Ready to Start Your Career?
September 8, 2017
5 Things Every Organization Can Learn from the Equifax Breach
September 8, 2017
By now you’ve most likely heard that the Equifax breach has hit 44% of the population in America, not to mention the consumers effected in the UK and Canada.In a statement released by Equifax Inc. (NYSE: EFX), which provides little detail other than to note that the impact of the breach reaches approximately 143 million U.S. consumers, indicates that a compromise “exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.”This breach is especially worrisome as it involves personal identifiable information (PII) including birth dates, addresses, social security numbers, driver’s license numbers, and credit card information.Ouch.As news of the Equifax compromise began to spread, so did the chatter on social media about the impact of this latest “major” breach.There has already been much conjecture as to how this could have happened to such an organization which, as aptly stated by Equifax Chairman & CEO, Rick Smith, is “clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do.”Cyber security professionals are already pointing fingers and assigning blame: to the company itself; to the developers of the web application for allowing the vulnerability to exist; to the Experian Cybersecurity team for failing to detect the attack; to certain Cybersecurity products that were employed by Experian; to certain product vendors that cite Experian as a customer success story or ‘use case.’As noted by Alex Stamos, CSO of Facebook, the blame game should not even enter the conversation, but rather, the discussion should be solution focused.“The security community has the tendency to punish those who implement imperfect solutions in an imperfect world,” Stamos said. “We have no empathy. We don’t have the ability to put ourselves in the shoes of people we are trying to protect.”Practitioners need to take a closer look at the systemic, cultural, and procedural failures that led first to the compromise itself and the failure to detect the compromise for nearly three months.Today companies and their cyber security teams are beginning to ask the questions, “Could this happen to us?” and “Are we doing the right things to prevent this type of compromise?” Although a step in the right direction, simply posing the questions does not offer a solution.There is always more preventative security measures that can be taken. Organizations should use this unfortunate Equifax instance as a learning opportunity to perform an evaluation of their security.
Specifically, there are 5 things every organization can learn from the Equifax breach:
- Security is not simply a matter of budget. We can make the assumption that a company like Equifax has a larger security spend than most. That being said, it’s a matter of changing the mindset from “If only we had enough money, this problem would be solved” to “How effective are the resources we have? Maybe they need to be reallocated.”
- Detection takes too long. In the case of Equifax, three months is faster than the industry average, but the second an attacker has access to your systems, too much time has lapsed.
- Take an offensive approach to security. Operate with the mindset you are constantly under attack (which chances are, could be true). Build your operations with this in mind so the focus is on prevention rather than recovery.
- Encryption is a useful tactic. Although a cumbersome tool to employ, the benefits speak for themselves.
- Assume that all ‘trust’ your brand had has revoked and immediately work to rebuild it. Perhaps the biggest flaw in the aftermath of this breach was the request for more consumer PII from an organization who demonstrated they cannot be trusted with it. (That is, the “determine if your personal information may have been impacted by this incident.” Which prompts users to enter their last name and part of their social security number.)