It has been announced that Equifax will pay at least $575 million to settle a variety of federal and state claims related to its 2017 data breach. This amount may be relatively small, especially divided by the 140+ million Americans whose data was lost, not to mention data from non-Americans, but my personal thoughts on the price of my lost data will stay just that - personal. The more important point here is a series of business decisions that, in hindsight, were incredibly unbalanced compared to the risks Equifax faced. 

The Cost-Benefit Analysis

Human beings perform cost-benefit analyses every single day: should you hit that snooze button and risk being late to work? Should you cross before the light changes (or do you even trust the drivers on the road to acknowledge the red light)? Should you have that second piece of cake if you have an upcoming beach trip (almost always yes, because who knows? It could rain the entire week you’re at the beach, and why be miserable twice!)?

Cybersecurity practitioners need to be in the habit of constantly applying this analysis method to tools and solutions implemented in their business, and it’s clear that Equifax’s math didn’t quite match reality. To be clear, this isn’t to beat up on one organization, but to highlight an important lesson we can all use: how to justify risk mitigation spending based on known costs. 

We now have a cost of not taking action (using the low-ball figure of $575 million); in retrospect, what controls might have made sense before this breach?* 

• Check to make sure employees followed through on the patching process - Simple math based on a Glassdoor salary search for “Information Security Analyst” jobs near Atlanta yielded a salary range of $80K-$120K. A patch coordinator making $120K/year would need to work for over 4,700 years to cost $575 million.
• Failure to detect a patch due to automated scanner not configured to check where vulnerable software was used - Again using that $120K figure, an analyst dedicated to the proper use of Nessus or Rapid7 or the like would be a better investment than paying out after a breach.
• Equifax failed to segment its network to limit how much sensitive data an attacker could steal - Glassdoor returned a range of results for network architect, but the most senior sounding position had an upper salary of $211K. At that rate, this Principal Network Architect would need to work for over 2,700 years to cost as much as this data breach. 
• Storing admin credentials/passwords in unprotected plain-text files, and failing to update security certificates - It’s hard not to just use a facepalm emoji here and be done with it, but a good IT security or risk auditor could have caught this. According to Glassdoor, senior auditors with the CISA credential run about $140K in Atlanta, which translates to over 4,1000 years of work compared to $575 million.
• Equifax didn’t detect intrusions on “legacy” systems like ACIS - This one is harder to quantify. The cost & challenges of migrating from a legacy system may simply be too high, but compensating controls should be considered. Legacy systems should be heavily segmented from more modern ones, and additional monitoring put in place for those segments. Again, the cost-benefit analysis should balance the additional costs of network configuration/monitoring and the potential for fines/reputational harm against the value the system generates for the business.

The sum total salary of the first four items is a little under half a million ($483K). At that rate, Equifax could have paid individual employees for over 1,110 years to close these gaps, and it still would have cost less than the fines levied for this data breach. 

*Summary of key failures pulled from the complaint filed with the FTC seeking relief from Equifax’s data breach, available here: https://www.ftc.gov/news-events/blogs/business-blog/2019/07/575-million-equifax-settlement-illustrates-security-basics 

Performing the Balancing Act

Many technologists in the cybersecurity field miss the business forest and get lost in the trees of their tech stack. NGFWs (next-gen firewalls) and AI/ML-powered this-and-that and intelligent EDR tools have their place, but those tools should only be used  if they align with business needs. Matching capabilities to your business needs is crucial - it’s never correct to pick tools solely by the highest price tags or longest feature lists. Equifax’s automated scanner was not configured to check ACIS for vulnerabilities; while the “automated vulnerability scan” box was checked, the tool wasn’t the right fit. 

Many cybersecurity business leaders struggle with legacy systems that, although perfectly functional,  lack adequate security control or monitoring capabilities. Risks evolve over time, and a system that’s a complete black box to your continuous monitoring program is an ever-increasing liability. This is especially true if it has sensitive data, as Equifax’s ACIS did. Business leaders often justify running legacy systems due to the cost or challenges in migrating, but the ever-increasing risk of not migrating needs to be reviewed, as the cost-benefit equation will likely hit a tipping point as regulation and fines increase.

Process & people are often overlooked by both technologists and business leaders in cybersecurity, but we haven’t quite reached the point where the robots can do it all. As was demonstrated during the Target POS data breach, simply getting an alarm from a tool doesn’t automatically mean anybody will take action. The FTC complaint notes that although Equifax issued a patch order, it wasn’t received by the employee responsible for patching ACIS. Indicating a process failure rather than a technology one. 

Data breaches and cyber incidents are tough to quantify, but with each major breach settlement we get more data. Equifax’s reputational harm may not have a dollar figure, but any similar organization should be looking at their cybersecurity spending in light of this $575 million figure. If a fine like that is the result of not spending before a data breach, and there are controls that cost less which could prevent the breach, then it’s a no-brainer to justify.