All of these authorities form an incomplete patchwork that means that even in the egregious situation we find in the Equifax breach, in which so many consumers are affected and it seems likely that the security practices of the company were insufficient, there may not be direct liability for failing to provide a basic level of security for consumers.
A week after it was announced, the whole world is still buzzing about the breach of Equifax that compromised sensitive data of 143 million Americans between May and July of this year and the damning fact that Equifax insiders had a chance to dump their stock and avoid inevitable losses before last week's disclosure. Equifax has responded slowly, inadequately, and often ham-handedly.
Equifax seemingly intended to follow the basic crisis communication playbook and go one better than the companies and other organizations that have lost large sets of personally identifiable information (PII) in the past, by offering "free" identity monitoring to all consumers (not just those affected) for a period of time. Unfortunately, many have figured out that those services are backward-looking and do nothing to prevent identity theft. (Try a security freeze instead.)
While there is a tendency to think that data breaches happen all the time and are not that big a deal, this breach is not business as usual and consumers should not be complacent about it. There is a great deal to unpack here, but let's start with what is immediately actionable. I will follow up with posts on the policy implications of the breach, color commentary, and the lessons we have hopefully learned from this episode, but for right now:
What should you do?
Unfortunately, Equifax's most direct, consumer-facing response, offering identity monitoring, fails to provide protection commensurate with the threat. Identity monitoring is backward-looking: it tells you about a fraudulent account after it has been opened rather than preventing it. In this case the offer is also a form of self-dealing. TrustedID, the identity monitoring service Equifax has offered consumers, belongs to Equifax. Even though Equifax offers you that service for free, you will have to give Equifax, a company that monetizes information about you, more information about you in order to enroll. Even if you never pay them any money, Equifax's currency is data and you will pay them in the coin of their realm.
The right way to protect yourself from identity theft before it happens is to freeze your credit file with all four credit bureaus (links: Equifax, Experian, TransUnion, and Innovis). (This will be hard with Equifax, whose website is still oversubscribed. For those who don't know, Innovis is a lesser-known bureau, but it keeps a similar set of information about you, so freeze at all four companies.) Keep the PIN each bureau gives you; you will need it to lift the freeze temporarily when you apply for credit. A freeze blocks new accounts from being opened in your name; it does not stop misuse of accounts you already have, so keep reviewing your statements. Equifax is now waiving the fee for freezing your credit with them. Why is that not what Equifax offered immediately? And why doesn't Equifax offer to pay the fee at the other credit bureaus, since a freeze at Equifax alone won't offer anything resembling comprehensive protection to consumers? Because the bureaus make money from the easy and unrestricted ability to sell and market with your information. Freezing your credit, and opting out of the bureaus' sharing of your information with marketers (the ones who send you all those pre-approved credit card offers), cuts into the bureaus' bottom lines and business models. They will only be dragged kicking and screaming into making this easy and obvious to Americans. So you can understand why they do not want you to get a freeze or opt out, and you now know why it is entirely in your interest to do both.
That's a good start for what you might want to do. I doubt that I've offered more or better advice than many other commentators but this advice needs the broadest possible distribution so here it is. Feel free to share widely. I'll be back in the next days with additional thoughts about Equifax, breaches, privacy, and cybersecurity.
A recent post on cybersecurity got me thinking about how many organizations approach protecting their networks. Citing the old counterterrorism adage (adapted for cybersecurity) that "[t]he attacker only has to be right once, we have to be right every time," the author accurately asserts that cybersecurity is part of everyone's responsibility in the organization. It is valid to conclude that an active, engaged training program connecting cybersecurity to employees' everyday responsibilities prevents many attacks from succeeding.
I have a significant concern with one premise of the argument, however: that the story is over once an attacker is in your network. Instead, organizations need to adopt an approach to cybersecurity in which an incident is never the end of the story. While every cybersecurity professional will agree with the goal of keeping attackers out of our systems entirely, in reality, no matter how good your measures of protection and the training of your staff, some attacks will succeed. The time to take action is before the successful attack happens. Planning for the successful attack isn't defeatist, it is essential.
So what does planning for a successful attack actually mean? One oft-discussed aspect is defense-in-depth: building a network in which one stolen set of credentials will not open the entire system to compromise. Such a defensive set of procedures is part of the answer. But defense-in-depth merely adds layers to the same perimeter defenses that, in this scenario, we are already assuming have failed.
Turning the paradigm on its head, how do you handle an attack that has circumvented the full scope of network defense that your organization has put in place? At that point, the resilience of your information systems will determine the success or failure of your cybersecurity policy. Here are some building blocks for increasing resilience:
- Encryption of stored data, using a mode that also authenticates it, so that an exfiltrated copy is unreadable and you can verify that the copy on your servers or in your backup has not been altered.
- Backup systems that allow you to roll systems back to their pre-attack state, kept where an attacker who controls the network cannot alter or delete them, combined with imaging of endpoints so that you can move to replacement equipment with minimal time off-line.
- Drills that exercise these capabilities, so that you know how to use them and your personnel can operate in a compromised environment and run the recovery tools you have put in place.
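The first building block, encryption that also lets you verify a stored copy, as an added example in Go (not code from the original post): a backup record is sealed with AES-256-GCM, and opening the copy later fails outright if any byte of it, or the label it was filed under, has changed. The key, label and sample record are constructed for the demonstration; in practice the key would come from a KMS or HSM rather than source code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealBackup encrypts and authenticates a backup blob with AES-256-GCM.
// The random 12-byte nonce is prefixed to the output; the 16-byte GCM tag
// that Seal appends is what later proves the copy has not been altered.
// label is authenticated but not encrypted (e.g. the backup's name and
// date), so a valid ciphertext cannot be silently swapped into another slot.
func sealBackup(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce passed as dst.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// openBackup checks the tag and decrypts. Any change to the nonce, the
// ciphertext, the tag or the label yields an error and no plaintext, which
// is the integrity check the bullet above describes.
func openBackup(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, label)
}

// verifyBackup reports whether a stored copy still authenticates under the
// key and label it was sealed with, without handing out the plaintext.
func verifyBackup(key, sealed, label []byte) bool {
	_, err := openBackup(key, sealed, label)
	return err == nil
}

func main() {
	// Constructed demo key (32 bytes => AES-256); never embed a real key.
	key := []byte("0123456789abcdef0123456789abcdef")
	label := []byte("customers-2017-09-08.db")        // hypothetical backup name
	record := []byte("name=J. Doe;ssn=123-45-6789")   // constructed sample row

	sealed, err := sealBackup(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored copy authenticates:", verifyBackup(key, sealed, label))

	// Simulate an attacker flipping one bit in the stored copy.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	fmt.Println("tampered copy authenticates:", verifyBackup(key, tampered, label))

	// Simulate a genuine backup being restored under the wrong label.
	fmt.Println("mislabelled copy authenticates:", verifyBackup(key, sealed, []byte("other.db")))
}
```

Run it and the first line prints true, the other two false. The point for resilience planning is the second and third lines: a tampered or misfiled copy is rejected before anything is restored from it, rather than discovered after it has been put back into production. Plain encryption without authentication (for example AES in CBC mode with no MAC) would not give you that check.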
When implementing resilient cybersecurity practices, the devil is in the details, because adopting approaches like these requires time and expense:
- Perhaps your organization has already put some of these processes in place with mixed results.
- One or more of these approaches may hamper your organizational workflow by slowing your employees down.
- Regulatory constraints may limit your organization's ability to implement certain types of security practices.
Can you determine the resilience of your current cybersecurity approach? How can your current cybersecurity budget best be deployed to ensure a quick recovery from a successful attack? The Foresight Information Audit is one way of starting the planning process for a more resilient system. Click here to learn more about the Foresight Information Audit.
Do you have examples of how your organization has improved its cyber resilience? Share your stories and questions in the comments below.
There are as many approaches to giving advice on cybersecurity as there are cybersecurity consultants. Fundamentally, there is a theme almost all approaches share: cybersecurity problems boil down to getting basic things, often collectively referred to as cyber hygiene, right.
Doing basic things right is great advice but you still have to figure out how to do those things in your organization. That is not so simple. A number of questions immediately arise:
- What do I tackle first?
- How do I know that what I do now will stay done next month/quarter/year?
- How much will it cost?
Doing basic things right also has to integrate with everything you have already done to ensure cybersecurity, much of which may be running in the background. And changes cannot interrupt your organization's workflow, since that workflow is what your organization is actually in the business of doing. So, from feeling overwhelmed about cybersecurity to realizing there is a discrete list of basic things to do, we have quickly come full circle to a place where you are feeling overwhelmed again.
In order to take control of this vicious cycle, you need to get a handle on your organization's cybersecurity posture and develop a target profile for where you need to be.
- Grasp the costs to your organization in the event of a cyber "bad day" and the likelihood of that day arriving, so you can prioritize protection and resilience activities on a proactive rather than a reactive basis.
- Analyze potential solutions to measure what risk reduction you're getting for those prioritized protection and resilience activities.
- Measure the benefit and maintain those metrics to see improvement over time as you adapt to changed circumstances in your business environment, human resources, and the broader cybersecurity environment.
Cybersecurity is not just about buying another IT system or software package but about taking the time to make sure you are focusing on your outcomes and determining how you can manage the uncertainty that may undermine them in your organization.
When you are ready to take the next step in your cybersecurity approach, contact us.