In Equifax Data Breach, Three Hard Lessons in Risk

As the story of the Equifax breach unfolds, it has the potential to have as sign

How much security risk can an organization accept before it’s on very thin ice? The equation is simple: decide how much money it will take to reduce the risk, and how much more money an organization will earn by accepting that risk. Credit monitoring agency Equifax presumably decided that accepting a large amount of risk, in hopes of making a larger amount of money, was a good gamble. In the case of the massive data breach, Equifax lost that gamble badly.

As we now know, the most amazing thing about this utter disaster is that it didn’t need to happen. The breach was completely avoidable. Equifax was compromised through a vulnerability that had been discovered and fixed by the vendor months before it was exploited at the company. The solution was a simple security patch. From a risk perspective, there are three key lessons from this breach that any CISO, CIO, or CFO should have seen coming.

Too Risky to Patch

Why was the Apache Struts patch not scheduled to be applied? I’ll wager the answer was that business leaders decided the patch was too risky to apply. Even simple patches require people, resources and time to integrate, test and deploy. There is always a risk that a patch could take a system offline, which of course could mean a loss in revenue and an increase in operating costs. I would further wager Equifax management will fall back on an excuse to “pass the risk on to the business.” In this well-worn play, executives allow each business unit to determine what risk is acceptable to them, which eventually turns into “the risk of not meeting targets” vs. “the risk of applying the right level of security.” From financial institutions to healthcare, I hear echoes of this same idea firsthand. The pain of missing a bonus or a goal is far higher than the intangible risk of being breached. No one is taking the big-picture view on risk.

There is an irony here that cannot be ignored. Over seventy-five billion dollars was spent worldwide last year on security products and services, yet breaches keep happening. It does not matter what tools you have if you don’t take the time to understand what risks are involved in running systems that manage massive amounts of sensitive consumer data. For too long, organizations have whittled away at prudent security protocols (like testing, implementing, and monitoring) because they believe the steps will take a chunk out of revenue. Equifax is a perfect case study for this problem: the company had great revenue growth while keeping operating margins almost exactly the same between Q1 2016 and Q1 2017. Yet in the past year, organizations have been hit with some of the most devastating cyber-attacks we’ve ever seen, including ransomware attacks. When a company’s operating margins stay the same, how is it able to beef up its security? The answer is, it probably hasn’t.

Risk over Governance

In addition to a failure of risk management, we also have a failure of process (not to mention ethics). Consider that three executives sold Equifax stock after the breach was detected, but before it was made public. Either the executives in question (including the CFO) knew about the breach and sold their stock believing it would eventually tank, or they really didn’t know about it. If they didn’t know about such a serious breach, then the breach escalation process within the company was broken. That is a failure of leadership. If there was a breach escalation process and it wasn’t followed, it’s still a failure of leadership. If there was a breach escalation process and it was followed, then the sale of stock based on insider knowledge is just plain criminal.