
Equifax Data Breach Settlement is a Warning Shot to Businesses Everywhere

Brian Thomas | July 26, 2019

The summer of 2019 is proving to be a cybersecurity record breaker – for all the wrong reasons. In the past two weeks, businesses in Europe and the U.S. were levied massive penalties after probes into data breaches that left consumer data exposed.

The record setting began in early July when fines were imposed on British Airways and Marriott International for non-compliance with the European Union’s (EU) General Data Protection Regulation (GDPR) data privacy requirements following breaches reported in 2018.

That record didn’t hold for long. This week, credit reporting giant Equifax felt the wrath of state and federal investigators. Following probes into its massive 2017 data breach — which resulted in the compromise of personal information, including Social Security numbers, of 143 million Americans — Equifax agreed to pay up to $700 million in fines and reparations. That’s almost three times the fine imposed by GDPR regulators on Marriott and British Airways combined.

Nearly two thirds of breaches follow the Equifax pattern

Perhaps the biggest takeaway from the Equifax breach is that it could have been mitigated. Hackers are increasingly sophisticated, but they also prey on sitting targets who fail to maintain proper security hygiene and the most elementary security protections. As Wired magazine reports, a known vulnerability in the company’s Apache Struts web application software proved to be an easy exploit for hackers. While a fix had been available for months, Equifax had not yet patched its systems, which is all too common for organizations (as BitSight has observed recently with organizations failing to address the BlueKeep vulnerability, for example).

Security remains a critical business oversight

Equifax is certainly not alone in its slow patching. Today 60% of companies are breached as a result of an unpatched vulnerability.

Vulnerabilities aside, what unites these breaches is that no one is paying attention to the strategic risk that a company’s security posture poses. This is particularly true of the C-suite and boardroom, where security is often overlooked until a breach occurs. Then, when words like “inept” and “negligent” are uttered, executives begin to take notice because they understand the impact on their organizations’ reputation and credibility.

But if businesses won’t regulate themselves, governments and policy makers are happy to step in. That’s why Europe has GDPR and U.S. states like California and Ohio are following suit with their own data privacy laws. Meanwhile, the Washington Post reported that federal U.S. policy makers are increasingly questioning whether “only through tough, new federal laws would Equifax and other companies truly improve their digital defenses.”

The table stakes are high

Understanding the risk and exposure your company faces must be at the forefront of strategic discussions and planning. The challenge for many organizations is that they lack visibility into the true nature of risk – in their own operations, across their third-party vendors and supply chains, and even in M&A targets. How do you remediate a risk you can’t see?

As the costs of cyberattacks skyrocket, traditional manual risk assessments are falling short. A better approach would be to implement a data-driven and dynamic measurement of your organization’s cybersecurity performance using tools like security ratings.

Security ratings automatically monitor the security status of your organization, third-party vendors and suppliers, and even acquisition targets for vulnerabilities and risk vectors on a continuous and global basis. With insight into security liabilities, risky user behavior, security diligence such as patching cadence, and even compromised systems, you can take the right steps towards reducing risk.

Now’s the time to proactively identify, quantify, and manage cybersecurity risk throughout your ecosystem. As GDPR and now Equifax’s record-breaking fine show, if you’re not staying on top of the rising cybersecurity table stakes, lawmakers and regulators may try to kick you off the table.
