It has been announced that Equifax will pay at least $575 million to settle a variety of federal and state claims related to its 2017 data breach. This amount may be relatively small, especially divided by the 140+ million Americans whose data was lost, not to mention data from non-Americans, but my personal thoughts on the price of my lost data will stay just that - personal. The more important point here is a series of business decisions that, in hindsight, were incredibly unbalanced compared to the risks Equifax faced.
Human beings perform cost-benefit analyses every single day: should you hit that snooze button and risk being late to work? Should you cross before the light changes (or do you even trust the drivers on the road to acknowledge the red light)? Should you have that second piece of cake if you have an upcoming beach trip (almost always yes, because who knows? It could rain the entire week you’re at the beach, and why be miserable twice!)?
Cybersecurity practitioners need to be in the habit of constantly applying this analysis method to tools and solutions implemented in their business, and it’s clear that Equifax’s math didn’t quite match reality. To be clear, this isn’t to beat up on one organization, but to highlight an important lesson we can all use: how to justify risk mitigation spending based on known costs.
We now have a cost of not taking action (using the low-ball figure of $575 million); in retrospect, what controls might have made sense before this breach?*
The total salary of the first four items is a little under half a million ($483K). At that rate, Equifax could have paid individual employees for over 1,110 years to close these gaps, and it still would have cost less than the fines levied for this data breach.
*Summary of key failures pulled from the complaint filed with the FTC seeking relief from Equifax’s data breach, available here: https://www.ftc.gov/news-events/blogs/business-blog/2019/07/575-million-equifax-settlement-illustrates-security-basics
Many technologists in the cybersecurity field miss the business forest and get lost in the trees of their tech stack. NGFWs (next-gen firewalls) and AI/ML-powered this-and-that and intelligent EDR tools have their place, but those tools should only be used if they align with business needs. Matching capabilities to your business needs is crucial - it’s never correct to pick tools solely by the highest price tags or longest feature lists. Equifax’s automated scanner was not configured to check ACIS for vulnerabilities; while the “automated vulnerability scan” box was checked, the tool wasn’t the right fit.
Many cybersecurity business leaders struggle with legacy systems that, although perfectly functional, lack adequate security controls or monitoring capabilities. Risks evolve over time, and a system that’s a complete black box to your continuous monitoring program is an ever-increasing liability. This is especially true if it holds sensitive data, as Equifax’s ACIS did. Business leaders often justify running legacy systems due to the cost or challenges of migrating, but the ever-increasing risk of not migrating needs to be reviewed, as the cost-benefit equation will likely hit a tipping point as regulation and fines increase.
Process & people are often overlooked by both technologists and business leaders in cybersecurity, but we haven’t quite reached the point where the robots can do it all. As was demonstrated during the Target POS data breach, simply getting an alarm from a tool doesn’t automatically mean anybody will take action. The FTC complaint notes that although Equifax issued a patch order, it wasn’t received by the employee responsible for patching ACIS, indicating a process failure rather than a technology one.
Data breaches and cyber incidents are tough to quantify, but with each major breach settlement we get more data. Equifax’s reputational harm may not have a dollar figure, but any similar organization should be looking at their cybersecurity spending in light of this $575 million figure. If a fine like that is the result of not spending before a data breach, and there are controls that cost less which could prevent the breach, then it’s a no-brainer to justify.