May 30, 2019

A major ratings agency has stripped consumer credit bureau Equifax of its stable investment rating, downgrading the company’s outlook to ‘negative’ on the continuing fallout from its massive 2017 data breach.

Equifax suffered what is still one of the biggest data losses in history, exposing the detailed personal and financial information of 148 million people in the US, Canada, and UK.

A series of class-action lawsuits ensued which still threaten the company’s future earnings. Analysts reckon that Equifax – one of the world’s largest consumer credit data firms – has already lost ca. $1.4 billion in costs and lost revenues as a direct result of the hack.

It’s thought to be the first time that a breach has factored into an investment agency’s guidance to investors.

An act of cyber self-harm

Scrutiny by a US House of Representatives Oversight Committee determined that Equifax had left the door open to hackers by failing to implement a publicly available security patch to one of its servers. The vulnerability had been announced by the US Dept. of Homeland Security some months before.

Attackers used the vulnerability to gain and retain access for more than two months, moving laterally across various systems after they found an unencrypted list of passwords. It let them in to more than 48 databases holding unencrypted consumer credit data.

During their time on the network the hackers made more than 9,000 database queries, downloading data 265 times. All undetected.

The company waited six weeks to disclose the breach. Then its former boss tried to blame a single IT staffer for failing to add the patch in time – something the House Oversight Committee rejected outright.

It called the company’s cybersecurity systems outdated and full of vulnerabilities, and its attitude to data security ‘cavalier’.

So before and after the breach, Equifax did itself no favours. In that sense it’s in good company. Some of most spectacular cyber fails of the last few years have been entirely down to human error.

Cyber-risk goes mainstream

What Equifax’s two-year breach hangover tells us is this:

  1. The damage caused by a breach goes well beyond the short term costs of remediation and plugging up exploits.
  2. Hacking has become normalised as a business risk – though one that still that hasn’t been fully embedded in strategic plans and daily operations.

A few weeks ago we write about tech company Slack telling investors that breaches were a standard business risk that could affect its operations and earnings in the coming fiscal year.

‘These threats are impossible to entirely mitigate’, it said in a pre-IPO filing, listing cyber attacks alongside generic investor worries like limited operating history and ability to retain customers.

That speaks to a new maturity in the way organisations understand cybersecurity and factor it into results.

Most large insurers have stopped lumping cyber-risk under traditional property-casualty policies and now offer standalone cyber insurance.

While on the accountancy side, the Centre for Financial Professionals says cyber risk is now the number one concern for businesses, with 80 percent of its members saying they would decline a business relationship based on a partner or vendor’s poor security performance.

It’s not hard to understand why.

Consumers are becoming more aware of how well or poorly the companies they give their custom to treat personal data. They will quickly abandon a brand following a major security incident.

What can you do?

Human error enabled the Equifax breach, but pointing the finger at individuals is the wrong reaction. Leaving systems unpatched on a major and well-publicised exploit points to failures of awareness up and down the organisational hierarchy.

It indicates a failure to empower people fully.

What Equifax, and in fact most hacks tell us about cyber defence is that the signs of an attack on an organisation’s network are often directly observable (9,000 queries in two months), and detectable when people have been taught to spot the signs of a breach on the network.

As the financial community normalises cyber risk, businesses need to normalise it in day-to-day operations by building up a culture of security awareness.

Businesses and cybercriminals are locked in a long-term struggle where the weapons and tactics change almost weekly. Unless someone invents a cyber magic bullet that finally makes devices and networks impenetrable, treating cyber risk as a daily management challenge – and enlisting your own people to help – is the safest route to secure systems.

Want to learn more about empowering employees with security awareness training?  Sign up for a free demo and find out how we’re already helping organisations just like yours.

Share this: