In Equifax data breach, three hard lessons in risk

Equifax Security Breach CEO Richard Smith
REUTERS/Kevin Lamarque

How much security risk can an organization accept before it’s on very thin ice? The equation is simple: decide how much money it will take to reduce the risk, and how much more money an organization will earn by accepting that risk. Equifax presumably decided that accepting a large amount of risk, in hopes of making a larger amount of money, was a good gamble. In the case of the massive data breach, Equifax lost that gamble badly.

As we now know, the most amazing thing about this utter disaster is that it didn’t need to happen. The breach was completely avoidable. Equifax was compromised through a vulnerability that was discovered and fixed by the vendor months before it was exploited at the company. The solution was a simple security patch. There are three key lessons from a risk perspective that any CISO, CIO or CFO should have seen coming on this breach.

Too risky to patch

Why was the Apache Struts patch not scheduled to be applied? I’ll wager the answer was that business leaders decided the patch was too risky to apply. Even simple patches require people, resources and time to integrate, test and deploy. There is always a risk a patch could take a system off line which of course could mean a loss in revenue and an increase in operating costs. I would further wager Equifax management will fall back on an excuse to “pass the risk on to the business.” In this well-worn play executives allow each business unit to determine what risk is acceptable to them which eventually turns into “the risk of not meeting targets” versus “the risk of applying the right level of security.” From financial institutions to healthcare, I hear echoes of this same idea first hand. The pain of missing a bonus or a  goal is far higher than the intangible risk of being breached. No one is taking the big picture view on risk.

There is an irony here that cannot be ignored. Over $75 billion was spent worldwide last year on security products and services, yet breaches keep happening. It does not matter what tools you have If you don’t take the time to understand what risks are involved in running systems that manage massive amounts of sensitive consumer data. For too long, organizations have whittled away at prudent security protocols (like testing, implementing, and monitoring) because they believe the steps will take a chunk out of revenue. Equifax is a perfect case study for this problem: The company had great revenue growth while keeping operating margins almost exactly the same between Q1 2016 and Q1 2017. Yet in the past year, organizations have been hit with some of the most devastating cyber-attacks we’ve ever seen, including ransomware attacks. When a company’s operating margins stay the same, how are they able to beef up their security? The answer is, they probably haven’t.  

Risk over governance

In addition to a failure of risk management, we also have a failure of process (not to mention ethics). Consider that three executives sold Equifax stock after the breach was detected, but before it was made public. Either the executives in question (including the CFO) knew about the breach and sold their stock believing it would eventually tank, or they really didn’t know about it. If they didn’t know about such a serious breach, then the breach escalation process within the company was broken. That is a failure of leadership. If there was a breach escalation process and it wasn’t followed, it’s still a failure of leadership. If there was a breach escalation process, and it was followed, then the sale of stock based on insider knowledge is just plain criminal.

What type of organizational culture would permit the idea of not escalating a breach of customers’ sensitive personal and financial information on to senior management? But the questionable behavior continued; Equifax continued to denigrate their brand and customer trust by appearing amateurish in their attempts to remedy the hack.  In what looked to security experts like an after hack phishing attempt, the company recommended customers visit another domain to check if they had been exposed (presumably because they didn’t want traffic going to their domain). Further, the site didn’t provide consistent information to consumers before it offered Equifax’s own service to monitor credit. It seems that there were several failures of judgement and governance both leading to and following the breach, enough that the Department of Justice has already opened a criminal probe into the incident.

Risky motives

While financial profit from the sale of sensitive data is a simple primary motive, what it if is not? We do not yet know who launched the attack. There’s been speculation that this was a nation-state attack – if that’s true, then I believe it could be part of a larger attack on the United States. I’ve believe that the only way anyone will go to war with the United States is by covertly attacking the principles that make up the country. 

Last year it was an attack on the electoral system – perhaps not directly through manipulating vote counts, but through propaganda and undermining confidence in free and fair elections. This year, there’s been an attack on the American credit system. At the moment, all of the major credit bureaus are fielding so many requests for credit “freezes” that they can’t handle the volume. A flood of credit freeze requests is equal to an attack on the credit system, since this country runs on credit. With credit freezes in place, impulse purchases may slow down, thereby slowing economic growth.

If bad actors feel comfortable tinkering with elections, and now the U.S. credit system, what will be the third leg in the stool? Wiping out the power grid? Cutting off the water supply? The real danger of such attacks – not to mention the day-to-day attacks, even limited ones, that can wreak havoc with a business –  is to fuel the paranoia and anxiety growing in the country with a goal of denigrating trust in the systems that make America what it is. This injects a third, more serious kind of risk into the equation, the risk of undermining our economy, our elections, or our resources.

As the story of this breach unfolds, it has the potential to have as significant an impact on cyber security and risk practices as Enron did on financial and disclosure practices. Will America adopt legislation similar to Europe’s impending GDPR to tip the scales in favor of consumer privacy?

Epilogue – secondary risks

The shakeout of this event is already palpable. Just this week, Experian, another of the big three credit agencies has been sucked into the vortex of this breach. The company, which also offers credit scoring and monitoring offers consumers a service to “freeze” their credit against applications for new lines of credit. Unfortunately, their “pin recovery” process can be completed with the very information that was breached in the Equifax hack. If you find that both puzzling and dismaying, then you are truly grasping both the gravity and the downstream effects of this breach on consumers.

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)