Two years on from its massive data breach, Equifax still serves as a cautionary tale for the enterprise to start paying attention to their cybersecurity systems. In 2017, the credit report giant found that cyber-criminals gained access to corporate data, such as customers’ Social Security numbers, birth dates and addresses, during the incident. A large number of UK and Canadian customers were also affected. Although the breach occurred over two years ago, we have only recently been able to unearth what really went on. So, two years later, what lessons have been learnt from the breach?
The Equifax breach, like all major data breaches, was not caused by any single determining factor. Rather, it was the result of an amalgamation of poor security hygiene and costly mistakes. The Equifax data breach saw hackers active on its network for 76 days before the organisation realised, affecting as many as 147 million consumers from the US, Canada and the UK.
Equifax is now liable to compensate the affected customers with US$125 each, or free credit monitoring – however, this is meant to come out of a US$31 million fund. This means that if all 147 million customers chose to be compensated, each customer would only receive 21 cents as compensation for having their data leaked. The breach has also resulted in Equifax spending $1.4 billion to try to fix its security.
Why are we still using passwords?
While the company reported that the attackers gained access to this data by exploiting a “website application vulnerability”, it provided no further information until it was revealed that Equifax’s staff had used the default username and password “admin” to protect the sensitive information that was accessed by the hackers. This is not an isolated incident – large companies often use passwords as the gatekeeper for their data, when a more robust approach is necessary. The class-action lawsuit the company currently finds itself in ultimately led to the rehashing of conversations in the cybersecurity realm about the organisation’s lack of attention to its data security approach.
Passwords are the scourge of the cybersecurity sector – they need to be eliminated entirely. Passwords are ingrained in our society because they’ve been around for over 60 years, but this doesn’t mean it’s the safest way to secure our digital lives. According to Verizon’s Data Breach Investigation Report, stolen user credentials are still responsible for 80 per cent of hacking-related data breaches. The onus is on the technology industry and the enterprise to work together to drive security forward by replacing passwords with new capabilities such as zero sign-on, software and hardware tokens, behavioural analysis and biometrics.
While poor passwords can’t be blamed entirely for the Equifax data breach, they were one of the many mistakes that led to it. Killing the password once and for all is one of the only ways we can ensure breaches such as Equifax don’t repeat themselves in the future.
Time to forget about trust
Perhaps the most pressing concern raised by the Equifax data breach was just how vulnerable the modern enterprise network is. Modern work takes place in a mobile-cloud environment, outside the traditional security controls designed to protect the network perimeter. In order to adapt and protect sensitive information in today’s working environment, organisations must move to adopt a zero-trust approach.
Zero trust is a security concept based on the belief that organisations should not automatically trust anything, whether inside or outside their perimeter. It assumes that everything trying to connect to an organisation’s network has been compromised, and thus must be verified. Before granting a user access to corporate resources, it seeks to validate the device, establish user context and verify the network.
A zero-trust approach responds to this security flaw by allowing access to data and resources only after a series of verifications focused on identity, the device used, data access permissions and gateway. These factors are used to verify every device that attempts to join the organisation’s network, creating an environment that protects sensitive data from both internal and external threats. It is the only way to ensure organisations can detect and remediate the type of threat vectors that had such a severe impact in the Equifax case.
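To make the four verifications above concrete, here is an added illustration (not code from the original article or from MobileIron) of an access decision that checks identity, device, permissions and gateway on every request. All role names, resource names, gateway names and sample requests are constructed; the point is that a request from inside the corporate network is refused just as readily as one from the internet when any check fails.

```python
"""Zero-trust access decision: each request is checked on identity, device,
permissions and gateway, and network location alone never grants access.
Added illustration; every name and sample value below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    mfa_verified: bool        # identity: did the user complete MFA for this session?
    device_managed: bool      # device: enrolled in device management?
    device_compliant: bool    # device: posture check passed (assumed: patched, encrypted)
    network: str              # "corporate" or "internet"
    resource: str             # resource being requested
    roles: frozenset = field(default_factory=frozenset)


# Constructed entitlement policy: which roles may reach which resource.
RESOURCE_ROLES = {
    "credit-reports": {"analyst", "fraud-ops"},
    "hr-payroll": {"hr"},
}

# Constructed gateway policy: which gateways may front a request from each network.
# Internet-originated traffic must arrive through the access proxy.
ALLOWED_GATEWAYS = {
    "corporate": {"internal-gw", "access-proxy"},
    "internet": {"access-proxy"},
}


def evaluate(req: Request, gateway: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Deny by default: every check must pass,
    and an unknown resource or network entitles nobody."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity: MFA not verified")
    if not (req.device_managed and req.device_compliant):
        reasons.append("device: unmanaged or non-compliant")
    if not (RESOURCE_ROLES.get(req.resource, set()) & req.roles):
        reasons.append("permissions: role not entitled to resource")
    if gateway not in ALLOWED_GATEWAYS.get(req.network, set()):
        reasons.append("gateway: not permitted for this network")
    return (not reasons, reasons)


# Constructed samples: an insider on the corporate LAN with an unmanaged laptop,
# and a remote analyst on a compliant managed device via the access proxy.
INSIDER = Request("jdoe", True, False, False, "corporate", "credit-reports", frozenset({"analyst"}))
REMOTE = Request("asmith", True, True, True, "internet", "credit-reports", frozenset({"analyst"}))
```

Being on the corporate network does not rescue `INSIDER`: the failed device check denies the request, while `REMOTE` is admitted from the internet because all four checks pass.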
Education is key
Humans suck at security and we aren’t going to get any better. With the cybersecurity space constantly advancing, employees need to be up to date on the latest security protocols. In another of the year’s big cybersecurity stories, Capital One fell victim to one of the most dangerous data breaches ever, when one hacker got access to over 100 million Capital One credit card applications and accounts. Most alarmingly of all, it was an inside job. Companies are accustomed to protecting against outside threats that target sensitive personal data, but they fall short when it comes to protecting against internal threats. By keeping all employees up to date on the latest security standards, companies can ensure a firm security posture and, hopefully, we’ll start to suck a little less.
Brian Foster, SVP Product Management, MobileIron