5 Compliance Lessons Learned from the Equifax Breach
Published September 13, 2017 by Karen Walsh • 3 min read
As consumers reel from news of another major identity theft incident, businesses look for lessons learned from the Equifax breach. According to CNBC, 143 million consumers were affected by the breach. The irony is lost on no one: the data breach that will lead to identity theft was perpetrated against the company responsible for helping monitor identity theft. Five main compliance lessons learned from the Equifax breach should help companies regroup.
Lesson 1: Use the Buddy System Wisely
Since the breach, everyone has been pointing fingers. First, Equifax pointed fingers at Apache. Then Apache pointed right back at Equifax.
Equifax argues that the Apache vulnerability was in the code for years. Apache points out that there’s a difference between known vulnerabilities and zero-day exploits. Even if the vulnerability existed for nine years, Apache may not have known about it and therefore may not be liable for the risk.
Imagine that Equifax and Apache Struts are in a Kindergarten classroom together. They both want to build with the classroom LEGO blocks. Apache Struts starts the foundation of the house but unknowingly leaves a weakness in one of the walls. Equifax builds on top of that and when the blocks come tumbling down, Equifax doesn’t want to clean up before playtime is over.
Regardless of who caused the mess, it needs to be cleaned up because walking across a floor covered in LEGO bricks is going to hurt.
Lesson 2: Patch, Patch, and Patch Again
Equifax argues that it was breached in May 2017, but there are two sets of code that could be involved. One was fixed in March 2017 and the other was announced only in September 2017.
If it turns out that the exploited code comes from the March 2017 vulnerability that Apache fixed, Equifax is going to be in the same boat as many others before it. An unpatched vulnerability led to a breach that could have been prevented.
Lesson 3: Don’t Let Your Business Card End Your Business
With hundreds of patches being released each month, businesses feel they’re set up for failure. The more software you use, the greater your risk of missing an important security update.
Managing this risk means understanding what needs to be done immediately and what can wait. The malicious attackers used a back door to gain entry to the Equifax information.
Consumer websites pose greater risks than most businesses recognize. While most organizations see them as digital business cards, hackers see them as entryways. Non-ecommerce websites are the perfect access point to an organization’s database precisely because they seem innocuous. Since many companies have never required a security audit of their website, they do not appropriately calculate the risk their corporate website exposes them to.
When risk-rating your assets, it’s important to look at even the least suspected areas. If you would lock the windows on the second floor of your house because they still pose a risk of robbery, then lock down that corporate website, too.
Lesson 4: Insurance is Not Invulnerability
Why is Equifax trying to point fingers at Apache Struts and vice versa? Because this breach is going to be expensive. So very expensive.
Equifax has already noted that despite carrying cyber-insurance, they aren’t sure if their property and business interruption coverage will be able to compensate those affected. Moreover, given the litigious nature of society, lawsuits have already started trickling in.
Carrying cyber-insurance can help defray the costs of a breach. Protecting your business with cyber insurance is becoming a necessity, but you also need to recognize the limitations of that coverage.
Lesson 5: Documentation of Compliance Can Save Your Business
One of the most important lessons learned from the Equifax breach is that compliance starts and ends with strong documentation. As Equifax scrambles to hire a forensic firm and locate the cause of the breach, documentation is going to be key to determining their liability. Being able to trace processes and controls can save an organization from going bankrupt or from incurring reputational damage that could end the business.
In the current climate, businesses will be breached. Being able to prove that you not only followed best practices but also constantly monitored your landscape may help mitigate liability.
In larger organizations, the documentation is harder to consolidate. With information spread across departments that use different applications, having a single source of truth that removes compliance gaps can be the difference between keeping your databases safe and becoming the next Equifax.
Automation not only consolidates data, but it creates accountability. When organizations can show that they were working hard to protect their consumers, they gain the trust that allows them to continue to do business.
For more information about how automation can help you protect your organization, read our eBook, “Insider’s Guide to Compliance: How To Get Compliant and Stay Agile.”