Equifax Data Breach Settlement is a Warning Shot to Businesses Everywhere
Brian Thomas | July 26, 2019
The summer of 2019 is proving to be a cybersecurity record breaker – for all the wrong reasons. In the past two weeks, businesses in Europe and the U.S. were levied massive penalties after probes into data breaches that left consumer data exposed.
That record didn’t hold for long. This week, credit reporting giant Equifax felt the wrath of state and federal investigators. Following probes into its massive 2017 data breach — which resulted in the compromise of personal information, including Social Security numbers, of 143 million Americans — Equifax agreed to pay up to $700 million in fines and reparations. That’s almost three times the fine imposed by GDPR regulators on Marriott and British Airways combined.
Nearly two-thirds of breaches follow the Equifax pattern
Perhaps the biggest takeaway from the Equifax breach is that it could have been mitigated. Hackers are increasingly sophisticated, but they also prey on sitting targets who fail to maintain proper security hygiene and the most elementary security protections. As Wired magazine reports, a known vulnerability in the company’s Apache Struts web application software proved to be an easy exploit for hackers. While a fix had been available for months, Equifax had not yet patched its systems, which is all too common for organizations (as BitSight has observed recently with organizations failing to address the BlueKeep vulnerability, for example).
Vulnerabilities aside, what unites these breaches is that no one is paying attention to the strategic risk that a company’s security posture poses. This is particularly true of the C-suite and boardroom, where security is often overlooked until a breach occurs. Then, when words like “inept” and “negligent” are uttered, executives begin to take notice because they understand the impact on their organizations’ reputation and credibility.
But if businesses won’t regulate themselves, governments and policy makers are happy to step in. That’s why Europe has GDPR and U.S. states like California and Ohio are following suit with their own data privacy laws. Meanwhile, The Washington Post reported that federal U.S. policy makers are increasingly questioning whether “only through tough, new federal laws would Equifax and other companies truly improve their digital defenses.”
The table stakes are high
Understanding the risk and exposure your company faces must be at the forefront of strategic discussions and planning. The challenge for many organizations is that they lack visibility into the true nature of risk – in their own operations, across their third-party vendors and supply chains, and even M&A targets. How do you remediate a risk you can’t see?
As the costs of cyberattacks skyrocket, traditional manual risk assessments are falling short. A better approach would be to implement a data-driven and dynamic measurement of your organization’s cybersecurity performance using tools like security ratings.
Security ratings automatically monitor the security status of your organization, third-party vendors and suppliers, and even acquisition targets for vulnerabilities and risk vectors on a continuous and global basis. With insight into security liabilities, risky user behavior, security diligence such as patching cadence, and even compromised systems, you can take the right steps towards reducing risk.
Now’s the time to proactively identify, quantify, and manage cybersecurity risk throughout your ecosystem. As GDPR and now Equifax’s record-breaking fine show, if you’re not staying on top of the rising cybersecurity table stakes, lawmakers and regulators may try to kick you off the table.