Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.
The summer of 2019 is proving to be a cybersecurity record breaker – for all the wrong reasons. In the past two weeks, businesses in Europe and the U.S. were levied massive penalties after probes into data breaches that left consumer data exposed.
The record setting began in early July when fines were imposed on British Airways and Marriott International for non-compliance with the European Union’s (EU) General Data Protection Regulation (GDPR) data privacy requirements following breaches reported in 2018.
That record didn’t hold for long. This week, credit reporting giant Equifax felt the wrath of state and federal investigators. Following probes into its massive 2017 data breach — which resulted in the compromise of personal information, including Social Security numbers, of 143 million Americans — Equifax agreed to pay up to $700 million in fines and reparations. That’s almost three times the fine imposed by GDPR regulators on Marriott and British Airways combined.
Nearly two thirds of breaches follow the Equifax pattern
Perhaps the biggest takeaway from the Equifax breach is that it could have been mitigated. Hackers are increasingly sophisticated, but they also prey on sitting targets who fail to maintain proper security hygiene and the most elementary security protections. As Wired magazine reports, a known vulnerability in the company’s Apache Struts web application software proved to be an easy exploit for hackers. While a fix had been available for months, Equifax had not yet patched its systems, which is all too common for organizations (as BitSight has observed recently with organizations failing to address the BlueKeep vulnerability, for example).
Security remains a critical business oversight
Equifax is certainly not alone in patching speed. Today 60% of companies are breached as a result of an unpatched vulnerability.
Vulnerabilities aside, what unites these breaches is that no one is paying attention to the strategic risk that a company’s security posture poses. This is particularly true of the C-suite and boardroom where security is often overlooked until a breach occurs. Then, when words like “inept” and “negligent” are uttered, executives begin to take notice because they understand the impact upon their organizations’ reputations and credibilities.
But if businesses won’t regulate themselves, governments and policy makers are happy to step in. That’s why Europe has GDPR and U.S. states like California and Ohio are following suit with their own data privacy laws. Meanwhile, The Washington Post reported that federal U.S. policy makers are increasingly questioning whether “only through tough, new federal laws would Equifax and other companies truly improve their digital defenses.”
The table stakes are high
Understanding the risk and exposure your company faces must be at the forefront of strategic discussions and planning. The challenge for many organizations is that they lack visibility into the true nature of risk – in their own operations, across their third-party vendors and supply chains, and even M&A targets. How do you remediate a risk you can’t see?
As the costs of cyberattacks skyrocket, traditional manual risk assessments are falling short. A better approach would be to implement a data-driven and dynamic measurement of your organization’s cybersecurity performance using tools like security ratings.
Security ratings automatically monitor the security status of your organization, third-party vendors and suppliers, and even acquisition targets for vulnerabilities and risk vectors on a continuous and global basis. With insight into security liabilities, risky user behavior, security diligence such as patching cadence, and even compromised systems, you can take the right steps towards reducing risk.
Now’s the time to proactively identify, quantify, and manage cybersecurity risk throughout your ecosystem. As GDPR and now Equifax’s record-breaking fine show, if you’re not staying on top of the rising cybersecurity table stakes, law makers and regulators may try to kick you off the table.