The multistate settlement over the 2013 Target data breach outlines the kind of security measures enterprises should have in place to avoid being found negligent with customer data. The problem is that the settlement doesn't go far enough to improve organizational security. For the proactive CSO, the settlement marks the bare minimum, not a goal to aspire to.

Tom Kellermann, CEO of Strategic Cyber Ventures and the former CSO of Trend Micro, called the terms a "slap on the wrist" for Target and said they were insufficient because they focused on keeping attackers out rather than on improving response. Modern security needs to focus on reducing the time between a compromise and its detection, and on making it harder for attackers to carry out their operations. While network segmentation and two-factor authentication will slow attackers down, the bulk of the terms are still defensive in nature.

"They [settlement terms] represent yesterday's security paradigm," Kellermann said.

To briefly recap, criminals stole credentials from a third-party HVAC vendor, gained access to Target's network, and then infected payment systems with data-stealing malware just before the start of the 2013 holiday shopping season. The malware skimmed credit and debit card information belonging to about 40 million consumers, along with personally identifiable information (PII) for 70 million people. Target's security systems had detected the intrusion, but no one understood the significance of the alerts or acted upon them, which resulted in the massive data breach.

To its credit, Target has since toughened its security posture and made significant improvements, and many in the industry point to the retailer as a good example of how to recover from a data breach.

The settlement gives Target 180 days to "develop, implement, and maintain a comprehensive information security program," but most of the terms refer to changes the retailer has already adopted.

"[The] settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers," Illinois Attorney General Lisa Madigan said in a statement.

The reference to industry standards suggests that future breach-related lawsuits may cite the Target settlement to argue that an organization did not go far enough in protecting personal information and other sensitive data. The settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network, and enforcing stricter access control policies for sensitive networks and data.

"All organizations that store valuable data need to implement a comprehensive security program that includes continuous risk assessments and a responsible executive that is accountable and actively involved in the program," said Steven Grossman, vice president of strategy at Bay Dynamics.

Laundry list of what to do

Target agreed to tighten its digital security, which includes:

- Develop and maintain a comprehensive information security program
- Maintain software and encryption programs to safeguard people's personal information
- Separate its cardholder data from the rest of its computer network
- Rigorously control who has access to the network
- Regularly bring in an independent, well-qualified third party to conduct comprehensive assessments of its security measures
- Hire an executive officer to run its new security program and serve as a security advisor to the CEO and the board of directors

Other must-have safeguards are specific to the payment systems and the "cardholder data environment":

- Whitelisting to detect and block unauthorized applications from executing on payment systems and servers
- File integrity monitoring
- Change management to detect unauthorized changes to applications and operating systems
- Logging and monitoring of all security-related information and of devices attempting to connect to the sensitive network

None of this sounds particularly advanced. In fact, network segmentation is an IT best practice and something companies should already be doing. It is nice to finally see a mandate that calls for two-factor authentication on individual, administrator and vendor accounts. The requirement that card information be encrypted is a basic part of the Payment Card Industry Data Security Standard (PCI DSS), and it simply reiterates that encryption needs to be at the center of any comprehensive security program. The settlement also reminds Target that it has to keep up with patching and software updates.

"Target shall make reasonable efforts to maintain and support the software on its networks, taking into consideration the impact an update will have on data security in the context of Target's overall network and its ongoing business and network operations, and the scope of resources required to address an end-of-life software issue," according to the settlement.

What's missing

Considering that the initial intrusion came through a third-party vendor, the settlement is vague on what enterprises should be doing about their partners and contractors beyond "develop, implement and revise as necessary written, risk-based policies and procedures for auditing vendor compliance" against existing security policies. Requiring two-factor authentication for contractors and vendors will make a difference, but enterprises need a clearer idea of what other risks a third party poses to their environment.

"It is essential that outsourcers know what services third-parties are performing, what controls they have in place, and verify that these controls are operational," said Charlie Miller, a senior vice president with the Santa Fe Group's Shared Assessments Program. Enterprises need processes that determine what restricted access and security controls are appropriate when bringing a third party on board.

The settlement also talks about penetration tests and other ways to assess security measures, but it stops short of asking for continuous assessments. "The recommendations on assessing risks using penetration testing are not enough," said Guy Bejerano, CEO and co-founder of SafeBreach. Enterprises can't rely on once-a-year or periodic penetration tests to stay abreast of all the threats, because new vulnerabilities are constantly being found and new attack tools constantly being developed.

The CSO needs to oversee and run the security program and advise the CEO and the board of directors, but the settlement did not mandate that this individual report directly to the CEO and the board, which is a miss. In many enterprises the CSO, despite being a C-level executive, doesn't report directly to the CEO and is shuffled under the CIO, the CTO or even legal. The CISO/CSO should report directly to the CEO and receive a budget separate from that of IT.

Industry standards are still a low bar

As part of settling with the states, Target has to pay $18.5 million. While New York Attorney General Eric T. Schneiderman touted the agreement as the largest multistate data breach settlement to date, it is pocket change for a company that reported over $20 billion in profits last year and has already paid $202 million in legal fees and other post-breach costs over the past four years. This isn't even the first settlement: Target settled for $39 million with the financial institutions affected by the breach and allocated $10 million for the consolidated class action lawsuit (along with $6.75 million for plaintiffs' attorneys' fees and expenses).

There have been concerns that companies might deprioritize security activities and risks because it is cheaper to pay the fine after something goes wrong than to put in the time and effort to do it right. The settlement does nothing to change that viewpoint, but the fact that some of the basics are now codified as "industry standards" may at least raise the bar to the bare minimum. For many organizations, segmenting the network and adding more security layers around sensitive data environments can make a huge difference in how easily criminals can move around or steal information.