On Sept. 7, Equifax revealed that 143 million Americans and an unknown number of U.K. and Canadian residents had potentially been affected by a data breach. The fact that the company had actually learned of the breach in July and waited nearly two months before making it public made news of the breach and its scale all the more troubling.
As one of the three major consumer credit reporting agencies, Equifax stores some of the most valuable consumer information out there, including Social Security numbers, birth dates, credit card information, and driver's license numbers. From approximately mid-May to late July, hackers gained access to this information through a software vulnerability in the company's website, marking the third time that Equifax has been targeted by cybercriminals since 2016.
While data breaches are becoming a frequent part of our monthly news streams, the scope and severity of the Equifax breach illustrate just how dependent consumers are on an organization's digital security platform (or lack thereof). No one can predict exactly where, how, and when the next breach will occur, but the oversights in Equifax's governance structure and its poor cybersecurity planning are details that all organizations and leaders can learn from.
What Went Wrong at Equifax?
We can analyze the Equifax breach on two levels: the first is a lower, technical level, such as the failure to patch servers, and the second is a higher, organizational level, such as the evidence of a weak cybersecurity governance structure.
At the lower level, this data breach reminds us that the procedures around patching and protecting consumer information must be in place. In the case of Equifax, the root cause could've potentially been avoided had the company utilized vulnerability scanning and patching.
At the higher level, and as evidenced by the fact that this attack wasn't the first, this incident highlights a misstep both in governance structure and in the policies and procedures that protect structured and unstructured data. The irony is that this "protection" is the core of Equifax's business: The company has been entrusted with sensitive data for literally tens of millions of people and maintains this vast cache through, presumably, solid and secure procedures.
Evidently, however, Equifax's practices were severely lacking, a fact that points even more directly to a weak governance structure and indicates a straightforward problem that — had it been properly identified during one of the first two attacks — could've been avoided. Compound this oversight with the delay in disclosure, and we've witnessed an organization that is subject to (and has subjected its consumers to) major damages.
What Can the Equifax Breach Teach Us?
The good news is that an Equifax-type breach can be avoided. All organizations collect and manage sensitive information, but even those like Equifax that house the most high-value consumer information can follow these three strategies to keep their digital platforms and communications secure:
- Understand and achieve good governance. Board-level governance is essential for protecting against and, if necessary, combating cyberattacks. Not only do good governance practices ensure that your systems are up-to-date, but they can also help you create an internal and external cyber-intrusion and communications plan. While it's true that an organization needs a bit of time to adapt its plans to the specific attack and verify that the information it reveals doesn't make it even more vulnerable, proper planning puts an organization into a position where that time can be minimized, even when dealing with the amount of data Equifax does.
- Protect structured and unstructured data. Equifax needed to protect data across all channels of attack, which it failed to do. It's estimated that 60 percent of breaches are introduced via email, making that channel a priority both for sensitive-data transmission and other workflows and with regard to malware and phishing. These days, most organizations understand how to protect their core business information, but you also need to prepare your business for the next-generation attacks that consistently target email and other unstructured data.
- Utilize encryption for data at rest. Even with good governance and protection for both structured and unstructured data, cybercriminals can find a way to access exactly what you don't want them to. Thus, the ultimate fail-safe in a corporate cyber-incident prevention strategy is to encrypt data at rest, so that stolen data remains unreadable without the keys. Recently, Zix acquired the Entelligence Messaging Server (EMS) for just that purpose, giving us a much stronger capability in this area of providing end-to-end protection.
A holistic protection strategy that plans for both the known and unknown is the only way to keep your organization and your consumers safe. At Zix, we understand this, because we also understand that breaches such as the one at Equifax are likely not going away.