Failure is the best determinant of future success. There are a lot of more inspiring quotes on the subject than this, but the point is the same. To help us all learn from others’ mistakes, periodically I like to take a current event and dig into what we can learn from it.
Enter Mark Begor, the CEO of Equifax, who has the benefit of starting his tenure after the breach that exposed the Social Security numbers, credit card numbers, and other sensitive data of 148 million Americans. Notwithstanding, the Senate Permanent Subcommittee on Investigations was a whipping in the public square. Begor was joined on the hotseat by Marriott International CEO Arne Sorenson, who had to answer for a data breach that compromised the sensitive data of more than 500 million travelers. Senators apparently felt that two U.S. companies losing sensitive information on more than half a billion people was an indication that not enough is being done by either businesses or government to protect consumers.
So, you’re asking yourself, what does this have to do with me? Well, if your business has customers, there are lessons you can learn from the Equifax debacle.
It’s not about the Benjamins. A part of my business is conducting threat assessments for small businesses to help them protect themselves from hacking, cracking, and other cybercrimes. Potential clients often insist they are all set because “we bought high-end network gear, we hired a good company. We’re OK.” It’s not about how much money you have to spend. In 2018, Equifax reported revenue of $3.4 billion. If technology spending were the barometer, companies like Equifax, Marriott, Sony, Anthem, and Target would have been better protected than they ultimately were. What can you do? Don’t take this to mean you don’t need to spend money on technology. New systems have much stronger deterrents and detection. A top-tier network, firewall, and mail system can detect up to 90 percent of phishing, whaling emails, or dangerous incursions and probes into your systems. But that leaves 10 percent at risk. Hackers have to be right only once.
Authenticated users are every company’s biggest risk. Nope. All the money you can throw at tech will not protect you from an authenticated user making a mistake — even a minor one. “Patient zero” in this Equifax pandemic was an employee who did not do their job. This is the source of every single data breach that has ever occurred, by the way. An authenticated employee inside even the most secure network who clicks on something they shouldn’t, goes somewhere they shouldn’t, downloads something they shouldn’t, or fails to properly protect their own access. What can you do? Large companies often do penetration testing — sending test emails to employees to see if they’ll bite on a bad one. There are companies that offer these services — accessible and affordable for small businesses. But you can’t just beat employees up; you also have to train and reward them when they do the right thing.
People and systems need oversight, and the oversight needs oversight. Starwood Hotels, now owned by Marriott, discovered its breach in 2018. It started in 2014. According to Bloomberg Law, Equifax didn’t have a written policy on patching systems until 2015. And as late as the 2017 breach, a backlog of uninstalled patches left other systems vulnerable. As a public company, Equifax is subject to Sarbanes-Oxley audits. These internal reviews did apparently reveal these problems with technology oversight, but the systemic behaviors that left the company exposed were not corrected. Equifax even had a network data inspection system designed to catch errors and intrusions. But that system had been out of commission for 10 months before it was even noticed. Why? Its systems were unpatched. What can you do? This is one place where you can do far better than the giant U.S. corporation. Pay attention. Make cybersecurity as important as physical security, marketing, and sales. Ensure that your information technology staff or independent contractors have a daily/weekly/monthly/quarterly checklist of tasks including patching systems and reviewing error and firewall logs. Those checklists should be reviewed by a management-level staffer. Problems or omissions can’t be ignored or put off.
Ask better questions. Each time Equifax CEOs have been called to Congress, they have struggled to explain how this could possibly happen. Richard Smith, CEO at the time of the breach, told a House hearing last year that some data were encrypted and some weren’t. He talked about “varying levels of security techniques that the team deploys in different environments.” It was obvious to the questioning reps that Smith really didn’t know much about how encryption was deployed. What can you do? You might be just confused. IT companies, cloud service providers, mail providers, and web hosters throw encryption around like it is one thing, and of course you’re getting it. It’s not. You don’t. If you have any personally identifiable information (PII) that you store online or on peripheral devices, or transfer via email or data plans, then you need to ensure it is encrypted both in transit and at rest. If you don’t ask the right questions, you may not get the most complete answers.