Equifax lessons and the need for cybersecurity board governance
Last week Equifax announced one of the largest and most impactful data breaches to date.
Sure, we have had larger troves of data hacked: Yahoo with 1 billion accounts, Target with over 70 million cards/persons impacted, and the Office of Management & Budget (OMB) with 21 million persons’ personal information, including SSNs, impacted. The OMB hack was especially disastrous for those of us who have served in intelligence functions or other sensitive posts. However, in terms of risk, a successful hack of one of the three main credit reporting bureaus is about as bad as it gets.
Why so bad? Credit reporting agencies have all of our financial data, financial transaction and experience information, and payment history in one location. We pay so much attention to the loss of replaceable credit card information that we forget that the theft of SSNs is about as bad as it gets, as these numbers are, in practice, immutable: they cannot be reissued the way a card number can.
Furthermore, these databases warehouse the backend engines for fraud analytics and knowledge-based authentication (KBA) information that serves to verify we are who we say we are. Those questions on what color was your first car or who was your first home loan with are derived from these data sets.
In the hands of hackers or identity thieves, this data is as good as gold, and its loss may leave other banking and financial systems that rely on it less robust.
What should we focus on? Let’s talk about the response first. It was noteworthy that the CEO of Equifax appeared in a taped video statement to announce the breach; this is important from an accountability perspective. The desire to connect with consumers and anyone who is impacted is a step in the right direction and shows the intent to own the incident.
Everyone in cybersecurity knows that any company can be hacked, and the job is really about identifying the attack, putting up as many preventive and detective controls as fit the risk model of the company, enabling business, and building trust and goodwill with customers.
Is there anything that went awry with the breach response? There will always be missteps made in any breach response. Sometimes these incidents have a life of their own, and the good people behind the scenes start to get tunnel vision or segment themselves so much that they miss easy-to-spot issues.
In the case of Equifax, we have several of these misses. First, never ask for six of the nine digits of a person’s SSN to sign up for credit monitoring. I am confident this was related to some technical limitation of querying the database, but it was still a miss.
Second, issuing a PIN derived from the date and time of enrollment is sloppy and a distraction, but probably not harmful, as it can be changed and is less likely to be guessed mathematically – unless Equifax has no rate limiting on the portal.
Third, offering a solution that has the wrong terms or terms that are not meant to apply to the current situation (i.e. forcing people who accept credit monitoring into arbitration) shows the silos that exist in the company as it relates to breach preparation.
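The second miss above rests on two quantities: how many candidate values a date-and-time PIN really has once the enrollment window is known, and how many guesses a portal lets anyone make before it stops answering. The example below is added here to make both concrete; it is not Equifax code, and the PIN layout (MMDDYYHHMM) is an assumed illustration rather than a documented scheme. It contrasts a timestamp-derived PIN with a randomly generated one and shows a sliding-window failure limiter of the kind that keeps a small candidate space from mattering.

```python
import hmac
import math
import secrets
from collections import defaultdict, deque
from datetime import datetime


# Assumed illustrative layout: enrollment month, day, year, hour, minute.
# Ten digits on paper, but only one candidate per minute of the window.
def timestamp_pin(enrolled_at: datetime) -> str:
    return enrolled_at.strftime("%m%d%y%H%M")


def random_pin(ndigits: int = 10) -> str:
    # Cryptographically random digits: every ten-digit value is equally likely.
    return "".join(secrets.choice("0123456789") for _ in range(ndigits))


def timestamp_candidates(window_minutes: int) -> int:
    # If enrollment is known to fall within `window_minutes`, a minute-granularity
    # PIN has at most that many distinct values, whatever its nominal length.
    return window_minutes


def guess_space_bits(candidates: int) -> float:
    # Equivalent key strength in bits of a uniform choice among `candidates`.
    return math.log2(candidates)


class FailureLimiter:
    """Sliding-window count of failed attempts per identifier (constructed example)."""

    def __init__(self, max_failures: int, window_seconds: float) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: dict[str, deque[float]] = defaultdict(deque)

    def _prune(self, ident: str, now: float) -> None:
        q = self._failures[ident]
        while q and q[0] <= now - self.window:
            q.popleft()

    def locked(self, ident: str, now: float) -> bool:
        self._prune(ident, now)
        return len(self._failures[ident]) >= self.max_failures

    def record_failure(self, ident: str, now: float) -> None:
        self._failures[ident].append(now)

    def reset(self, ident: str) -> None:
        self._failures.pop(ident, None)


class PinVerifier:
    """Checks a submitted PIN only when the identifier is not locked out."""

    def __init__(self, pins: dict[str, str], limiter: FailureLimiter) -> None:
        self._pins = pins
        self._limiter = limiter

    def verify(self, ident: str, pin: str, now: float) -> str:
        """Return 'locked', 'ok' or 'fail'; the lockout check precedes the compare."""
        if self._limiter.locked(ident, now):
            return "locked"
        expected = self._pins.get(ident, "")
        # Constant-time comparison so timing does not leak matching prefixes.
        if expected and hmac.compare_digest(expected, pin):
            self._limiter.reset(ident)
            return "ok"
        self._limiter.record_failure(ident, now)
        return "fail"


if __name__ == "__main__":
    enrolled = datetime(2017, 9, 9, 14, 24)  # constructed enrollment time
    print("timestamp PIN:", timestamp_pin(enrolled))
    print("random PIN:   ", random_pin())
    print("one known day: %.1f bits" % guess_space_bits(timestamp_candidates(24 * 60)))
    print("random digits: %.1f bits" % guess_space_bits(10 ** 10))
    limiter = FailureLimiter(max_failures=5, window_seconds=60)
    verifier = PinVerifier({"alice": timestamp_pin(enrolled)}, limiter)
    for t in range(6):
        print("attempt at t=%d:" % t, verifier.verify("alice", "0000000000", float(t)))
```

The point of the limiter is that once an identifier has exhausted its budget the verifier returns "locked" without ever comparing the PIN, so a correct value submitted during lockout is not confirmed. A per-identifier limit alone does not bound guessing spread across many identifiers; a production portal pairs it with limits per source address and per session, and with monitoring on the aggregate failure rate.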
In a breach, everything you do is under the microscope, so issues will be found. However, the problem is not the issues but what they might illustrate – the potential lack of central cybersecurity risk and governance being led by the board of directors and C-suite.
So, let’s focus on that for a minute. We had several collapses of companies in the early 2000s which led to financial expertise, independence, and auditing being a must-have for publicly traded companies. Boards must have audit committees and at least one financial expert. In this day and age, every company is a cybersecurity company, in effect, and yet there is no mandate to have a cybersecurity risk professional on the board.
Now, I get that companies do not want “tech talk” on the board and that this is a bigger problem with CISOs. But ideally a board should have a cybersecurity expert who has demonstrated that they know the tech (but does not have to talk about it), a privacy expert, someone who understands the law and risk, and a person who will lead and enable business.
If we start with the board, leadership and tone at the top on cybersecurity, we might be able to have better understanding of cyber-risk mitigation, business enablement and the building of trust. But we must start there, and the Equifax breach is just one in a long line of breaches that brings this point home more clearly.