There once was a business called Equifax
A company that stored all of our facts.
Perimeter breached, our data released
Americans’ exposure increased.
Beneath all the risk, what good could exist?
A lesson for each business to subsist.
Terrified by their breach discovery,
Dumbfounded, grasping for recovery,
Equifax stayed quiet, delaying riot,
Before finally making their fiat:
“We have been hit, the attack was legit.
But now our lawyers demand you acquit.”
The Equifax breach was made public almost a month ago. Beyond the scale of the breach – almost 150 million Americans were affected – the type of data was of even greater concern. Social Security numbers, addresses, and driver’s license numbers were all taken by the attackers. While this breach has serious consequences for individuals, the aftermath offers an important lesson for businesses – how not to respond to a security breach.
For a long time, cyber security has been synonymous with protecting sensitive data. That usually means web filtering, spam filters, anti-virus, and other perimeter tools. However, in recent years, more organizations have recognized that cyber security doesn’t stop at “protection.” What do you do when protection fails?
There are a number of phases to consider as part of a complete cyber security strategy, but the most obvious one that Equifax fumbled is Incident Response. A proper Incident Response Plan details the roles, responsibilities, and actions that should take place immediately after a security breach is discovered: who contains the intrusion, who preserves evidence, who decides when and how affected parties are notified, and who speaks for the company. A proper Incident Response Plan can limit the scope of data loss, shorten the time to notification and, especially for high-profile companies, reduce public blowback.
If you’d like to read more about the finer points of developing an Incident Response Plan, check out our blog post from earlier this year.
Incident Response for Awful Incident Response
While I think our consistent reinforcement is helpful, the recent Equifax breach reminded me of the unrivaled value of real-world examples. In the immediate aftermath of the announcement of the Equifax breach, here’s what we learned:
- Equifax discovered the breach roughly six weeks before the public was notified
- Several executives sold company stock after the breach was discovered but before the public learned of it
- Equifax offered free credit monitoring, but the initial terms of service appeared to require giving up the right to sue
- Equifax stood up the “am I affected?” site on a separate, newly registered domain unrelated to equifax.com and asked visitors for part of their Social Security number, so phishers could easily register convincing lookalike domains, exposing people to even greater risk
The events detailed above point to an organization that had, at best, a poorly designed incident response plan. While the breach is devastating by itself, Equifax’s response has further eroded the trust between the company and the public that relies on it.
If there is one thing we can take away from the Equifax breach, it’s that the time to build an Incident Response Plan is not after you’ve been breached; it’s now. If you’d like to learn more about securing your sensitive data or developing an Incident Response Plan, we’re happy to help. You can email us at firstname.lastname@example.org or give us a ring at 630.832.0075.