The Equifax breach and its consequences, as they become clearer, have shaken the corporate world, and as more information emerges the story once again looks like one of negligence and procedural failure.
The breach exposed crucial data, including Social Security numbers, addresses and credit card numbers among other personal identifying information, of an estimated 143 million Americans. The company is now bracing for a barrage of lawsuits, and some observers expect its costs to exceed what Target's 2013 breach cost that company.
Large data breaches, and the Equifax debacle above all, are the moments when discussion of the dos and don'ts of IT security heats up. Every business leader and CEO not making the headlines feels relief and fear at the same time.
Relief, because someone else is taking the hit this time. Fear, because they understand it could just as easily have been their company in Equifax's place. So, as happened after the Target breach, this one will be a time of introspection and review for companies, especially those holding sensitive consumer data. What can organisations learn from the Equifax breach, which many regard as the most damaging in American history given the sensitivity of the data exposed, beyond even Target, Yahoo and Sony?
1. Prepare for the inevitable
In its official statement the company said an “application vulnerability” on one of its websites led to the breach. The vulnerable component was Apache Struts, a Java web framework used by many large corporations and government agencies; the flaw is tracked as CVE-2017-5638 and was fixed upstream in Struts 2.3.32 and 2.5.10.1. The U.S. Computer Emergency Readiness Team (US-CERT) had notified Equifax of the flaw about two months before the intrusion began, Equifax said in its press release, and in those two months its security organisation “took efforts” to identify and patch vulnerable systems. Clearly, that did not work: attackers compromised the system even though the company knew it was exposed.
This debacle is a clear message to every company that handles critical data: have an emergency process ready to protect sensitive data the moment a vulnerability is detected. In Equifax's case, even while “efforts” to patch the flaw were under way, customer data sat exposed for months before it was finally taken. The company appears to have had no fallback, and management carried on with business as usual until the inevitable happened.
The truth is that in a cut-throat business environment, taking servers down or troubleshooting after a vulnerability is found can hurt the bottom line. Even so, cost should not have been an obstacle for Equifax, a company that earned nearly $500 million in profit last year. And organisations without $500 million in profit still need to prepare for the inevitable: do not let cost stand in the way of protecting your data, because you will pay far more if you have no alternative in place when the flaw is found.
Every company that handles data should have an alternative plan ready to execute as soon as a vulnerability is detected. Planning should not begin AFTER the detection; the plan should already exist. For a company of Equifax's size and scale, two months was ample time to patch the flaw (or, failing that, to take the vulnerable application offline or isolate it). It is astounding that there was no Plan B.
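The first thing an emergency process needs is a reliable answer to "where is the vulnerable component deployed, and on which version?" The following Python script is an added example, not Equifax's tooling or anything from the original article: it takes a list of jar paths collected from servers (the hostnames and paths here are constructed), picks out struts2-core jars, and flags every one below the fixed releases for CVE-2017-5638 (2.3.32 and 2.5.10.1), treating end-of-life branches as needing manual review rather than assuming they are safe.

```python
import re
from pathlib import PurePosixPath

# Hypothetical inventory check (not Equifax's tooling). Apache Struts 2 ships the
# framework as struts2-core-<version>.jar; CVE-2017-5638, the flaw exploited in
# the Equifax breach, was fixed in 2.3.32 and 2.5.10.1. Anything below the fixed
# release on its branch still needs the patch.
FIXED_RELEASE = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}
JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise, so
    (2, 5, 10) < (2, 5, 10, 1) as the Struts/Maven ordering requires."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True/False for the 2.3 and 2.5 branches; None for any other branch,
    which is end-of-life and must be reviewed by hand rather than assumed safe."""
    fixed = FIXED_RELEASE.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def scan_jars(jar_paths):
    """Return (path, version, status) for every struts2-core jar found.
    status is True (needs patch), False (at or above fixed release), or None."""
    findings = []
    for path in jar_paths:
        match = JAR_NAME.match(PurePosixPath(path).name)
        if not match:
            continue  # not a struts2-core jar; other artefacts are ignored
        version = parse_version(match.group(1))
        findings.append((path, version, is_vulnerable(version)))
    return findings


def needs_action(jar_paths):
    """Paths that need an emergency patch or manual review: the list you hand
    to the incident bridge, with confirmed-vulnerable hosts first."""
    scanned = scan_jars(jar_paths)
    vulnerable = [p for p, _, status in scanned if status is True]
    unknown = [p for p, _, status in scanned if status is None]
    return vulnerable + unknown


# Constructed sample inventory: jar paths as a deployment scanner might collect
# them from several hosts. Hostnames and paths are made up for this example.
SAMPLE_INVENTORY = [
    "web01:/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "web02:/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.32.jar",
    "web03:/opt/tomcat/webapps/disputes/WEB-INF/lib/struts2-core-2.5.10.jar",
    "web04:/opt/tomcat/webapps/disputes/WEB-INF/lib/struts2-core-2.5.13.jar",
    "legacy01:/srv/app/lib/struts2-core-2.1.8.1.jar",
    "web04:/opt/tomcat/webapps/disputes/WEB-INF/lib/commons-fileupload-1.3.3.jar",
]

if __name__ == "__main__":
    for path, version, status in scan_jars(SAMPLE_INVENTORY):
        label = {True: "VULNERABLE", False: "patched", None: "EOL: review"}[status]
        print(f"{label:12} {'.'.join(map(str, version)):10} {path}")
```

The point of the `None` status is the one that bites in practice: a host running a branch that the advisory does not mention is not "safe", it is unknown, and an emergency process should put it on the review list rather than silently skipping it.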
2. Do not take minor breaches lightly
Reports indicate that Equifax suffered two smaller breaches earlier this year in which no crucial data was compromised. That in itself suggests the company's security systems were lacking, and that despite two alarm bells the required upgrades were not made.
For everyone else: react quickly to minor breaches, because it is often these small gaps that point to bigger flaws in the defence. Do not take minor breaches lightly! Treat each one as an opportunity to streamline the process of protection, detection and response, and as a time for the incident response, security engineering and security operations teams to sit down together and work out how to make that process more effective.
3. Re-examine the Big Picture
By focusing on patching and password management, which is what we usually do after a major breach, we miss a far deeper and more troubling problem: the fundamental design of the infrastructure. Given the state of security today, it is absolutely reckless to let a single server, desktop or laptop reach over 100 million records. Any system designed to allow access to that many records from a single source (or from a cluster of the same type of source) should never have made it out of the design stage. Security should not end at patch management and penetration testing; bigger gestures are needed.
Systems must be designed on the assumption that at some point they will be compromised. That means limiting trust and placing barriers at each stage. For every component in the design, ask where it sits in the security model and what the consequences would be if it were compromised; the answer tells you how much protection to put around it. No single system should be able to reach all the data in the firm's data centre, and segmentation is one way to bound how much data any one breach can reach.
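To make the blast-radius idea concrete, here is an added example (not Equifax's architecture and not from the original article) of a data-access gateway in Python. The stores, service names, policies and records are all constructed for the illustration. Each service identity is tied to a single store, a fixed set of fields and a per-window record budget, so a stolen credential for the public dispute portal can pull at most 50 dispute rows and no Social Security numbers at all, and every denial raises an alert.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical data-access gateway (not Equifax's architecture): every service
# reaches consumer data only through this layer, which enforces (1) which store a
# service may touch, (2) which fields it may read, and (3) how many records it may
# pull per window. A compromised service is then bounded by its policy, not by
# the size of the database.


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Policy:
    store: str             # the single data store this identity may reach
    fields: frozenset      # columns it may read from that store
    budget: int            # records it may read per window before being cut off


@dataclass
class Gateway:
    stores: dict           # store name -> {record_id: {field: value}}
    policies: dict         # service identity -> Policy
    reads: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def read(self, identity, store, record_id, fields):
        policy = self.policies.get(identity)
        if policy is None or store != policy.store:
            self._deny(identity, f"store {store!r} not in scope")
        out_of_scope = set(fields) - policy.fields
        if out_of_scope:
            self._deny(identity, f"fields not in scope: {sorted(out_of_scope)}")
        if self.reads[identity] >= policy.budget:
            self._deny(identity, "record budget exhausted")
        self.reads[identity] += 1          # budget is per gateway instance here;
        row = self.stores[store][record_id]  # a real system resets it per window
        return {f: row[f] for f in fields}

    def _deny(self, identity, reason):
        # Every denial is an alert: a legitimate service rarely hits these
        # limits, so a burst of denials is an early signal of compromise.
        self.alerts.append((identity, reason))
        raise AccessDenied(reason)


def build_demo_gateway(n_records=1000):
    """Constructed sample data: two segmented stores and two service identities."""
    pii = {i: {"ssn": f"000-00-{i:04d}", "dob": "1970-01-01", "address": f"{i} Main St"}
           for i in range(n_records)}
    disputes = {i: {"dispute_status": "open" if i % 3 else "closed"} for i in range(n_records)}
    policies = {
        # Public-facing dispute portal: one store, one field, a small budget.
        "dispute-portal": Policy("disputes", frozenset({"dispute_status"}), budget=50),
        # Internal fraud model: PII store but never the SSN, and still capped.
        "fraud-analytics": Policy("pii", frozenset({"dob", "address"}), budget=200),
    }
    return Gateway(stores={"pii": pii, "disputes": disputes}, policies=policies)


def dump_as(gw, identity, store, fields, record_ids):
    """What an attacker holding this identity's credential can pull before the
    gateway cuts them off."""
    leaked = []
    for rid in record_ids:
        try:
            leaked.append(gw.read(identity, store, rid, fields))
        except AccessDenied:
            break
    return leaked


if __name__ == "__main__":
    gw = build_demo_gateway()
    got = dump_as(gw, "dispute-portal", "disputes", ["dispute_status"], range(1000))
    print(f"portal credential dumped {len(got)} of 1000 dispute rows before cut-off")
    got = dump_as(gw, "dispute-portal", "pii", ["ssn"], range(1000))
    print(f"portal credential dumped {len(got)} SSNs")
    got = dump_as(gw, "fraud-analytics", "pii", ["ssn", "dob"], range(1000))
    print(f"analytics credential dumped {len(got)} SSNs")
    print("alerts raised:", gw.alerts)
```

The design choice worth noting is that the three checks are ordered from cheapest to most stateful (store, then fields, then budget) and that none of them depends on the attacker behaving well: a dump loop simply stops getting rows, and the alert list is what the operations team sees.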
4. Be Proactive
After the breach was discovered and confirmed, Equifax executives waited six weeks before announcing it. In those six weeks the attackers had more than enough time to exploit the financial and credit card data they had stolen. This painted the company in an even worse light, suggesting its leaders were too embarrassed to tell the public they were at risk. Even after the announcement, responses such as free credit monitoring whose terms of service initially appeared to waive the right to sue did little but annoy customers.
It may not be pleasant to imagine your company in this situation, but it is essential. Every organisation should have a basic crisis management plan for a major data breach, aimed first at minimising harm to customers. Sitting on the news as Equifax did only increases the loss to the company and its customers. Instead, a process should be in place to alert critical stakeholders immediately and to support affected customers. No company can be 100% prepared for a breach of this size, but an annual simulated drill, supervised by appropriate third-party auditors, puts your company in a far better position when a real breach comes.