Lessons from the Equifax Breach
There are many lessons to be learned from the 2017 Equifax breach, (one of the three major national credit reporting agencies). A key one: pathetically weak IT disciplines leave businesses vulnerable to attack. Two months after an industry group discovered the coding flaw in their data systems and shared a fix, hackers took advantage of that flaw at Equifax.
This raises questions about why Equifax didn’t update its software successfully when the danger became apparent. But don’t think that the blame for these kinds of massive problems rests solely, or even mostly, on inadequate technology – even with its flaws. In this case, the Equifax breach was created by a combination of poor password discipline and inadequate software maintenance. These are procedural and process issues. While procedural and process issues hover over technology – technology is not to blame, per se.
Important Lessons from the Equifax Breach
This compound root cause underscores the value of a holistic, disciplined approach to information security – an approach which combines and integrates internal process discipline, uncompromising standards, and maintenance rigor.
The deficiencies at Equifax could have been revealed with even the most basic security and procedural compliance audits.
“The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner,” said the Apache Foundation, which oversees the widely-used open source software.
If that weren’t enough evidence of lack of discipline and rigor, according to security blogger Brian Krebs and quoted by the BBC, Equifax’s online employee tool used in Argentina could be accessed by typing “admin” as both a login and password!
While Equifax is one of the largest consumer information repositories, there are between 3,000 and 4,000 other data brokers that are collecting, saving, and selling information about you. It’s probably safe to guess that half of them are companies you’ve never heard of and have no business relationship with.
Information today is commerce. It’s like the old Faberge shampoo commercial from the 80s, “…she tells two friends, and then she tells two friends…” The companies that collect and sell your data don’t need to keep it secure in order to maintain market share.
Global Footprints Make Things Worse. It’s important to remember that a weakness in one location can affects all others. By not having standards, discipline and rigor, negligence can reach the criminal level.
If we look at Security & Compliance breaches from 2016 to this year, reported data breaches increased by 40%. Yahoo’s was the largest in history – 1 Billion accounts hacked in 2013 and then another wave in 2014. Equifax seems small in comparison (143 million users), but the data was more impactful. Both incidents could have been avoided.
To Err is Human…
The list of potential human error risk factors is long, including not updating systems security or patches timely or appropriately, not managing system patches, lost or misplaced devices, and the use of common default passwords and user IDs. Why would using “admin” for either ever be a good idea?
So, what are the consequences of these security breaches?
- Enormous brand damage – typically reflected in share process
- Forced shut downs
- Lost jobs
- Lost market share
- Heightened regulatory scrutiny
- Unanticipated extraordinary costs
- Damaged and devalued brand identity
- Irreparable damage to victimized customers
The Security and Compliance Audit is Essential
The Equifax vulnerabilities that led to the breach (delayed updates and poor passwords) would have been captured in any reasonably rigorous Security and Compliance audit, or assessment.
A sound assessment comprises:
1. A review of the firm’s security policies and procedures.
Does the firm HAVE a sensible information security policy? Is it current for both the specific software and systems you’re using? Is everyone accountable for and on-board with it?
2. Are periodic audits of the policies and procedures performed.
Annually (at minimum) corporate data and what level of security is required for each type of data must be assessed, expired passwords must be ferreted out and updated – and software patches and updates must be applied. By auditing your systems and employee behaviors, you can find the small vulnerabilities that can lead to significantly larger ones.
3. Be highly sensitive to the human behavioral component.
The human factor is usually a major problem.
Employees can be sloppy. With Equifax, it was a human problem, NOT a technical problem. Above all else, assure policies are in place, adhered to, trained and ingrained into everyone’s daily behaviors.
4. Put in place a remediation plan.
The moment you realize your organization’s information has been compromised, and that doesn’t always happen immediately, the whole team must spring into action and know what to do. That doesn’t happen without training and re-training.
In the Equifax case, as in many others, poor process disciplines, poor policy, and poor administration of the policy are at fault. A lack of audits are what enable human error that goes off track. Managing cyber-risk is a multi-faceted, whole-organization effort that requires strong policies, procedures and buy in.
BE PREPARED is as appropriate and meaningful to commerce as to the Boy Scouts.
Not a member-scholar yet? Join our financial community here!
Identify your path to CFO success by taking our CFO Readiness Assessmentᵀᴹ.
For the most up to date and relevant accounting, finance, treasury and leadership headlines all in one place subscribe to The Balanced Digest.