Chances are that 1 in 2 adults in the US have just had their SSNs, birth dates, and addresses put on the auction block. The periodic and ongoing saga of corporate hacks just got very real.
Once again, the questions that arise are: how did this happen, and what can we do to prevent it from happening again? Now that an established and well-funded entity dealing in high-risk data has been breached at such a large scale, what can the rest of us do differently?
From our consulting experience with leading financial institutions, here are 7 glaring issues that Equifax could have addressed, and that the rest of us should be addressing, right away. We'll expound on each of these items in blog posts to follow.
Controls. All of the data that was accessed appears to have had minimal or no controls. A well-designed system optimizes its data footprint and ensures that questions such as "Do we need this data? How critical is it? Where should it be stored? What's the best way to protect it?" are asked and answered. Enabling such controls helps minimize the chance of data exfiltration. Given the sensitive nature of the data it handled, Equifax could have done better.
Data classification. Indications are that this attack, though technical, was relatively unsophisticated, implying that critical data was 'easily' accessible. While the best defense may be to keep your data behind an air gap, that is not practical for obvious reasons. However, do all fields of a data record need to be internet-facing? Segregating data into classes, each with right-fit security protocols, helps mitigate the impact of hacking attempts while balancing limited resources.
Security hygiene. A lack of easy-to-implement policies and procedures seems to be at play here. Basic measures such as API input sanitization, up-to-date patching, and limiting admin privileges, especially on external-facing systems, would go far in preventing similar breaches.
Business resources. What does the business have to do with IT security? Equifax's open CISO position notwithstanding, proper risk management is achieved through a collaborative effort between business and IT. The business can not only help classify and categorize data and applications but, more importantly, drive the appropriate allocation of critical resources.
Mean time. A realization lag followed by a weak response only exacerbates the situation. Both the mean time to discovery and the mean time to remediation were high in the Equifax breach. Are there existing protocols, policies, and procedures in place for a swift and impactful response to a hack? The impacts, as can be seen, are extremely high: class-action lawsuits are already flying.
Crisis response. According to a 2013 study, only 54% of companies have a crisis plan in place. We are not sure which bucket Equifax falls into, but an organization of such standing can certainly be expected to do better. Requiring additional personal information to check whether a user is affected, encyclopedic terms and conditions (including a now-defunct clause waiving the right to sue), and a lack of proper countermeasures (i.e. only limited credit monitoring) should certainly not make the final cut of your crisis response plan. The moral of this story: plan ahead.
Authentication. As an industry and as a society, we have set ourselves up to make this kind of breach hurt even worse. Social Security numbers were first issued by the Social Security Administration in November 1935 to track individuals for the federal old-age, survivors, and disability insurance program. 82 years on, is it time to relegate SSNs to their original purpose? SSNs are not secret and have not been for decades, so why are we still tying our personal identities to them? It is time to evaluate and implement modern mechanisms for authentication.
Any one of the above issues could allow what happened; when they line up, it becomes just a matter of time. Let us help you, as we have many of our clients, reduce your data footprint, build resiliency into your operations, gain visibility into your risk posture so you can execute the right actions, and stay out of undesired headlines.
#informationrisk #informationsecurity #personaldata #dataprotection