Data security lessons learned from the Equifax breach
It was pretty much impossible to turn on the television, skim through social media or browse the headlines recently without seeing or hearing about the massive data breach involving Equifax that compromised the personal information of 143 million customers.
But there was one piece of the story that really stood out: Equifax allegedly waited months to fix a well-known security vulnerability in the software that powers its online customer dispute portal.
When it comes to data security and your company’s reputation, there is no time for waiting. Protecting your company and your customers’ data is not something you can put off, whether it’s down to budgets, seemingly more pressing initiatives, or simply the belief that “it will never happen to me.”
The truth is, the consequences of just one breach can be far too detrimental to your company, your shareholders and your customers. I classify the damaging consequences of breaches into three categories: financial costs, reputational damage and job loss.
Isn’t it ironic that those who shortcut security measures may end up incurring costs far beyond the price of a security solution or compliance program that may have prevented the incident? That seems a bit like complaining about the price of motor oil, then never putting it into your engine until it seizes, and the repairs run thousands more than a quart of oil.
Indeed, the repercussions of a breach are so high that investing in the right data security is not your typical risk-return decision. In fact, the average cost of a data breach is $3.62 million, which takes into account financial losses, legal fees, auditing services, customer reparations, class action lawsuits and more. With Equifax, costs are already up to $4 billion. It makes you think: was putting off a security software update worth it?
Would you want to do business with a company that has proved it cannot be trusted with your sensitive data? Reputational damage from a breach can be detrimental to a company’s future. It is much harder to save your brand than it is to recoup the costs of security incidents. A tainted brand image eventually leads to lost sales, as mistrusting customers desert in droves. In the fallout, your company’s stock price may plummet (Equifax shares dropped 18 percent just days after the breach was announced), and in a worst-case scenario you could go out of business completely.
Data breaches not only impact a company’s brand and bottom line, but also its employees. Whether you are a CEO, CSO, CIO, compliance officer or other security executive, a data breach can come back to bite you. In Equifax’s situation, CEO Richard Smith suddenly retired after the breach and the chief information officer (CIO) and chief security officer (CSO) resigned.
But imagine if the breach was your fault (perhaps you were the one who advised the company to wait to install a software patch, or who instructed your team to focus its efforts elsewhere because your audit wasn’t due for another three months). If word gets out, it may be difficult to land your next job, particularly if you must explain why and how your procrastination put your former company at risk.
Why Wait to Secure Your Data?
With the risks of costs, reputational damage and job loss in mind, data security must be addressed today. While I could give you a list of best practices that will help (which is probably preaching to the converted), instead I’m going to leave you with one piece of advice: don’t hold sensitive data in the first place. It’s a simple notion, but extremely effective—cybercriminals can’t hack the data you don’t hold.
What do I mean by this? Consider whether your company is storing sensitive data in unnecessary areas of its business infrastructure. For example, if you have contact centers, you may be housing customer credit card data, Social Security numbers (SSNs) and other personally identifiable information (PII) – ripe for the taking.
Investigate the deployment of technologies that keep sensitive data segregated or completely out of your networks, customer relationship management (CRM) and enterprise resource planning (ERP) systems. This will make your organization far less vulnerable and less attractive to hackers, fraudsters and other cybercriminals. When you absolutely must store data, use tokenization to replace it with a meaningless equivalent for an added layer of protection.
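To make the two preceding points concrete (finding sensitive data sitting in places like CRM notes, then replacing it with tokens), here is an added example that is not part of the original article. It scans constructed contact-center records for card numbers (validated with the Luhn check) and SSNs, swaps each for a random token held in a separate vault, and only lets named roles reverse a token. The vault is an in-memory stand-in for a dedicated tokenization service, and the role names are hypothetical; the sample record is constructed for the example.

```python
import re
import secrets
from typing import Dict, List, Tuple

# Two kinds of sensitive data a contact center commonly ends up holding in free text.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digit card numbers, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN in the familiar 3-2-4 layout


def _digits(value: str) -> str:
    """Strip spaces and hyphens so '4111 1111 ...' and '4111-1111-...' compare equal."""
    return re.sub(r"[ -]", "", value)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Discovery step: list (kind, raw_value) for each card number or SSN in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(_digits(m.group())):   # drop numbers that merely look like a card
            hits.append(("pan", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


class TokenVault:
    """Maps random tokens back to real values.

    In a real deployment this lives in a separate, hardened service; the CRM and
    other business systems store only the tokens, so a copy of their data is useless
    without access to the vault.  This in-memory dict is a stand-in for the example.
    """

    # Hypothetical role names; which roles may detokenize is a policy decision.
    DETOKENIZE_ROLES = {"fraud-analyst", "payments-service"}

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[Tuple[str, str], str] = {}

    def tokenize(self, kind: str, value: str) -> str:
        key = (kind, _digits(value))
        token = self._by_value.get(key)   # same value -> same token, so joins still work
        if token is None:
            # Random token: no mathematical relation to the value, so it cannot be
            # reversed without the vault.  Card tokens keep the last four digits so
            # agents can still recognise a card; SSN tokens keep nothing.
            suffix = key[1][-4:] if kind == "pan" else "x"
            token = f"tok_{kind}_{secrets.token_hex(8)}_{suffix}"
            self._by_value[key] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Reverse a token, but only for an explicitly authorised role."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def scrub_record(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Return a copy of a record with every card number and SSN replaced by a token."""

    def pan_repl(m: "re.Match[str]") -> str:
        raw = m.group()
        return vault.tokenize("pan", raw) if luhn_ok(_digits(raw)) else raw

    clean = {}
    for field, text in record.items():
        text = PAN_RE.sub(pan_repl, text)
        text = SSN_RE.sub(lambda m: vault.tokenize("ssn", m.group()), text)
        clean[field] = text
    return clean


# Constructed sample record: a CRM note in which an agent typed a card number and an SSN.
SAMPLE_RECORD = {
    "name": "Example Customer",
    "notes": "Card 4111 1111 1111 1111 on file; SSN 123-45-6789 confirmed by phone",
}

if __name__ == "__main__":
    vault = TokenVault()
    print("before:", find_sensitive(SAMPLE_RECORD["notes"]))
    cleaned = scrub_record(SAMPLE_RECORD, vault)
    print("after: ", cleaned["notes"])
    print("rescan:", find_sensitive(cleaned["notes"]))
```

Run on the sample record, the rescan of the cleaned note comes back empty: the CRM now holds only tokens, and a `crm-reader` role asking the vault to reverse one gets a `PermissionError`, which is the point of keeping the vault apart from the systems that hold the tokens.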
If Equifax had not waited to fix a known security hole, and/or removed the sensitive data from its network in the first place, today’s situation may never have happened. We must all learn from their mistakes and act now to secure sensitive data. It could make all the difference in keeping your company out of the headlines as the victim of an inexcusable data breach – so, why wait?