Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Lessons From the Massive Equifax Cyber Breach


If you are not familiar with the breach, read this first: Massive Equifax data breach exposes as many as 143 million customers.

The management team (and implicitly the board) has come under attack for its handling of the situation. See this article, for example.

The attacks appear justified.

For example, the breach was discovered on July 29, but the company only disclosed the issue to consumers and others last week. Six weeks of continuing exposure!

The breach occurred as early as May but was not discovered until the end of July.

Apparently, the company didn't even inform all its executives, and three sold shares in the company after the breach but before the disclosure. See this.

Equifax made available a tool that helps consumers find out if they are affected — but according to reports it doesn't work.

The "experts," including those responsible for providing guidance and frameworks, typically emphasize two aspects: prevention and response.

Both prevention and response are clearly highly important.

But it should be apparent to everybody that it is next to impossible to keep hackers out indefinitely.

Prompt detection is crucial!

That should be followed by the ability to: a) get the hackers out, b) know how they got in, c) know what damage was done, and d) effect the necessary repairs.

My question for every CEO, chief financial officer, chief information officer, and board member is this:

Is it realistic to expect your team to …

  • Understand the risk to the business, even as it changes dynamically?
  • Make the right decision as to whether or not to use a specialist firm to manage protection and detection?
  • Stay abreast of the changing nature of threats, and so on?
  • Manage the risk to the business at acceptable levels?
  • Do so in a way that complies with legal, regulatory, and societal expectations (e.g., not launching illegal attacks on hackers overseas)?

I welcome your comments.
