The Equifax cybersecurity breach can only be described as mind-boggling. It is believed that 143 million Americans, almost half of the country, were exposed. And the information that was available for the taking is some of the most sensitive and personal there is: names, social security numbers, birth dates, addresses and even driver’s license numbers. Unlike credit card numbers, you just can’t put a “stop” on these personal identifiers, and you wouldn’t want to experience the headaches of trying to change a social security or driver’s license number.
A major loss aggregation service that analyzes damages of international cyber events has determined the economic impact of the Equifax breach to be $125 million, with expectations that it will go much higher. The CEO, CIO and CISO of Equifax were forced to resign. The credit reporting industry is on high alert for attempts by the US government and even major cities to adopt stricter regulatory standards due to the breach such as 23 NYCRR part 500.
People are worried and rightfully so. The Washington Post quoted former Equifax CEO Richard Smith as saying Equifax manages 1200 times the amount of content found in the Library of Congress in Washington, DC. It is not only Americans who should be worried. Equifax has expanded its business to 24 additional countries.
It’s not only that credit companies like Equifax have all of this information, it’s what they do with it as well. They slice and dice it with sophisticated analytics, all in an effort to decide whether to extend credit to nearly one billion people. Credit, obviously, is the fuel that drives the economic engine for most of the world. Credit companies generally seek information to avoid making bad loans. So they’ll use techniques such as machine learning and artificial intelligence to cull and craft data on consumers. They will also mine social media sites like Facebook and Twitter to unearth whatever information they can. All of this gets exposed during a breach.
Take a look at what happened to the shipping giant Maersk as an example of how a cyberattack can grind a company to a halt. You can then imagine the effect on the worldwide economy if a breach on the scale of Equifax were fully exploited. Yet, for a professional in the cybersecurity business, it is becoming more difficult to talk about the extent to which companies, both large and small, are exposed to this type of cyber-crime without being accused of using “scare tactics.”
However, the following should scare all of us. The 2017 State of Cybersecurity Metrics Annual Report outlines the IT security effectiveness of 400 global companies. Using internationally accepted standards for security (as well as best practices from industry experts and professional associations), the report shows:
- 58% of companies fail to measure the effectiveness of their cybersecurity investments and performance against best practices.
- 1 in 3 companies invest in cybersecurity technologies without measuring their value or effectiveness at all.
- 4 out of 5 companies don’t know where their sensitive data is located or how to secure it.
- After a data breach, 64% of the surveyed organizations fail to recover in a timely manner or in a way in line with their disaster recovery plan.
- 8 out of 10 companies fail to ensure that their IT security policies are understood by employees, which puts those organizations at risk of data leakage and internal data breaches.
For individuals who have been compromised or fear that they have been, the immediate actions that should be taken have been spelled out by the US Federal Trade Commission. The first step is to determine if your own personal information was exposed and misused. Equifax has a website dedicated to helping consumers make that determination. As to what consumers can do to protect themselves following a breach, the FTC suggests:
- Check credit reports from Equifax, Experian, and TransUnion by visiting annualcreditreport.com. If you don’t recognize accounts or activity, it could indicate identity theft. They suggest visiting IdentityTheft.gov to find out what to do.
- Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name but won’t prevent a thief from making charges to your existing accounts.
- Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
- If you decide against a credit freeze, the FTC suggests placing a fraud alert on your files. A fraud alert warns creditors that they should verify that anyone seeking credit in your name really is you.
- File your taxes early before a scammer can. Do it as soon as you have the tax information you need. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Also, respond right away to letters from the IRS.
Corporations, especially larger entities, can seek to address their own cyber shortcomings by turning to the International Organization for Standardization (ISO). ISO and the IEC (International Electrotechnical Commission) have a “family” of standards to help organizations keep information assets secure. The National Institute of Standards and Technology (NIST) also provides a framework for “practical cybersecurity and privacy through outreach and effective applications of standards and best practices necessary for the US to adopt cybersecurity capabilities.”
Europe is taking it a step further, developing its own set of regulations known as the EU General Data Protection Regulation (GDPR). Issued a couple of years ago, it is set to be fully operational by May of 2018. It doesn’t matter if the firm is outside or inside the EU: all companies doing business with people in Europe, if they manage, process, monitor or hold records of EU residents, need to comply with GDPR. These regulations were designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
Of course, the pending deadline for compliance has created its share of confusion. The GDPR itself has generated thousands of new job requirements. New positions with new responsibilities will mean new people learning on the job. Many of these new positions will involve people coming in either to prepare an organization or to review one. Many companies will need a new person specifically in charge of data privacy. Organizations will need to perform risk assessments, compliance audits and reports. Companies are being asked to adhere to a new and much more complicated level of regulation that, naturally, has brought turbulence to the EU market. On the bright side, GDPR has created a new mini-economy of three-day conferences that explain or train on the new regulations. But there is a strong worry that the market will lack much of the professional expertise required to pull it all off.
There is no getting around it. In this day and age, all organizations should expect cyber attackers to attempt to breach their security systems, especially those handling Personally Identifiable Information (PII). For companies like Equifax that deal with extremely sensitive information, such as social security numbers, there need to be multiple barriers protecting that information from an attacker, so that the data stays protected even when one of those barriers is breached.
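As an added illustration of the layered protection described above (example code written for this article, not Equifax’s or Cymulate’s own code), the following Python sketch places three independent barriers in front of a stored social security number: the customer records table holds only a keyed HMAC pseudonym rather than the raw value, the raw value lives in a separate vault that releases it only to an authorized role for a stated purpose and writes an audit entry for every attempt, and anything returned is masked by default. Losing the records table alone, or the vault without an authorized role, does not yield usable SSNs. The roles, purposes, key handling and sample customers are constructed assumptions; a real deployment would also encrypt the vault at rest and keep the key in a KMS or HSM.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Assumption: in production this key lives in a KMS/HSM, never beside the
# data it protects. Generated fresh here so the example runs stand-alone.
TOKEN_KEY = secrets.token_bytes(32)


def normalize_ssn(ssn: str) -> str:
    """Accept NNN-NN-NNNN or NNNNNNNNN and return the nine digits."""
    digits = ssn.replace("-", "")
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("SSN must be nine digits, optionally dashed")
    return digits


def ssn_token(ssn: str, key: bytes = TOKEN_KEY) -> str:
    """Barrier 1: keyed pseudonym stored in the records table.

    A plain hash could be brute-forced over the ~10^9 possible SSNs; the
    HMAC key (held elsewhere) is what makes the token useless on its own.
    """
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def mask_ssn(ssn: str) -> str:
    """Barrier 3: default display form shows only the last four digits."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


@dataclass
class PiiVault:
    """Barrier 2: raw values kept apart from customer records and released
    only through an authorized, purpose-bound, audited call."""
    _raw: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    # Constructed policy: which (role, purpose) pairs may consult the vault.
    ALLOWED = frozenset({
        ("fraud_analyst", "identity_verification"),
        ("support_agent", "last4_confirmation"),
    })

    def store(self, ssn: str) -> str:
        token = ssn_token(ssn)
        self._raw[token] = normalize_ssn(ssn)
        return token

    def reveal(self, token: str, actor: str, role: str, purpose: str,
               full: bool = False):
        """Return the masked SSN, the full SSN (fraud analysts only), or
        None. Every attempt is logged, permitted or not."""
        permitted = ((role, purpose) in self.ALLOWED
                     and (not full or role == "fraud_analyst"))
        self.audit_log.append({
            "actor": actor, "role": role, "purpose": purpose,
            "full": full, "token_prefix": token[:8], "permitted": permitted,
        })
        if not permitted or token not in self._raw:
            return None
        raw = self._raw[token]
        return raw if full else mask_ssn(raw)


def build_records():
    """Constructed sample data: the records table keyed by token, and the
    vault holding the raw identifiers. Returns (vault, records)."""
    vault = PiiVault()
    customers = [("123-45-6789", "Ada Example", "Atlanta"),
                 ("987-65-4321", "Bob Sample", "Denver")]
    records = {}
    for ssn, name, city in customers:
        token = vault.store(ssn)
        records[token] = {"name": name, "city": city}  # no SSN here
    return vault, records


def records_leak_ssn(records: dict, ssn: str) -> bool:
    """Check used below: does a dump of the records table expose the SSN?"""
    digits = normalize_ssn(ssn)
    return any(digits in str(row) for row in records.values())


if __name__ == "__main__":
    vault, records = build_records()
    token = ssn_token("123-45-6789")
    print("records table leaks SSN:", records_leak_ssn(records, "123-45-6789"))
    print("support agent sees:", vault.reveal(token, "alice", "support_agent",
                                              "last4_confirmation"))
    print("support agent full:", vault.reveal(token, "alice", "support_agent",
                                              "last4_confirmation", full=True))
    print("fraud analyst full:", vault.reveal(token, "carol", "fraud_analyst",
                                              "identity_verification", full=True))
    print("audit entries:", len(vault.audit_log))
```

The design point is that no single component holds enough to reconstruct the identifiers: the records table has pseudonyms, the key lives in a separate system, and the vault only answers authorized, logged requests. The audit log is what turns an attempted misuse into a detectable event rather than a silent one.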
The bottom line is that all companies, whether ISO certified or GDPR compliant, need to constantly test and review their security posture, see how they look from an attacker’s point of view, and mitigate the vulnerabilities that such testing exposes. Unfortunately, as cases like this one show, companies should also be prepared with a plan for how they will handle a breach, so that they can resolve the issue immediately and protect their customers from cyber attackers.
Eyal Wachsman, Co-founder & CEO of Cymulate
Image Credit: Balefire / Shutterstock