In 2017, the world of security was rocked to its core when a major story broke about one of the Equifax Data Breach – the largest data breaches ever reported. The credit reporting company Equifax had failed to take the necessary steps to protect its network, affecting over 147 million people across the United States. Then in 2019, Equifax agreed to pay up to $700 million in settlements due to their negligence.
It’s been years since the breach, yet the ripple effect is still making waves throughout the world. With the rise of new technologies, cloud-based products, and stronger legislation because of the Equifax data breach, it’s now more important than ever for organizations to learn from this event.
Here is what you should learn from the Equifax breach and what your organization can do to not make the same costly mistake.
1. Legacy Systems Don’t Cut It
Legacy systems, especially regarding cybersecurity functionality, are not equipped with modern technology features. When a company builds its entire network around outdated systems, it leaves multiple vulnerabilities that can be exploited and lead to breaches. And while Equifax had recognized the risks of operating legacy IT systems and had begun a legacy infrastructure modernization effort, they were too late.
Another point of legacy systems to consider is the ability to update. Often, these outdated systems do not allow for upgrades that are timely and critical to business needs. While many organizations lack the capability or resources to outright modernize IT systems integral to business, the “due diligence” of ensuring they are protected ultimately should be a major focus.
Attrition and the reduction in employee knowledge of the legacy system was also a contributing factor. As the workforce aged, fewer and fewer employees were able to take care of the environment, which created a bottleneck and did not allow for a comprehensive look at the system.
In the end, a House Oversight Committee report found that ”Equifax’s Patch Management Policy relied on its employees to know the source and version of all software running on a certain application in order to manually initiate the patching process. Therefore, the lack of visibility regarding Apache Struts use in the Equifax environment greatly increased the likelihood an unpatched vulnerability could go unnoticed.”
2. Conduct Security Risk Assessments Often
Avoiding the issue won’t simply make it go away. It was revealed that within Equifax, “…the lack of an official designation for the system owner and application owner meant there was no mechanism for ensuring either person followed this subscription requirement.” Meaning that the responsibility within the company to address vulnerabilities was not clearly defined, leading to a lack of accountability.
It was also revealed that certain vulnerabilities were not adequately tracked, prioritized, and monitored. The fact that the attack lasted for 76 days before being found furthered Equifax’s data breach woes. While the breach happened in May of 2017, it still took the company six weeks to divulge to the public that the attack had occurred.
Not only should security risk assessments be completed often, but the education of employees on a security risk response plan is equally vital. It is a necessity to have system owners that understand a clearly defined process when it comes to patches in systems. Conducting security risk assessments can produce some eye-opening critical issues, but it also comes down to the management of these issues. All departments involved need to understand what action to take next in the event of a breach.
3. Restrict File Access to Certain Roles
Not everyone in your organization needs to handle sensitive data. While there is a heightened effort to democratize data across departments, there should be significant safeguards in place to guard against sensitive data leaks. Employees only need access to what they need for their job.
File systems must be restricted to only allow certain employees, or roles to gain access to business-critical files such as configuration files, and files regarding sensitive customer data.
4. Incident Response
According to IBM’s Cost of a Data Breach 2022 Report, organizations that have an incident response team and regularly test their IR plan saved on average $2.66 million annually.
Further reports found that “Equifax employees were unable to respond adequately due to a failure to implement basic cybersecurity standards, which prevented Equifax from complying with its own internal policies and procedures.” With decisions being made too slowly, incidents only get worse.
No matter the size of an organization, time should be taken to practice mock incident response plans. Routinely doing so can highlight any issues with the current plan. This also helps to educate employees on the roles and responsibilities they play during an actual incident, which can help speed up the response time.
5. Policies, Procedures, and Processes
It’s clear that Equifax lacked clear processes in place for the management of vulnerabilities and patches. What’s more damning is that a House Oversight Committee report noted that “At Equifax, the IT and Security organizations were siloed, meaning information rarely flowed from one group to the other … Communication and coordination between these groups was often inconsistent and ineffective at Equifax.” So, assuming the processes were there, the communication between departments severely impacted the security of their network.
Compliance policies cannot be taken lightly, especially as sensitive data privacy has become a priority among global marketplaces. Every employee and every department needs to understand their role in ensuring that policies, procedures, and processes are effective and always implemented.
What You Should Learn from the Equifax Data Breach
The Equifax data breach may have been the hot topic in the news for weeks, but data breaches are a long-term concern. In fact, a 2014 breach of Altaba, Formerly Known as Yahoo!, resulted in personal data relating to hundreds of millions of user accounts being stolen.
There are plenty of lessons gathered from the Equifax data breach including the lessons that legacy systems aren’t enough in modern times, and that security risk assessments should be conducted often. Yet organizations who don’t act upon these lessons are just as susceptible to a breach or leak happening to them.
Vault Verify is trusted by companies of all sizes to provide fast, secure, and reliable data 24/7. As the industry-leading technology platform that securely automates requests for verification of employment and income for FREE, we ensure employee data privacy and will never share your data with any unauthorized parties.
It’s time that you take your employee data seriously and reduce company liability. Contact us today to learn more about how our real time API integration eliminates file feeds and data storage for a 99% reduction in data exposure.