Q&A with Rich Agostino, CISO
October is Cybersecurity Awareness Month, recognized annually in the United States since 2004 as an opportunity to educate people about steps they can take to enhance the security of their digital worlds. At Target, activities occurring throughout the month of October are centered on the idea that our team members are often the first line of defense against cyber criminals. This year, our cybersecurity team developed a “Camp Cyber” theme for the creative programs and fun activities aimed at educating our team on the latest threats. Team members took part in challenges that tested their skills on spotting suspicious emails and could win prizes for taking the steps needed to protect the company from top information security risks.
As we look back on the month, we had the opportunity to sit down with our chief information security officer, Rich Agostino, and hear from him directly on current trends and threats facing both companies and consumers, and how Target is leading the industry in this space:
How would you characterize the current “state of the state” of cybersecurity?
Over the last decade we have seen many organizations start to recognize the reality of the threats we face today, from large consumer data breaches to ransomware attacks that cripple operations. That has led to a significant increase in investment in cyber capabilities across all industries. But with cybercriminals continuously shifting their tactics, companies and individuals need to continue to focus on learning what to do to protect themselves.
What’s new or different in this space over the last few years or so? The pandemic changed so much across our society – were there any tangible impacts to cybersecurity or have different types of threats emerged since 2020? Based on these changes, how has the team evolved?
When the pandemic hit, personal lives and businesses were disrupted, but many don’t realize that the business of cybercrime was disrupted as well. We saw significant behavior shifts as cybercriminals searched for new revenue streams, which led to a marked increase in ransomware and organized retail crime. While we saw these trends increasing before the pandemic, there was a massive acceleration that led us to have to think differently about our defenses.
Today, if you think about the threats that companies are facing, ransomware is first and foremost the biggest threat across all industries. Over the past few years, there has been a lot of media coverage on ransomware as attacks have impacted thousands of private and public organizations.
However, there is less of a broad understanding about how organized retail crime is changing in the retail sector. The lines between physical and digital shopping are increasingly blurred as services like drive-up, same day delivery, and mobile wallets offer guests an outstanding experience, but also provide more opportunities for scammers. Just as we saw cybercriminals come together, organize, and sell tools and services to each other, we are now seeing that behavior happening on the fraud side when it comes to things like fraudulent returns, gift card extortion, and loyalty abuse.
One of the biggest things we are doing differently began in late 2020 when we became the first of our major retail competitors to formally combine our online fraud and cybersecurity teams under one organization. By merging those teams, we could take advantage of capabilities around cyber threat intelligence and custom engineering. For example, just as our threat intel team had been tracking the latest ransomware threats for years, we now apply that capability to proactively identify criminal fraud services being bought and sold online. Similarly, our cyber team has built innovative custom tech for our Cyber Fusion Center over the years, contributing to dozens of patents and patent applications. We can now apply that same engineering skillset to identify fraud and protect Target’s guests better.
We’ve heard you say that security is a team sport – what does that mean overall for the industry and specifically for your team at Target?
“Security is a team sport” is now something a lot of cyber teams say, but at Target it’s not just something we say -- we live it every day. Back in 2014, we became a founding member of the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), the primary place where retail, hospitality, consumer packaged goods (CPG), airlines, and most consumer-facing businesses (over 200 now) are sharing information. Today, we continue to lead by example by investing heavily in working with companies across all industries, with law enforcement, and intelligence-sharing organizations.
Some people are surprised to learn how much we collaborate with even our biggest competitors to share information and work together to combat cybercrime. This idea comes from the fact that cybercriminals have been working together for years, and so the belief is that the only way we can combat that threat and that level of organization is for us to work together.
October is Cybersecurity Awareness Month. What does Target do to educate its team members about cybersecurity, and are there ways for team members from other areas to get involved in these efforts?
We know that even with a great security team and mature capabilities, it only takes one person to click a link in a phishing email to potentially start the next big breach. So, we invest in building a culture where everyone is accountable, educated, and empowered to recognize and report threats.
We educate the company through things like our fake phishing campaigns and training programs. But we also strive to make learning a lot of fun as well, and you see this really come to life every year during our Cybersecurity Awareness Month. Each year we base the monthly activities around a fun theme like this year’s “Camp Cyber.” Participants learn through gamified training in different ways, like a security-themed team escape room and daily challenges with opportunities for individuals to win prizes.
You probably receive frequent questions from friends and family about how they can be more secure in their day-to-day lives. What do you tell them? How does that translate into programs for Target guests and how do you share these types of messages with them?
First, it’s most important to understand that these threats are real, so you develop a healthy level of skepticism when something just doesn’t seem right. These criminal organizations I’ve mentioned are creative, and very persistent, often running operations 24/7 to scam consumers.
One example we see is a scam we call “Gift Card Extortion.” You may have gotten one of these calls yourself. They sound something like this: “Hi, this is the IRS. Your taxes are delinquent and there is a warrant out for your arrest. The only fast way for you to resolve this issue is to go buy $2,000 in retail gift cards and read us the numbers.” Now that might sound ridiculous reading it in this blog, but remember these criminals are experts at social engineering, and when victims feel pressured and feel that their freedom or financial security is at risk, it’s easy to make the wrong decision.
Examples like this are why we are expanding our investment to consumer awareness and education programs that seek to help people understand the latest fraud schemes and support victims of these crimes.
We hope those investments in consumer awareness will help the average person better understand that you don’t need to be a cyber expert to protect yourself from scams. There are a lot of easy steps you can take.
I’ll reiterate again: approach communications you don’t recognize with a degree of skepticism. We talked a lot about phishing and not clicking links in email, but the same goes for that odd text message you just received (we call that smishing), or that phone call you just got about a package where the delivery team just needs to “verify your credit card number” (we call that vishing).
One thing I always say is don’t use the same password on every website account you open. We know that if one of those passwords is compromised, the criminals just go from website to website and try to check if you are using that password somewhere else. There are literally billions of consumer credentials available to hackers from the many breaches over the years, so chances are if you have a “favorite password” the criminals also have that one.
If a site offers multi-factor authentication (MFA), make sure you enable it. MFA is that thing you have probably seen where you log in but then also get a text message or email with a one-time passcode to verify it’s you. This adds an extra layer of protection because even if the criminal has your password, they have to also gain access to something else (e.g., your smartphone or email) to get past the second step. Target.com offers MFA as an option, so I’d encourage everyone to go enable it!
Interested in a career on a best-in-class cybersecurity team? Check out the open roles on Target’s cybersecurity team and join us!