Learn From Equifax's Most Recent Security Breach
Equifax has made some serious missteps lately, both technically and in its incident response. What’s really disturbing: while this is the largest, this is not an isolated incident. We won’t cover the details here, since there are plenty of sources where you can find information about the breach, its consequences, and what has happened since.
What we will cover is some thoughts around what we can all learn from the events leading up to, during, and after the breach. At Kelser, we don’t want any company to fall victim to the same incident and aftermath that Equifax did. We match our recommendations to our clients’ business objectives, establishing a comprehensive and multi-layered strategy to manage risk before, during and after a cybersecurity incident.
Creating a strong cybersecurity posture is essential in today's fast-moving world. Sign up for our no-cost Security Study to understand where yours can be stronger.
I have spoken extensively in the media in Connecticut about protecting business assets, keeping data safe, and cybersecurity in general, and have shared Kelser's professional recommendations in a few guest appearances. To listen to the source audio, check out:
Equifax had the chance to keep their software up-to-date, but did not. Don't make that same mistake. Regular maintenance, including patching, is one of a few basic cybersecurity measures you can take to improve your cybersecurity posture and reduce risk. Much of the recent media coverage emphasizes the complications and delays inherent in updating and patching large-scale applications, in an effort to explain how Equifax could have taken so long to patch a known vulnerability.
While it’s true that the process can be complicated and take some time, businesses that are serious about cybersecurity integrate critical software updates into their routine and are able to stay up to date — no matter how large or complex their application. A delay of more than a month in rolling out mission-critical security updates is a sign of mismanaged cybersecurity processes. We need to look at patching and system maintenance, even if it means downtime, as part of what needs to be done to keep a business going (like month-end in accounting).
Know and Adhere to Industry Regulations
In the case of Equifax, there are no federal equivalents as large and powerful as HIPAA for the healthcare industry, or NIST for the manufacturing industry with DoD contracts. While the FTC and CFPB have been involved, they do not have the same level of authority that other regulators do, within their respective industries.
However, while there is no strong regulatory body overseeing credit reporting agencies, Equifax has data subject to standards set out by the Payment Card Industry Security Standards Council, since it stores consumer credit card information. In addition to social security numbers and other personal information (including driver’s license numbers), hackers were able to steal information on about 200,000 credit cards as part of the breach.
While the breach at Equifax may lead to a change in regulatory oversight, historically the big three credit reporting agencies have opposed such changes.
Regaining Trust is Difficult
The most painful lesson from Equifax's data breach will be felt in reputation and a loss of trust from customers. While they are finally taking steps to remedy the situation and offer their customers a Credit Freeze, the response has been lacking.
Another body blow to Equifax is the recent drop in its stock price, which fell almost 14% in the days after the breach was announced. For shareholders, executives, and employees, this is a huge financial blow. This is compounded by allegations that Equifax executives sold their shares after the vulnerability was exposed but before the breach was announced, and that Equifax is profiting off the losses of consumers.
For small and medium sized companies, damage to reputation is very difficult to overcome and can impact the ability to stay in business.
But there's really no excuse - and that's because Equifax could have avoided this situation, but elected not to.
But the good news is that this does not have to be you. In the case of cybersecurity, it’s not a matter of if, but when. Considering that, the most respected organizations are not without fault, but find strength in the way they handle an incident, conveying confidence and resolve in their ability to fix it and make things right.
Prevention is a Step in the Right Direction...
Creating a healthy cybersecurity posture is the same as eating an apple a day and walking around the block for your good health: being proactive is the most effective way, and will cost your business the least in the long run. It’s all about managing risk and lessening the impact of an incident.
Some steps that organizations need to take to remain safe don't require mountains of capital or entirely new systems - many are as simple as training employees on the correct use of passwords or routinely keeping software up-to-date.
...But You Need to Prepare for the Worst
In 2017, it's much less a question of whether this will happen, and more likely a case of when it will happen. Having a plan in place to react after a cybersecurity incident occurs quickly puts all your team members on the same page, assigns accountability and ownership, and lays out clear expectations for communicating to stakeholders outside of the company. The middle of an incident is not the time you want to be developing a communication and incident response plan.
After an incident, there also has to be a strategy for remediation, which may even include compensating affected individuals or businesses for the loss of their information, privacy, and trust.
If you don’t have all of this in place yet - don’t worry. Sign up for a free security study to get a firm understanding of how your cybersecurity posture stacks up.