TAG Cyber Law Journal

April 2019
A report released by a U.S. Senate committee helped identify cybersecurity lessons that other companies should learn.
By David Hechler
AN AWFUL LOT HAS BEEN WRITTEN about the Equifax data breach over the past year. Can there be anything more to say?
     How about recommendations that executives should follow to avoid finding themselves in the same predicament, which cost many Equifax leaders their jobs? Would that be worth reading?
     In March, the U.S. Senate’s Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations released a report on the 2017 breach, which exposed the personally identifiable information (PII) of 145 million consumers. The report, titled “How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach,” included recommendations for government action, especially legislation, but none at all to help companies avoid the disaster that Equifax stumbled into. It did, however, provide plenty of material from which we have assembled eight recommendations for companies ourselves.

A lot of the big lessons focus on the big picture.

1. AI can’t protect you unless you install it. Artificial intelligence offers great opportunities to enhance your security. But it doesn’t do much good if you don’t get around to installing it. Equifax decided to address some of its vulnerabilities using automated tools, which it intended to have in place by December 2016. They were still on the to-do list when the hackers broke through in May 2017.

2. Receiving tips on vulnerabilities only helps if you know what software you’re running. A lot of information is shared these days. When software vulnerabilities are identified, companies often receive swift warnings, sometimes from multiple sources. But you have to know what software you’re using to take advantage of them. Many companies maintain IT asset inventories; Equifax didn’t have one, even though it was continually growing by acquiring companies and integrating their systems, which made an inventory all the more valuable. As a result, Equifax didn’t know it was running software that had critical vulnerabilities.
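To make the point concrete, here is an added example (not code from the article or from the Senate report) of what an inventory buys you: given an advisory that names a product and an affected version range, a lookup over the inventory tells you which hosts need the patch. The inventory rows, the product names and the advisory are all constructed for illustration and describe no real product or vulnerability. The example also shows the failure mode the article describes: when the product is missing from the inventory entirely, a naive lookup returns an empty list, which looks the same as “not affected.”

```python
"""Added example: match a vulnerability advisory against an IT asset inventory.

All products, versions, hosts and the advisory below are constructed and
hypothetical; they do not refer to any real software or vulnerability.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_min: str   # inclusive: first vulnerable version
    fixed_in: str       # exclusive: this version and later carry the fix


def parse_version(v: str) -> tuple:
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically.
    A plain string comparison would rank '2.3.9' above '2.3.31'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def affected_assets(inventory, advisory):
    """Hosts running the advisory's product inside the affected range."""
    lo = parse_version(advisory.affected_min)
    hi = parse_version(advisory.fixed_in)
    return sorted(
        a.host for a in inventory
        if a.product.lower() == advisory.product.lower()
        and lo <= parse_version(a.version) < hi
    )


def triage(inventory, advisory):
    """Like affected_assets, but distinguishes 'nothing in the inventory runs
    this product' from 'the product is present but already patched'. The first
    case is the dangerous one: it may mean the inventory is incomplete."""
    known = any(a.product.lower() == advisory.product.lower() for a in inventory)
    if not known:
        return ("unknown_product", [])
    hosts = affected_assets(inventory, advisory)
    return ("affected", hosts) if hosts else ("not_affected", [])


# Constructed sample inventory (hypothetical hosts and products).
INVENTORY = [
    Asset("web-01", "example-webframework", "2.3.9"),
    Asset("web-02", "example-webframework", "2.3.31"),
    Asset("web-03", "example-webframework", "2.5.10"),
    Asset("api-01", "example-webframework", "2.3.32"),
    Asset("db-01", "example-dbms", "11.4"),
]

# Constructed sample advisory: versions 2.3.5 up to but excluding 2.3.32.
ADVISORY = Advisory("example-webframework", "2.3.5", "2.3.32")

if __name__ == "__main__":
    status, hosts = triage(INVENTORY, ADVISORY)
    print(status, hosts)
    print(triage(INVENTORY, Advisory("example-cms", "1.0", "1.2")))
```

The `unknown_product` result deserves its own handling in practice: it should trigger a check of whether the inventory is complete, not be filed as “not affected.”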

3. Information is worthless if it doesn’t get to the right people. Lots of Equifax employees had important information. There were meetings during which it could have been communicated. But senior leaders didn’t always show up. And important emails weren’t always forwarded to the people who needed to see them. There were failures of communication, but the larger problem seemed to be a chaotic organizational structure.

4. Patching should be treated as a crucial part of cybersecurity. It seems clear in retrospect that it wasn’t viewed this way at Equifax. The Senate report noted, tellingly, that the chief information officer who oversaw the company’s IT department in 2017 referred to patching as “a lower level responsibility that was six levels down” from him.

Other significant takeaways underscore the importance of paying attention to details.

1. When you lack basic tools, you may miss basic clues. Equifax did not have tools that identify changes to files, a capability usually called file integrity monitoring. This fundamental capability would almost certainly have helped it identify the breach much sooner.

2. Beware of shortcuts that facilitate your work; they may do the same for the hackers. For their own convenience, some Equifax employees kept shared credentials in a file share. This made it convenient for the hackers, once they broke in, to travel from the initial site of the attack to other areas. Also, Equifax’s network was not segmented. Segmentation would have admitted users to the areas they needed while keeping them out of others. “The lack of segmentation was a conscious decision by Equifax to support efficient business operations and functionality over security protocols,” the report said. The hackers, no doubt, approved.

3. Patching should be prioritized according to risk. The threat that led to the breach had been identified as a very high risk. But it wasn’t treated that way. It was viewed as one of many. The Senate report quoted Mandiant on the problem that created: “If everything is critical, nothing is critical.”

4. And remember that for patching, timing can be everything. The best approach is to patch software proactively. The more reactive you are, the more vulnerable you will be. And the less time you will have to avert disaster. The chief information officer who oversaw the IT department only learned about the breach 19 days after Equifax discovered it.

     The final dozen pages of the 71-page report help place Equifax’s failures in a larger context. They compare how TransUnion and Experian, the company’s two largest competitors among consumer reporting agencies, were able to avoid falling into the same trap.
     “Both companies had deployed software to verify the installation of security patches, ran scans more frequently, and maintained an IT asset inventory,” the report noted. When new vulnerabilities were identified, the companies responded swiftly and effectively.