Recently, Equifax announced a settlement with the FTC regarding the breach of its corporate network in 2017. We wrote about this in January of 2018, described this breach as “one of the most extensive and intrusive data breaches in history,” and asked the question “Could it happen again?” As we’ve seen over the last 18 months, the answer is Yes, with large and small companies having to shell out huge sums in fines, penalties and damages. But this breach, and the penalties that Equifax had to pay, could have been much worse. Because as bad as Equifax was at protecting its data, there was one thing that Equifax did right that saved it hundreds of millions if not billions more.
How Equifax Was Breached
The first thing to understand is how important it is to be vigilant about your company’s Cyber Security. As we wrote in 2018, in testimony before Congress, Richard Smith, the CEO of Equifax, apologized for the incident and claimed that the breach had been traced to a single employee’s refusal to listen to security alerts and implement crucial software fixes. In a nutshell, they didn’t update software with a known security flaw to a newer version. As a result, 143 million records were breached.
Do you have any staff members who are less than willing to comply with your company’s Cyber Security policies? Even if damage to your company isn’t likely to reach $143 million, wouldn’t a few hundred thousand dollars in remediation expenses, plus a million dollars or more in fines hurt your company’s bottom line?
The answer is most likely Yes.
What Equifax Did Right Helped Save Hundreds of Millions More In Fines
Even though other areas of Equifax’s cyber security may have been lax, there was one part of their ongoing efforts that helped them tremendously. Once the breach was determined, they were able to identify which records were affected, and what data from each record was exposed. They were able to do this because of what Equifax did right: They had comprehensive logging of all of the activity on their network.
In a system like Equifax’s (and like we install for many of our own clients), every time a record of data is accessed -- whether viewed, exported, referenced or edited -- a log record is written of this activity.
Equifax has records of nearly a billion consumers, but they knew that records for only 143 million were breached. As a result, fines and compensation are based on this number. Without their comprehensive logging, they would have had to pay based on every single record in their databases, which could have greatly increased the penalties.
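As an added illustration (not code from this post, from Equifax or from Digital Uppercut), here is what such a per-record access log and the scoping query it enables can look like in Python. The JSON line layout, the principal names, record ids and timestamps are all constructed for the example; the point is that once each access records who touched which record and which fields came back, the set of exposed records for a compromised account and incident window is a query rather than a guess.

```python
import json
from datetime import datetime

# Constructed sample audit trail: one JSON line per record access, naming the
# principal, the action, the record and the fields actually returned. The
# third line is deliberately corrupt to show that parsing must not abort.
SAMPLE_LOG = """\
{"ts":"2017-05-14T02:11:07Z","principal":"svc-web","action":"view","record_id":"c-1001","fields":["name","ssn"]}
{"ts":"2017-05-14T02:11:09Z","principal":"svc-web","action":"export","record_id":"c-1002","fields":["name","dob","ssn"]}
this line is not valid json
{"ts":"2017-05-14T09:30:00Z","principal":"analyst-7","action":"view","record_id":"c-1003","fields":["name"]}
{"ts":"2017-05-15T03:02:44Z","principal":"svc-web","action":"view","record_id":"c-1001","fields":["address"]}
{"ts":"2017-07-30T12:00:00Z","principal":"svc-web","action":"view","record_id":"c-1004","fields":["name"]}
"""


def _ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text):
    """Parse JSON-lines audit entries; skip malformed lines instead of aborting."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            e = json.loads(line)
            e["ts"] = _ts(e["ts"])
            entries.append(e)
        except (ValueError, KeyError, TypeError):
            continue  # corrupt line: skip it, but keep every other record
    return entries


def breach_scope(entries, compromised_principals, start_iso, end_iso):
    """Return {record_id: set(fields)} touched by the compromised principals
    inside the incident window. Penalties and notifications can then be based
    on these records rather than on every record in the database."""
    start, end = _ts(start_iso), _ts(end_iso)
    exposed = {}
    for e in entries:
        if e["principal"] in compromised_principals and start <= e["ts"] <= end:
            exposed.setdefault(e["record_id"], set()).update(e["fields"])
    return exposed


if __name__ == "__main__":
    scope = breach_scope(parse_log(SAMPLE_LOG), {"svc-web"},
                         "2017-05-13T00:00:00Z", "2017-07-29T00:00:00Z")
    print(len(scope), "records exposed:", {k: sorted(v) for k, v in scope.items()})
```

The accesses by the uncompromised analyst and the one outside the window are excluded, so only two records are in scope, with the exact fields each one leaked.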
Cyber Security Is Always Changing
Because cyber crime is always changing, Cyber Security must change too. There is no such thing as a “set it and forget it” Cyber Security policy that will protect you in the long run. Cyber security must be constantly analyzed and improved in order for it to be effective. Software evolves, gets old, becomes deprecated (like the current crop of Microsoft programs that will be unsupported in January), and becomes a security risk. Even hardware and software that is still in use and supported by the manufacturer needs to be consistently updated and maintained. And of course you can never predict the actions of individual personnel when challenged by a clever social engineering attack.
So what Equifax did wrong was to not respond to a new vulnerability. But what Equifax did right was to have comprehensive logging. This gives them (and you) the ability to help detect attacks before they become successful, and determine how widespread they are in the event the attacks ever do succeed.
What To Do Next?
So what is your takeaway from this Equifax breach and settlement? In a nutshell, learn from what Equifax did right. First, you should definitely check to see if your data was compromised by the Equifax breach, and take steps to protect yourself and your personal data if it was. But while it may be helpful to claim your share of the Equifax settlement, installing a proper cyber security logging system -- especially one that is linked to a SIEM (Security Information and Event Management) system that continually analyzes the logging data -- can be far more helpful to you and your company.
If your own company’s cyber security plan doesn’t yet include logging, then it’s time that we talk. Digital Uppercut is a specialist in Cyber Security, logging, and SIEM systems for companies like yours. Contact us online or call us today at 818-913-1335.