Another major data breach at an American company worth billions of dollars has served to heighten cyber security concerns in businesses of many sizes in many countries. Equifax announced in September 2017 that a massive theft of data from their system had occurred. The failures of Equifax's cybersecurity team resulted in hackers obtaining the personal information of over one hundred and forty-five million of the people whose credit history Equifax tracked.
The Fallout After The Equifax Announcement
The potential economic consequences of that breach for those people are enormous. As more information about the intrusion becomes public, though, the more significant question becomes how this attack was allowed to happen.
It appears Equifax fell victim to two of the most frequent failures of cybersecurity, along with a few other more complex ones:
1. They failed to update their systems as frequently as they should have.
2. They neglected to strengthen their human firewall.
In light of these failures, their Chief Information Security Officer resigned, as did the CEO. Experts have seriously questioned whether Equifax had devoted the resources it needed to prevent attacks like this, and the breach raises the question of liability for board members and executives at the company going forward.
The Equifax breach occurred through a known vulnerability in part of a web software package called Apache Struts. The United States State Department had notified companies of the Apache Struts vulnerability in early March 2017. This information was sent to Equifax’s information technology team, but there was insufficient follow-through. The actual hack occurred almost two months after Equifax received notification of the vulnerability in a system they used, and it continued undetected for another two and a half months.
Equifax’s human firewall failed due to their inability to put appropriate resources into information security and because they were unable to build redundancies into their system. Equifax's former CEO has attributed the breach to a single employee who failed to heed security warnings and forward vital information to other employees. In an adequately built system, no single employee should ever be able to cause a breach of this magnitude. Additionally, the security software used by Equifax failed to catch the known vulnerability.
Consider that, according to a 2017 study from Spiceworks, 14% of business laptops and desktops are still running Windows XP, an operating system that was replaced by Windows 7 and then stopped receiving support or updates of any kind in 2014. IT pros have cited no immediate need, lack of time, and budget constraints as reasons for sticking with their current OS instead of upgrading to the latest and greatest.
As is becoming standard, the breach has led to massive stock price drops, resignations, and congressional hearings. In the period following the breach’s announcement, Equifax's stock dropped by approximately 30%, causing the company to lose more than three and a half billion dollars in value. These losses already make the Equifax breach one of the most expensive in this new cybersecurity era.
Charlie E. Bernier, Principal Consultant and Cyber Insurance Expert at ECBM, says, "The days of a hope-and-pray strategy for managing information security no longer exist for businesses that want to survive. There are billions of dollars on the line." Your competition will just need to be available to catch the patrons that leave or avoid your business due to the damaged reputation of your company. Charlie recommends that "successful companies will invest in mitigating against potential losses now, as it's as important as any other measures they take for business longevity and success."