Target Data Breach Not A Disaster

Everybody loves a good hacking because it spells doom for the target in question.  In this case the target in question is Target.  We’re going to delve into the financials and see that once again a hacking is no big deal.

First we will compare Target (NYSE:TGT) (green line) to the SPDR Retail Sector ETF (NYSE:XRT) (blue line) so we can see the huge divergence between the retail sector as a whole and how poorly TGT has done since the hack. The first thing we notice is that TGT has underperformed the bucket of other stocks that make up the retail sector. When picking single stocks vs. a broad ETF that is bound to happen. Next we notice that the ups and downs are about the same. This tells us that there’s no major comparative difference to the stock price during the time period when the breach was announced in September.

2014-03-26-XRT-TGT-COMPARISON-PROPHET

Next we’ll take a look at TGT during the December shopping season.  Everyone in the infosec community jumped on the bandwagon that their sales were off because of the breach.  Just look at that drop!  It was obviously caused by the hackers, right?

2014-03-26-TGT-TOS_CHARTS

Wal-Mart (NYSE:WMT) must have the same problem if we look at December – January.

2014-03-26-WMT-TOS_CHARTS

When we dig into XRT for the same time period we see an almost identical wave pattern.   What this suggests is that everybody in retail had a rough winter, not just TGT.

2014-03-26-XRT-TOS_CHARTS

The weather is why the entire retail sector is down.  Well, every sector is down because of the weather.  That’s the trendy thing that CEOs are blaming the bad Q4 and Q1 results on.  Unless the hackers have a bot net that can control the weather we can attribute TGT and everyone else’s ills to the Polar Vortex.

The other thing that we need to consider is that huge gap up when TGT announced earnings. That’s a 7% move in a single day. They posted 81 cents per share profit vs. 79 cents consensus. Revenue came in at $21.5B vs. consensus of $21.45B. In other words, Wall St. already accounted for the potential downside and priced it in. The impact was rather minor considering that they had incurred $61M in expenses but were covered by a $44M insurance policy for a net loss due to the breach of $17M. So far the impact is minor. We can tell this since the IV% in TGT is currently 25% while the IV% of XRT is 51%. There is a lot more concern over downside in the retail sector as a whole than there is in TGT.

Will consumer behavior change as a result of incidents like this?  Unlikely.  TGT made a brilliant move by having the We’re Sorry Save 10% This Saturday Sale the week of the breach.  Many savvy consumers went shopping, your Dearest Leader included.  Who can say no to a 10% off sale?  Everyone I know walked away with a deal and no stolen numbers.  Taking a gamble to get a deal is what you have to do.  You have to buy in before they do.  You have to buy the dip.

The thing security professionals and the writers at all the trade publications need to understand about consumer behavior is a sale is something that everyone in a bad economy will chase after.  Most people have more than one credit card.  They can always use a different card until a replacement arrives if the numbers are compromised. Consumers are not legally responsible for the bill if fraud does occur.  That makes it the bank’s problem, and most people don’t care about the banks since that mess some of them caused with the housing market.   What exactly is the tragedy that all of the industry publications are writing about?  Either way the breach is the least of the bank’s worries, especially if your name is Citi.

Once again we have another data breach that causes a company to beat EPS, while life for everyone goes on. There is some economic impact, but it’s spread among insurance companies, card processors, issuing banks and retailers. The risk is shared among the sellers and the buyers have no risk at all. Everyone on Wall St. knows that these kinds of incidents are nothing compared to disasters such as the Polar Vortex or a large oil spill in the Gulf of Mexico. Until the magnitude gets to be that large these events will be a nuisance rather than a disaster.

Where Does EMC Go After NSA Revelations

EMC seems to have quite a problem on its hands now that rumors have circulated that their RSA division has been accepting payoffs from the NSA. We have seen shareholder lawsuits against IBM for not disclosing business risks involved with losing business internationally as a result of working with the NSA. Related risks for EMC include failure to disclose NSA involvement to shareholders in their regular SEC filings, loss of business internationally and domestically from the customer backlash, and regular reaming from the security community at conferences and other venues.

The weekly chart of EMC shows support/resistance below 26.  A play in the direction of the break down/out could be available.   This is a wait and see trade where we need confirmation before entering.

2013-12-24-EMC-TOS_CHARTS

TGT Loses Payment Card Info Resulting In A Dip

After the breaking news over at KrebsOnSecurity that Target (NYSE:TGT) has been impacted by a payment card breach it is time once again to look for a dip to buy.  The low point at approximately $61 matches up with some decent support and resistance levels from 1Q13.  TGT is riskier than other sectors due to the retail environment at this time of year.  Any attempt to buy the dip should be done close to $61 with a very tight stop.  Any general bad news from the retail sector could blow this trade up.  Low trading volumes from the financial industry taking vacation could also cause large price swings in either direction. Short Put Verticals are not the best for this, though an ATM Long Call Vertical will give about 50/50 odds over the next week.

2013-12-20-TGT-TOS_CHARTS

 

Update: We decided to go with a weekly 62/63 Long Call Vertical.  Closing out one day before expiration gets about a net 18.00 per contract.

Emoji May Be The Language Of The Future In Business

Business Insider is covering the use of Emoji in communication.  This is something that is sure to outrage Grammar Nazis and those who are proper language traditionalists. Rather than panic and wonder how the youth are going to make it, we should step back and think outside the box. We already have situations in business where proper English is not spoken. Go into any warehouse or assembly line staffed by immigrants and you will find less than perfect written and spoken English. Chinglish is also a term applied to products that have had poorly written translation software applied to make the translation from Mandarin to English. The translation may not be perfect, but we understand what the general meaning is.

A well known SciFi writer has created a world in the future where English and Mandarin are the official languages of the human race. What if that isn’t the case? What if a new abbreviated language such as the one teenagers use for texting is the unified language of the world? What if we become like the Ancient Egyptians and move to a hieroglyphic language to be all inclusive? This is where emoji may fit in. The old view of business is dying out as the Baby Boomers retire from the workforce. There are many VP’s today who don’t perform drug testing because it’s outdated and it takes away from the bottom line. There are also many people in GenX and GenY who will hire subject matter experts, no matter what their fluency in English is. If we can communicate in the made up language of Chinglish, why not communicate using other ways? The only thing holding us back is an outdated mentality of thinking something has to be done a certain way, rather than something has to be done.

 

Refusing To Hire Black Hats May Be Risky And Costly

The topic of hiring reformed Black Hats continues to be a matter of debate.  Some believe that ‘You’re shooting yourself in the foot if you’re not willing to hire a hacker’ while others believe such an idea is preposterous because it is not possible to reform any person who has been convicted.  Others may believe it simply doesn’t look good to hire convicted felons and dismiss the thought.  Unfortunately it isn’t possible to do that in the US and the continuing attitude toward convicted felons must change.

On April 25, 2012 the Equal Employment Opportunity Commission (EEOC) released new enforcement guidance regarding the Consideration of Arrest and Conviction Records In Employment Decisions. In summary the enforcement guidance prohibits blanket policies that prohibit hiring convicted felons. Security professionals should speak to HR, Legal, and other stakeholders to determine the proper processes for applicants. If two candidates with similar qualifications apply, an employer cannot simply choose to not hire the felon.

Employers must now take a variety of factors into consideration such as age at time of conviction, employment history, number of offenses for which there is a conviction, rehabilitation efforts, and other criteria.  This creates a layer of complexity in screening applicants. Businesses are starting to reconsider the importance, and more importantly, the liability associated with pre-employment background screening.  Risk averse organizations may choose to forego criminal background screening since one defense against a discrimination claim is that the applicant’s background was never checked.  The risk of an applicant alleging discrimination is also why many legal and compliance professionals recommend against social media reviews.  If you do not know an applicant’s religious or other affiliation, it is easier to defend against a discrimination claim.

One aspect to consider is whether or not the candidate is a good fit for the organization.  Personality and demonstrable skills are becoming more important than degrees and other factors.  Should we consider arrest and conviction history among those other factors?  Security professionals are conditioned to believe that everyone must be squeaky clean.  In terms of stakeholder management this attitude does not always bring shareholder value and may be at odds with the strategic direction of the business.

The organization’s Corporate Social Responsibility (CSR) policy or Compliance & Ethics Program may require that the organization hire convicted felons as a means of helping them rejoin society. Such policies can also help reduce recidivism. The CFO may also become involved in the discussion. The US Department of Labor Work Opportunity Tax Credit can save the company $1600-$9600 depending on the employee hired. Maximizing tax efficiency is one thing that finance and accounting professionals do. There can be a financial case for hiring convicted felons, especially in the information security discipline.

The topic of hiring reformed Black Hats is controversial, but when the complex legal requirements are considered the possibility of government sanctions makes the idea of hiring Black Hats worth considering. Information Security professionals can take part in the strategic direction of an organization by working with HR, Compliance & Ethics, and Finance to enhance the organization’s overall goals. We have attempted to end discrimination based on a person’s skin color. The color of the hat they wear is something we should also add to the list.

“It doesn’t matter whether it’s a white cat or a black, I think; a cat that catches mice is a good cat.” — Comrade Deng Xiaoping

Leaking Data Does Not Hurt Value

At first glance it looked like $BAH would never get another government contract. But now $BAH is up 30% from when it was revealed that Edward Snowden worked for them. They are unlikely to be “leaked out of business” by Snowden’s actions. This adds to the historical evidence that companies do not go out of business if IP is leaked or stolen. It appears that the cliche of any publicity is good publicity is at work.

2013-08-02-BAH-TOS_CHARTS

Improve Security and Efficiency By Going Cloud

Microsoft’s cloud trust study indicates cloud security is a matter of perception.  A recent Trustworthy Computing survey indicates that small businesses that try cloud services seem to appreciate what they have to offer.  This is no surprise since they are in business to make money, not manage infrastructure.  Outsourcing is an opportunity cost decision.  In almost all cases the impact to the business cash flow statement will override any concerns regarding outsourcing vs. insourcing.  Small business survival depends on the adoption of LEAN principles.  Reducing waste reduces cost.

94 percent of SMBs have experienced security benefits in the cloud that they didn’t previously have with their on-premises service, such as up-to-date systems, up-to-date antivirus protection and spam email management.

91 percent of SMBs said the security of their organization had been positively impacted as a result of cloud adoption.

Many non-technical SMBs without full time IT staff are going to experience benefit from cloud services. In order to get the full benefit of security monitoring, it has to be a dedicated 24/7 function. An 8-5 business that doesn’t generate revenue for the other 16 hours is sinking money in performing this function themselves. From a financial point of view it almost never makes sense to ramp up a 24/7 IT shop in these circumstances.

While the survey discusses businesses with 25-499 PCs, there is another demographic that cloud services can provide benefit to. Studies indicate that up to 50% of the US workforce will be self-employed by 2020. The group that stands to benefit most from cloud services is the 1-5 person company where everyone involved is an owner/operator and all other work is subcontracted. Cloud services make the most sense where the owners are the salespeople and unrelated people are subcontractors. It doesn’t matter if you’re selling IT services or office cleaning services, you are already taking on risk from subcontracting. Let’s pretend you are selling IT services and you find a few generic MCSEs to do the hands-on work that are 1099 contractors or B2B such as LLC to LLC. If your entire business is built around finding these freelancers to do the work, you are already outsourcing. What possible reason could you have for wanting to insource your IT infrastructure or personnel?

Security professionals that only look at security may survive in Enterprise IT.  In SMBs every employee is not an IT professional, an accounting professional, etc.  They are stakeholders.  The ability to diversify your portfolio of skills, roles, and personality traits is what will make you a winning team member and a winning investor.

Information Security, Trading, Business