Using ERM to Protect Your Business from The Equifax Fallout
As with many data breaches, the general conclusion of the Equifax attack is that personnel were not aware of the issue beforehand. This conclusion, however, is false.
In early September, I anticipated that a vulnerability in Equifax’s software was known ahead of time, and that this scandal was, therefore, entirely preventable. A month later, the NY Times reported that the Department of Homeland Security sent Equifax an alert about a critical vulnerability in their software. Equifax then sent out an internal email requesting its IT department to fix the software, but “an individual did not ensure communication got to the right person to manually patch the application.”
The Equifax data breach was a failure in risk management. As a credit bureau that deals with the personally identifiable information (PII) of 200 million U.S. customers, Equifax has a legal and moral responsibility to safeguard their customers’ security, and to adopt the proper systems to do so.
For instance, if Equifax had an enterprise risk management (ERM) system in place, the warning from Homeland Security would have been properly recorded and assigned out to the appropriate personnel. This system would have provided transparency over the status of the task in progress, and would have triggered reminders until the vulnerability was patched and verified by the right subject matter expert.
A Point of No Return
It’s my opinion that this scandal is a point of no return for risk management. While data breaches have abounded in recent years, there has never been one of this magnitude or one that provides every piece of information hackers need to steal our identities. Of course, lawsuits and penalties are piling up around the company’s negligence, but these financial losses are nothing compared to the reputational damages Equifax will suffer—shares fell by 18% following the breach and have yet to fully recover.
What makes this scandal so unique, and therefore a point of no return, is that these reputational damages reach far beyond Equifax. Consumers can’t always choose whether they’re a customer of Equifax, but they can choose whether to do business with the institutions that gave away their information to Equifax in the first place.
I also believe that consumers’ outrage with this scandal will cause them to shift their money, loyalty, and trust to institutions that can demonstrate effective risk management. CEOs and boards of every company will have to prove their organizations have adequate enterprise risk management systems in place. They’ll find that more effective risk management and governance programs are necessary to keep their market shares up and their reputation clean.
Where to Go from Here
While this breach may appear to be an event of the distant past, we are in the eye of the storm. Stolen information can lie dormant for months or years as criminals wait to make their move, and when they do, you’ll have either taken this period of calm as a chance to forget the scandal, finding yourself ill-prepared, or a chance to get to higher ground, finding yourself fully protected.
To protect themselves, businesses must:
First, to determine where to focus your security resources, recognize that people, processes, and procedures are now the biggest risks. Businesses need to perform risk assessments across all departments to determine who has access to sensitive information and authentication processes, and what the business impact would be if these employees were to be impersonated.
Next, to address these risks, businesses must rewrite their procedures for authenticating the people involved in sensitive requests and actions both verbally and electronically. With so much PII now in the public domain, it is no longer safe to rely on traditional authentication based on these pieces of information. For example, the security question “What was your first car?” is not effective because the answer is now easily accessible. A more effective question would be “Who was your best friend in elementary school?”
Finally, it is important to keep your third-party vendors in mind. Vendors often have access to sensitive information and processes, which could have an enormous impact on your company. It is crucial, therefore, to extend your internal authentication procedures out to your third parties so that they are authorizing sensitive requests and actions as securely as your own organization.
Our world, including the business world, is becoming increasingly transparent, meaning it’s up to you to act with integrity and protect your stakeholders. Keeping the Equifax data breach in mind, along with enacting these tactical steps, will help you stay ahead of the competition and out of glaring social media headlines.
Steven Minsky contributed to this article.