Lessons Not Learned from Target – Why Equifax Type Breaches Will Continue.
It’s hard to believe the massive data breach at Target that cost their CEO and CIO their jobs occurred almost four years ago. It was a very high-profile data breach that should have put all C-suite executives on notice that if you fail to protect your customers’ data you will pay dearly in many ways. First, you will lose your job. That’s personal. You get to carry that scarlet letter on your resume for a while. Obviously, the brand gets tarnished, fines are levied, lawsuits pile up, the stock price takes a beating, employees are terminated and investors scream. Most importantly, customers are left to deal with the lingering effects for years to come. However, what made the Target breach noteworthy, among other things, was that C-suite players actually got canned over it. No deflecting or rolling the blame downward in the organization for this one. Usually, if it costs the CEO their job, other executives should pay attention. The Target breach was an incident that should have sobered up all organizations to the reality of cybersecurity and its consequences.
Alas, it would seem with respect to data security, sobriety is a fleeting condition.
Fast forward to 2017 and it is the golden age of the hacker. Breaches, like what happened most recently at Equifax, the Securities and Exchange Commission, and Deloitte, seem to be occurring at record pace. Many of these exploits have commonalities such as being completely preventable and going undetected for extended periods of time (scary). Sadly, it is the most fundamental, mundane security procedures that weren’t followed or effectively executed that allowed the bad actors to gain access. You can spend thousands, even millions of dollars on sophisticated cybersecurity solutions, but if you don’t execute the basics well you may find yourself in the hot seat. For Equifax, it was failure to apply a free patch for a known security hole in a web app. Think about all the details around firewall rules, access control and management, etc. It is no wonder some items get missed. Traditionally, security has been left up to the network teams: endpoints, firewalls, IPS, and so forth. All important, but that’s table stakes with respect to a comprehensive security strategy. After all, what are these sophisticated bad actors trying to steal? Your data. Access to your network is simply a means to that end. So it really only matters if they actually get the data out. Data exfiltration is what needs to be prevented.
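The "basics" the paragraph calls out start with knowing which fixes you have not applied and for how long. The following is an added example, not code from the original post or from any of the companies it names: a small patch-exposure report that compares a software inventory against a list of advisories and ranks hosts by how many days a published fix has been available without being installed. The inventory, the component names, the version numbers, the dates and the advisory references are all constructed for illustration (the reference IDs are placeholders, not real advisory identifiers).

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Advisory:
    """A published fix: the first version that closes the hole."""
    component: str
    fixed_version: str
    published: date
    ref: str  # placeholder reference, not a real advisory ID


@dataclass
class Installed:
    """One component as found on one host by an inventory scan."""
    host: str
    component: str
    version: str


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a tuple so it compares numerically
    ('2.3.31' < '2.3.32', and '2.10' > '2.9', which string comparison gets wrong)."""
    return tuple(int(part) for part in version.split("."))


def find_unpatched(inventory, advisories, today: date) -> list:
    """Return one finding per (host, advisory) pair where the installed version is
    older than the fixed version, sorted by longest exposure first."""
    findings = []
    for adv in advisories:
        for item in inventory:
            if item.component != adv.component:
                continue
            if parse_version(item.version) < parse_version(adv.fixed_version):
                findings.append({
                    "host": item.host,
                    "component": item.component,
                    "installed": item.version,
                    "fixed_in": adv.fixed_version,
                    "ref": adv.ref,
                    # How long a free fix has existed while this host stayed exposed.
                    "days_exposed": (today - adv.published).days,
                })
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)


# Constructed sample data (hypothetical component names, versions and dates).
SAMPLE_ADVISORIES = [
    Advisory("example-web-framework", "2.3.32", date(2017, 3, 7), "ADV-PLACEHOLDER-1"),
    Advisory("example-tls-lib", "1.2.3", date(2017, 8, 1), "ADV-PLACEHOLDER-2"),
]

SAMPLE_INVENTORY = [
    Installed("web-01", "example-web-framework", "2.3.31"),  # behind the fix
    Installed("web-02", "example-web-framework", "2.3.32"),  # patched
    Installed("db-01", "example-tls-lib", "1.2.1"),          # behind the fix
    Installed("db-01", "example-db-server", "10.4.2"),       # no advisory applies
]


def sample_report(today: date = date(2017, 9, 7)) -> list:
    """Run the check over the constructed sample as of a fixed date."""
    return find_unpatched(SAMPLE_INVENTORY, SAMPLE_ADVISORIES, today)


if __name__ == "__main__":
    for f in sample_report():
        print(f"{f['host']:8} {f['component']:22} {f['installed']:>8} -> {f['fixed_in']:<8}"
              f" {f['days_exposed']:4d} days exposed  ({f['ref']})")
```

The "days exposed" column is the number that matters in a post-incident review: a fix that has been available for six months is a process failure, not a zero-day, which is exactly the distinction the paragraph draws between sophisticated attackers and unexecuted basics.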
As an affected customer of the Equifax breach, I have received messages and read all about how Equifax is sorry, how they have formed special committees, reassessed policies, fired key executives and so on. All cold comfort for me and, I’m sure, others affected. If my data was so valuable and my privacy so important, one would think all this attention on security would have been more appropriate before a breach. As details of the Equifax breach continue to pour out, it will only serve to reinforce that security should not just be a marketing buzzword. Just saying you are doing it does not mean you are doing it well. Security, like learning, has no finish line. It is never complete. It is a continuous strategic battle against a horde of invisible cyber villains. It’s 24×7. It’s 365. It is also the cost companies bear if they want to profit off individuals’ personal information. Accordingly, mishandle this valuable asset and suffer the consequences in the public domain. This would seem like a lesson that should have been learned years ago. It would seem the 1905 quote from philosopher George Santayana is still very much appropriate.
“Progress, far from consisting in change, depends on retentiveness. When change is absolute there remains no being to improve and no direction is set for possible improvement: and when experience is not retained, as among savages, infancy is perpetual. Those who cannot remember the past are condemned to repeat it. In the first stage of life the mind is frivolous and easily distracted, it misses progress by failing in consecutiveness and persistence. This is the condition of children and barbarians, in which instinct has learned nothing from experience.”
Let’s hope the Equifax lesson sticks.