Equifax breach confirms need for NIST cybersecurity measures
The massive Equifax breach has dramatically elevated the national cybersecurity conversation. The heart of the issue is that companies like Equifax currently base cybersecurity spending decisions on the value that data has to their organization, rather than basing it on the value to the people whose data they are exposing to risk.
This breach is totally inexcusable. This was not a sophisticated technical assault – the attackers simply walked in through a web application that had not been properly secured. As cyber expert Brian Krebs said, “The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.”
This critical breakdown of internal defenses is no different from every major breach of significance in the past two years, but the sensitivity of the information accessed points to extreme danger for the personal wealth of individuals and the financial health of our economy. This is the 9/11 moment that the NIAC has been warning about.
Commercial enterprises represent the front line of defense against hacking, and the announced 143 million records compromised suggests that every family in the U.S. has been affected – and that looks to be confirmed. The bad guys now have your financial information, your employment history, present and past addresses – everything needed to steal your identity.
This constitutes a tsunami of personal risk to all U.S. citizens, not just the 44 percent who were directly affected. The amount of information these firms hold, and the long-term effects of its exposure, are massive. How do you get a job or buy a house when the credit system the U.S. economy depends on has been compromised?
This hits at the very foundation of the United States, and a breach of this caliber has the potential to freeze the credit reporting system and the banking system, and to do major damage to the global economy as a whole.
How should we move beyond talk to take positive action? The government has clearly endorsed the use of the NIST Cybersecurity Framework (NIST CSF) to strengthen enterprises against this devastating caliber of risk by focusing on people, policies, and processes. All federal agencies were recently mandated by executive order to assess their cyber readiness using NIST CSF, and the same order recommended that private operators of critical infrastructure follow suit. Had Equifax employed NIST CSF, with its insistence on knowing what assets you have and keeping them patched, this breach would have been far less likely to happen.
Further, the government provides liability protection for companies that adopt NIST CSF and deploy technology vetted by the DHS SAFETY Act Office. These programs recognize the risk to the U.S. economy from breaches just like this one – leveraging the SAFETY Act is no longer a suggestion, it is a necessity.
The FBI has been involved since the breach, which began in mid-May, was discovered in late July, and Equifax’s offer of one year of identity protection to every consumer in the U.S. also suggests that the ripple effect of this breach may be even greater than we’re aware. Given the scale of today’s announcement, it is reasonable to assume that the personal data of every board member and C-suite executive in the country has been exposed as well. Perhaps now they’ll get serious about defending personal information – or suffer the severe financial, reputational and personal consequences now being faced by companies like Yahoo.
It is the fiduciary duty of every C-suite and board of directors to act with reasonable business judgment to protect the private information of consumers. The fact that Equifax failed to put proper security measures in place, and then sat on knowledge of the breach for weeks before notifying consumers, means that responsibility has not been upheld. The Equifax breach has taken us past the tipping point. It’s time for a cyber Sarbanes-Oxley.