Last week, Equifax informed consumers that a breach had affected the sensitive financial data of as many as 143 million Americans. Others in the U.K. and Canada were also impacted, but Equifax hasn’t said how many. Credit card numbers for about 209,000 U.S. customers were compromised, in addition to “personal identifying information” on about 182,000 U.S. customers. This breach now stands as one of the largest on record.
So, is this a surprise? The average consumer is now familiar with security (or the lack thereof). Breaches appear on the nightly news and, as a consequence, consumers are more “security aware” today than ever before. Not only is there a heightened awareness level among consumers, but because of the particularly sensitive and financial nature of the data held by Equifax, there is also a greater risk of potential harm to consumers as it relates to the finances of those who’ve been affected — and that’s a lot of people. Several federal and state agencies are investigating the incident, and consumer advocacy groups are rushing to lay blame and preparing to sue Equifax, whose notification and response plan, to date, has been less than ideal. But since Equifax has reported that the breach came from the exploitation of a Web application vulnerability, it’s a good time, even without the specifics, to pause and reflect on what we can already learn from this breach before we know the full details.
Over the course of the last few years, innovation in technology has truly accelerated at a breakneck pace, introducing a more complex and rapidly evolving ecosystem to protect and far more data than has ever been managed before. More and more applications and transactions happen over the Web, the cloud is completely changing our notion of a “perimeter” around which we can build protective walls, worker mobility is redefining the IT landscape and personal employee devices of “Shadow IT” are now becoming enterprise IT.
Security isn’t necessarily about security in the normal sense. It’s about mitigating risk at some cost, and it can be expensive! This means that in the absence of metrics, we tend to focus on risks that are familiar or recent. Unfortunately, that means we are often reactive rather than proactive, so it becomes very important to understand how data, people, and location weave together to create patterns — good and bad — across and within your organization. Only by understanding the data you hold can you effectively protect it! Monitoring websites and web applications for potential hacks and exploits is now as commonplace as virus scanning. However, the other side of that coin is that this may lead some organizations to rely improperly on their existing scanning technologies. It’s imperative to keep in mind that most costly breaches come from simple failures, not from attacker ingenuity, as appears to have been the case with the Equifax breach. Whether through a web exploit, social engineering or a phishing attack, every company has at least one person who will click on anything, so building a layered approach to security becomes critical when dealing with particularly sensitive data.
In the absence of security education or experience, people (employees, users, and consumers) naturally make poor security decisions with technology. This means that systems need to be easy to use securely and difficult to use insecurely. This is a critical point and probably one of the single largest opportunities for security programs to be revamped. Make it easier for your end users to do the right thing than the wrong thing. Specifically, create policies, rules, and IT controls that make common sense and make it easier for your end users to do their jobs effectively with the systems and controls that you want them to use. Finally, the Federal Trade Commission has offered guidance to individual consumers that will allow them to check whether their personal data may have been compromised as part of the Equifax breach: https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do. Please remember to read the instructions carefully, and don’t just click on anything!
In conclusion, in our data-driven economy we can expect to see a rising flood of security breaches around the world, particularly when it comes to valuable sensitive and personal information. This is because data is money. Privacy is like a series of dams that we try to set up to control what we share with whom. Education, technology, and proper controls can help make sure the “flow” of information is controlled, intentional, purposeful, and thoughtful rather than something that becomes destructive to the greater good. Trust is something that companies must work to establish with consumers every day. Once lost, it is very difficult to regain. Equifax will have a long and expensive journey to recover that trust (its stock price plummeted on news of the breach) — a good thing for other companies to consider as they look to justify their security spending.
Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities.
Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.
LinkedIn: www.linkedin.com/in/danalouisesimberkoff/en
Twitter: http://www.twitter.com/danalouise