One of the biggest news items this week in the world of security is the Equifax settlement with the FTC. The Equifax data breach was one of the biggest ever reported, affecting over 150 million customers. Equifax was accused of failing to patch its network, which resulted in the breach. As a result, Equifax is now paying settlements up to US$700 million to the FTC. In a statement, FTC Chairman Joe Simons said, "Companies that profit from personal information have an extra responsibility to protect and secure that data. Equifax failed to take basic steps that may have prevented the breach."
So what can we learn from that situation and how can we stop similar breaches happening in your organization? Let’s look at 5 lessons learned from the Equifax breach:
- Companies need to take a more holistic approach to their security programs. It should go without saying, but securing your customer information has to be a priority. Equifax didn’t just fail to secure its network, leading to the breach; it also failed in its response to the breach. But worryingly, Equifax is not alone, with some industries worse than others. A recent report shows that 56% of health providers are still running outdated systems, some that don’t even allow security updates. “Healthcare organizations use internet-connected devices and software that aren’t always designed or updated by vendors to run the latest Windows OS, leaving them more vulnerable to malware such as WannaCry,” the researchers wrote. Security is not just about technical controls; it is also imperative to have administrative procedures in place so that technical and physical policies are monitored.
- Conduct a security risk assessment now - don’t wait! Avoidance will not help the issue. Companies must show that they have taken reasonable and adequate steps to protect personal health information. As a starting point, all available patches should be installed and systems upgraded to the latest versions available as quickly as is reasonably possible. While there may be legitimate reasons why patches get delayed, these must fit within an agreed policy, where the risks are clearly understood and mitigation strategies implemented. Risk can never be eradicated, but it needs to be understood and brought to within a reasonably acceptable level.
- Implement an incident management policy. Of course the goal is to avoid breaches, but it is naive to expect they will NEVER happen. According to the 2019 Ponemon Institute Study on the Cyber Resilient Organization, 57% of organizations experienced a breach of some kind in the past 2 years. And according to IBM, on average, companies take about 197 days to identify and 69 days to contain a breach. Given this, an incident response plan is critical. According to news reports, Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data. Companies should have a documented plan in place for dealing with a security breach. All departments involved should know what action to take. When asked about how to handle a data breach, these experts cover all the bases, from communication and understanding the root cause to being proactive rather than reactive.
- Educate employees. As we have learned from the Equifax breach, network security and the personal information of your customers are a huge responsibility that must be handled with adequate security measures. Make sure your employees are trained to handle sensitive personal health information. They should also receive regular training and reminders about “phishing” attacks and other ways that hackers try to steal valuable information. Have policies in place to help employees manage the security of the information they handle.
- Work with an expert to make sure your company has a secure and robust security program in place. Small and medium-sized businesses are just as vulnerable as companies the size of Equifax. Don’t know where to start? Ostendio can help you get started and build a program that maps against hundreds of security standards worldwide.
Equifax might be the example of the week for data breaches, but the protection of personal information is a long-term concern. In 2018, the healthcare sector saw 15 million patient records compromised in 503 breaches, three times the amount seen in 2017, according to the Protenus Breach Barometer. At just over halfway through 2019, there are potentially more than 25 million patient records breached. Europe recently introduced GDPR and California is following with the January 2020 introduction of CCPA, making security a boardroom-level issue for all companies. Rather than waiting for an Equifax-type situation to occur, companies should be taking a proactive look at their security program now and taking positive steps to manage their compliance and risk.