Companies across the world will have a lot to learn about the handling of a major cyber attack following the Equifax data breach. With 145 million Americans affected and reports of execs selling off stock before announcing the breach to the public, it’s safe to say that Equifax’s reputation has been damaged significantly.
There is a period for analysis after the initial panic that comes with a major breach. However, there is still much to emerge from the Equifax breach. This is a huge opportunity for companies to watch closely, and evaluate the best course of action, should they find themselves in a similar position.
The news is likely to get much worse, as it almost always does. This will likely lead to some of the most high-profile post-breach legal action of all time due to the fact that entire identities have been stolen. Equifax must represent a step-change in breach mitigation and companies will need to begin to consider new ways to handle their security. It is likely that any organisation could experience a failure like this, and failure must be used as a step towards improving and ultimately, succeeding.
The situation so far…
Before we begin to look at best practice in the wake of a large-scale breach, it’s important to consider what we already know about the Equifax breach.
• Equifax identified unauthorised access to its systems on 29th July.
• They followed this up by hiring a forensics firm to investigate; that investigation is still ongoing.
• About 145 million Americans and nearly 700,000 UK citizens have been affected.
• Around 209,000 US consumers’ credit card numbers were jeopardised.
• Equifax claims that hackers were able to exploit an application vulnerability.
• An employee in Argentina had used admin/admin as the username and password for a tool.
The information stolen – social security numbers, birth dates, address histories and legal names – will allow criminals to commit identity theft, and unlike in the case of bank detail theft, this information cannot simply be changed.
Lessons to learn
A company’s ability to detect an attack is one of the most important factors to judge its security posture and team on. Based on the evidence already available from the Equifax breach, it’s clear that they didn’t have the appropriate processes in place to catch the attackers.
It’s often the case in incident response that companies have numerous tools in place to prevent and detect attacks, but still have a gap between the capabilities of these tools and the ability to use them in an efficient, joined-up way. This can happen for a variety of reasons, including lack of proper staffing, ineffective training, small security budgets and tools which haven’t been configured properly. This can often be the result of poor executive leadership and a lack of understanding regarding the requirements of risk management.
Security teams need to look at and comprehend vast amounts of information. Corporate systems generate a huge amount of information that organisations can utilise to protect their networks and data, but only if the tools are configured and optimised in the correct way.
Then the individuals who are tasked with the monitoring need to be able to properly correlate the alerts they are examining with human activity: what do these alerts really mean? If this cannot be done at speed and scale, then any defence against an attacker will be useless.
Convergence is key
As in the case of Equifax, any large-scale breach which has a major impact on society and many complex moving parts will likely end up in a legal battle. Disputes over who is responsible for keeping the data protected, and over the degree of negligence, are all likely to lead to litigation. The loss of entire identities will only add fuel to the fire and increase the chances of long and painful court proceedings.
The questions companies should be asking themselves are these: how can they defend themselves in court after data has been stolen if it cannot be proven that they have taken the necessary steps to protect that data? How can an efficient investigation or incident response plan be carried out if there is an insufficient understanding of the kind of information housed by an organisation or even where that information is located? Finally, how can an organisation have control of the conversation in the aftermath of a breach when it emerges that the issue was there for longer and has had a worse impact than initially imagined?
This is why companies must move towards a more converged approach, and Equifax is the perfect example of how many professional disciplines have converged in a way that means it is difficult to determine where one begins and another ends. Areas of specialisation such as eDiscovery, digital forensic investigation and information governance are now so closely associated with the concept of cybersecurity that it is harder to justify distinguishing them as separate and distinct areas of focus.
The road ahead
There is still a lot of work to be done to encourage organisations to blend information governance with cyber security. Whilst the prospect of legislative repercussions from GDPR is making a difference, it is a huge opportunity for firms across every industry to try to form a competitive edge as the firm that is secure and knows where all its data is.
Organisations should take a step back and become a ‘good shepherd’ of their data. This means protecting what you have and focusing security efforts. It’s imperative to know exactly what data you are dealing with and where it is. This helps organisations better protect themselves as they are able to distinguish between high and low priority data, and put the appropriate protections in place.
Not only this, but information governance also has positive implications for post-breach litigation. If a breach leads to court proceedings, it is vital to be able to demonstrate that the stolen data was adequately protected.
In an ideal world, information governance and knowing where key data lies will help security teams to make better security decisions as well as being prepared for strict regulations such as GDPR.
However, there is still a long way to go before organisations across the board are implementing information governance best practices. So, until then, breaches are still likely to result in massive cost and reputational damage, huge investigations, litigation and, in extreme cases, criminal action.
Sourced by Stuart Clarke, chief technology officer, Nuix