Originally published on the 7th November 2017.
Over the past few years the number of companies either ‘fessing up to data breaches or being outed for them by the media has dramatically increased, as has the scale of the breaches themselves. Far too many companies persist in the fantasy that it will never happen to them; rather than accepting its inevitability (in some form or another) and putting mitigation technology in place, they ignore the threat, tiptoeing down sniper alley as fellow corporates with similar attitudes drop around them.
A little over a year ago, Equifax were the victims of a massive breach. Around 143 million American and 700,000 British citizens lost a variety of data including social security numbers, birth dates, addresses and even driver’s licence IDs. To make matters worse, the way in which Equifax reacted to and handled the breach was a lesson in what-not-to-do. Disclosure was delayed while company executives sold $2 million worth of stock shares, demonstrating the unpreparedness, sheer dishonesty and bungling at the top tier of the company. Were Equifax serious about security? Their Security Chief was qualified as a Music Major, their login credentials were up for grabs on the dark web and the company database sign-on was set to admin/admin. Come on! Really? This is a company whose primary function is to deal with personal information, and it is one of the largest in the world!
In September 2018 the U.S. General Accounting Office (GAO) released a comprehensive report that examined the reasons for the breach and the company and governmental actions taken since. Much was promised but very little has been done: $200 million was earmarked for additional security systems, but the attitude of the senior board has not produced any real change in Equifax’s outlook; they seem entrenched in a one-hit-wonder mentality. Senator Elizabeth Warren commented that Richard Smith, CEO of Equifax, was “At best incompetent; at worst complicit. Either way, should be fired.”
Lee Child’s literary hero Jack Reacher’s maxim “hope for the best, plan for the worst” is probably the best advice, in security terms, that a company can take. There are some simple and inexpensive steps to take. The simplest is to test your own defences with some form of Penetration Testing programme: find out just where the weaknesses are and bolster those, rather than throwing money at huge security infrastructures before knowing where the holes in your defence actually are. We're currently running a free Network Penetration Test for up to 10 IPs, so get in touch now. Failing that, you could always get Jack on your side and put him in charge!