and merchants or anyone else can read about payments and security at the Website of the PCI Security Standards Council. There's even a compliance guide that merchants can use so that they can make sure they're protecting credit card data responsibly.
In addition, merchants that accept credit cards are required to safeguard customer data using those compliance standards as a condition to being allowed to accept credit cards in the first place. Violate those standards and your company could find itself unable to accept cards at all.
Unfortunately, the Payment Card Industry doesn't appear to do a lot to enforce its compliance standards, since it has only banned merchants from accepting credit card payments in a handful of cases.
Because of this, the most significant downside that a company suffers in the wake of a breach may be the subsequent negative publicity and loss of business. This turned out to be a significant cost for Target—a much higher cost than it would have been to have updated its machines.