Article written by
Doug Davidson
Director, Information Technology Services
Equifax, one of the “big three” U.S. credit bureaus, announced last week that cyber criminals had taken advantage of a weakness in a web application to steal personal data such as people’s names, Social Security numbers, birth dates and addresses.
The announcement was marred by everything from a suspicious-looking breach notification website, to inaccurate breach notification results, to accusations of potential insider trading in the days before the breach was disclosed. Equifax is facing a PR nightmare above and beyond the fallout of the breach itself. The end result is likely to be VERY costly for Equifax, particularly in light of the $70 billion lawsuit that has already been filed.
Marketing, security, legal and disaster recovery professionals will be analyzing Equifax’s response as a case of what not to do.
Senior business leadership should be asking questions, too.
If this happened to my business, would we be able to keep our doors open?
GBQ strives to help our clients identify and implement information security programs designed to prevent, detect and respond to security incidents in a manner that minimizes the impact on your business.
If you’re wondering whether or not your organization is at risk, ask yourself the following questions:
- Are we exposing information needlessly? Equifax has not provided technical details about how the attackers penetrated the website. Some commentators are already questioning why such a treasure trove of information was reachable from the internet without additional layers of protection. A decision was likely made to house the information where it could be conveniently accessed. Convenient access needs to be balanced against a clear understanding of the risks involved.
- Are we patching our technical vulnerabilities in a timely manner? The attackers compromised Equifax by exploiting a technical vulnerability on one of Equifax’s internet-facing servers. If we’re not identifying and remediating our vulnerabilities on a defined schedule, we’re at risk.
- Are we logging and monitoring internal network traffic? The attackers were on Equifax’s internal network for almost THREE MONTHS before the compromise was discovered. By that time, the damage had already been done. Collecting logs is not enough on its own; someone has to review them and act on what they find. If we’re not monitoring our internal network for suspicious traffic, we’re at risk.
- Have we documented and tested our security incident response plan? In responding to security events, speed matters. An incident response plan predefines how a firm will respond to security events of varying severity, up to and including a breach. A good plan defines how your technical team will respond as well as how communications, legal, regulatory and insurance issues will be addressed. A well-maintained plan is tested at least annually to work the kinks out before an actual incident occurs.
- Do we have a business culture where bad news travels quickly to those who need the information? Part of the PR nightmare facing Equifax (which might turn into a legal nightmare) is the fact that three executives sold Equifax stock in unscheduled trades just days before the announcement. Their defense? They didn’t know about the breach. The truth of their story will likely be challenged, but if it is true, it means the company operated for weeks with key decision makers in the dark about the event.
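The internal monitoring question above is the one most often answered with “we collect the logs” when the honest answer is “nobody looks at them.” As an added example (not Equifax’s tooling and not GBQ’s own code), here is the kind of baseline-and-deviation check a security team can run over exported internal flow records to surface a server that suddenly starts talking to hosts it never used to, or moving far more data than it normally does. The record format, the host names (web-01, app-01, db-01), the cutoff date and the flow lines themselves are all constructed for the illustration; in practice the records come from a firewall, NetFlow or cloud flow-log export.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed flow records for the example: "<ISO time> <src> <dst> <dport> <bytes>".
# web-01 is an internet-facing web server, app-01 the application tier and
# db-01 the database holding sensitive records. During the baseline days
# web-01 talks only to app-01; from 27 July it starts pulling data from
# db-01 directly, off-hours, and its daily outbound volume jumps.
SAMPLE_FLOWS = """\
2017-07-20T09:00:00 web-01 app-01 8080 120000
2017-07-20T10:00:00 web-01 app-01 8080 130000
2017-07-20T11:00:00 app-01 db-01 1433 400000
2017-07-21T09:00:00 web-01 app-01 8080 120000
2017-07-21T10:00:00 web-01 app-01 8080 130000
2017-07-21T11:00:00 app-01 db-01 1433 400000
2017-07-22T09:00:00 web-01 app-01 8080 120000
2017-07-22T10:00:00 web-01 app-01 8080 130000
2017-07-22T11:00:00 app-01 db-01 1433 400000
2017-07-23T09:00:00 web-01 app-01 8080 120000
2017-07-23T10:00:00 web-01 app-01 8080 130000
2017-07-23T11:00:00 app-01 db-01 1433 400000
2017-07-27T02:00:00 web-01 db-01 1433 2000000
2017-07-27T09:00:00 web-01 app-01 8080 120000
2017-07-27T11:00:00 app-01 db-01 1433 400000
2017-07-28T02:00:00 web-01 db-01 1433 2000000
2017-07-28T09:00:00 web-01 app-01 8080 120000
2017-07-28T11:00:00 app-01 db-01 1433 400000
"""

# Assumption for the example: everything before this date is the known-good
# baseline. A real deployment uses a rolling window and re-checks the
# baseline itself for contamination.
CUTOFF = datetime(2017, 7, 25)


def parse_flows(text):
    """Turn the whitespace-separated records into (time, src, dst, port, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def find_anomalies(flows, cutoff, volume_factor=5.0):
    """Compare traffic after `cutoff` with the baseline before it.

    Two checks: (1) a (src, dst, port) triple that never appeared in the
    baseline is reported once as a new peer; (2) a source whose daily
    outbound bytes exceed `volume_factor` times its baseline daily mean is
    reported as a volume spike for that day.
    """
    baseline = [f for f in flows if f[0] < cutoff]
    recent = [f for f in flows if f[0] >= cutoff]

    known_peers = {(src, dst, port) for _, src, dst, port, _ in baseline}

    # Per-source list of daily byte totals during the baseline.
    base_per_day = defaultdict(int)
    for ts, src, _, _, nbytes in baseline:
        base_per_day[(src, ts.date())] += nbytes
    base_daily = defaultdict(list)
    for (src, _), total in base_per_day.items():
        base_daily[src].append(total)

    findings = []

    reported = set()
    for _, src, dst, port, _ in recent:
        key = (src, dst, port)
        if key not in known_peers and key not in reported:
            reported.add(key)
            findings.append(("new_peer", src, dst, port))

    recent_per_day = defaultdict(int)
    for ts, src, _, _, nbytes in recent:
        recent_per_day[(src, ts.date())] += nbytes
    for (src, day), total in recent_per_day.items():
        history = base_daily.get(src)
        if history and total > volume_factor * mean(history):
            findings.append(("volume_spike", src, day.isoformat(), total, round(mean(history))))

    return findings


def run_example():
    return find_anomalies(parse_flows(SAMPLE_FLOWS), CUTOFF)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the constructed data the check reports one new peer (web-01 talking straight to db-01 on 1433) and a volume spike for web-01 on both 27 and 28 July, because its daily total of 2,120,000 bytes is well above five times its 250,000-byte baseline mean. Neither signal is proof of compromise on its own; the point is that both are visible in traffic the organization already has the means to log, and that a web tier opening a new path to the database tier is exactly the kind of event that should reach a human within hours, not months.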
With the right balance of leadership, discipline and planning, you can appropriately manage the risks facing your own organization. When you’re ready to speak with someone at GBQ about your organization’s information security program, know that we’ll be ready to help.