With the number of data breaches in the United States poised to shatter record highs this year, many people have become numb to news about them. But in early September, Americans learned of a data breach that left them rightfully feeling unsettled, vulnerable, and angry.
The Equifax hack was more severe than most: hackers stole the Social Security numbers, birth dates, and other personal data from as many as 145.5 million people. As more than half the U.S. adult population rushed to discover if their information had been compromised, Equifax’s actions suggested that the company had failed to adequately prepare for such an incident.
Equifax’s lack of foresight underscores the fundamental necessity for all organizations that possess sensitive information to have a breach-incident response plan in place. This plan should involve not only immediate action to detect, minimize, and neutralize the threat, but also damage-control protocols and a well-crafted and thoughtful public response.
Delayed Discovery, Botched Response
Though the hack may have taken place as early as mid-May, Equifax discovered it on July 29. The company then waited six weeks before informing the public. By that time, three Equifax executives had sold a combined $1.8 million in company stock, and identity thieves had a significant head start in exploiting victims’ stolen data.
The steps Equifax took to address the situation and comfort the public – steps which should have already existed in the disaster playbook known as an incident response plan – were woefully inadequate. Among these steps:
- Equifax did not notify affected consumers directly. Instead, the company set up a website where people could check whether their information was among the data compromised, but the site left many with more questions than answers.
- Equifax initially charged customers a fee when they moved to freeze their credit in response. They eventually waived the fee for 30 days after a public backlash.
- Equifax offered a free year of its credit monitoring services. This incensed some breach victims further when they found a provision in the offer that waived their right to take legal action against Equifax for not safeguarding their information. (The company later backtracked.)
- The company’s CEO, Richard Smith, remained silent for days instead of promptly and publicly accepting responsibility.
That Equifax would be targeted by hackers was no surprise to anyone, least of all the company’s executives. This massive attack was the third serious cyber incident at Equifax since 2015. Any observer could see that the company appeared unprepared for how to respond. Unsurprisingly, public reaction to the breach was swift and merciless. “Get Rid of Equifax,” urged the title of one New York Times op-ed.
Response Team, Assemble!
Credit bureaus, banks, hospitals, colleges, insurance companies, telecom providers – these industries and many others store massive troves of personal data. The next breach could happen anywhere. Executives would do well to ask their security team: “What would we do if what happened to Equifax happened to us?”
This is a question for which your organization needs a definitive answer. You can proactively fight back against cyber threats by assembling a strong response team. Each member should know his or her role in responding to a breach.
Members of the team should include:
- An incident response officer (IRO) to oversee the response and serve as a go-between with upper management and any outside parties involved (such as contractors).
- IT personnel to perform damage assessments, isolate compromised components, provide data forensics and recovery, and mitigate damage to end users.
- Legal counsel to gather evidence for future action and take contemporaneous steps to minimize the company’s future liability.
- Public relations staff to craft all public-facing statements regarding a breach (i.e., damage control).
The Action Plan
Employees from all departments need to be trained on what constitutes suspicious activity in their particular area of work, and they must know exactly what they are supposed to do should they spot it. Behavioral and network analytics tools, many of them already widely available, can flag anomalous activity such as an account suddenly pulling far more records than it normally does.
Equifax did not immediately realize it had been compromised. This is common among breaches of all sizes. Data on more than 140 million people was siphoned off over a period of weeks without anyone on Equifax’s security team noticing. Access to a database that large should be carefully monitored, with alerts on unusual query volumes, and the data should be segmented and access scoped so that a successful intruder can reach only a small slice of it rather than the entire store.
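The kind of monitoring the previous paragraph calls for can be surprisingly simple. The following is an added example, not code from the original article or from Equifax: it runs two checks over database audit-log lines in a constructed, hypothetical format (timestamp, account, table, rows returned). The first flags any single query that returns far more rows than that account’s own median; the second sums rows per account per hour and flags accounts that quietly move a large volume in many small queries, the pattern a per-query rule misses. All account names, thresholds and log lines are assumptions for the demonstration.

```python
"""Flag anomalous bulk data access in database audit logs.

Added example, not from the original article. The log format below is
hypothetical and the sample lines are constructed for the demonstration.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample log (hypothetical format: one line per query).
SAMPLE_LOG = """\
2017-05-13T02:00:00Z account=batch_etl table=consumers rows=50000
2017-05-13T09:00:12Z account=web_app table=consumers rows=42
2017-05-13T09:00:13Z account=web_app table=consumers rows=17
2017-05-13T09:01:40Z account=web_app table=consumers rows=35
2017-05-13T09:02:05Z account=web_app table=consumers rows=28
2017-05-13T09:03:11Z account=web_app table=consumers rows=61
2017-05-13T09:03:59Z account=web_app table=consumers rows=19
2017-05-13T09:04:30Z account=web_app table=consumers rows=44
2017-05-13T09:05:00Z account=web_app table=consumers rows=250000
this line is malformed and must be skipped
"""

# Thirty queries of 4,000 rows each within one hour: none looks large on
# its own, but together they move 120,000 rows (constructed "slow siphon").
SIPHON_LINES = "".join(
    f"2017-05-13T11:{i:02d}:00Z account=svc_report table=consumers rows=4000\n"
    for i in range(30)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text):
    """Parse audit-log text into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append(
            {"ts": m["ts"], "account": m["account"],
             "table": m["table"], "rows": int(m["rows"])}
        )
    return records


def single_query_alerts(records, multiplier=20, min_rows=1000):
    """Flag a query whose row count dwarfs its own account's median.

    The baseline is per account, so a nightly batch job that always pulls
    50,000 rows is not flagged, while a web-facing account that normally
    returns dozens of rows is flagged the moment it returns hundreds of
    thousands. The median is robust to the outlier it is meant to catch.
    """
    rows_by_account = defaultdict(list)
    for r in records:
        rows_by_account[r["account"]].append(r["rows"])
    alerts = []
    for r in records:
        baseline = median(rows_by_account[r["account"]])
        threshold = max(multiplier * baseline, min_rows)
        if r["rows"] > threshold:
            alerts.append((r["ts"], r["account"], r["rows"],
                           f"single query returned {r['rows']} rows; "
                           f"account median is {baseline:g}"))
    return alerts


def hourly_volume_alerts(records, cap_rows=100000):
    """Flag (account, hour) pairs whose summed row count exceeds a hard cap.

    This catches exfiltration split into many modest queries, where no
    single query stands out but the aggregate volume does.
    """
    totals = defaultdict(int)
    for r in records:
        hour = r["ts"][:13]          # "2017-05-13T11" from the ISO timestamp
        totals[(r["account"], hour)] += r["rows"]
    return [(hour, account, total, f"{total} rows in one hour (cap {cap_rows})")
            for (account, hour), total in sorted(totals.items())
            if total > cap_rows]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG + SIPHON_LINES)
    for alert in single_query_alerts(recs) + hourly_volume_alerts(recs):
        print(*alert, sep=" | ")
```

On the constructed input the single-query rule fires once (web_app’s 250,000-row query) and the hourly rule fires twice (web_app’s hour containing that query, and svc_report’s thirty 4,000-row queries, which no per-query rule would catch). The batch_etl account is never flagged because its baseline is its own. In production the baseline window would be a trailing period rather than the log being scanned, and alerts would feed a SIEM rather than stdout, but the two rules are the substance.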
If a breach occurs, the IT department will disconnect or block affected services and take custody of any affected workstations and devices. Isolate them from the network rather than powering them off where possible, so that volatile evidence (running processes, open connections, logged-on sessions) is preserved for the investigation. They should contact their internet service provider (ISP) and any external resources and outside partners. The entire company should be notified of any immediate protocols that need to be followed company-wide to address the threat.
Once the immediate threat is dealt with, a full investigation into the extent of the breach must begin immediately. This will require thorough documentation, which should include:
- The system(s) affected
- A list of running processes and any open ports or connected applications
- The origin of the breach
- Malware used (if known)
- The users logged on at the moment of breach
- The location of any remote servers where data may have been sent
Without knowing this information, it’s difficult to learn any lessons that can improve your response in the event of a future incident.
Have your PR department, in consultation with legal counsel, draw up a public response plan. Affected end users should be notified directly of the breach and the extent to which they are affected, and the public face of concern should be the company’s CEO – starting on Day 1. This message should come as no surprise to the CEO if this is an established plan, even if it’s one you never want to use.
To Defeat Them, You Must Think Like Them
Regular testing must be part of any high-quality security plan. Test the preparedness of your response team with a breach simulation exercise.
However, testing your team’s response effectiveness is not the same as testing the security of your systems. Penetration testing by a professional can identify vulnerabilities that could be exploited, like the unpatched flaw in Apache Struts, the open-source Java web framework, that the Equifax attackers used to get in. A fix for that flaw had been publicly available for roughly two months before the intrusion began, so testing must be paired with a patch-management process that actually applies the fixes it finds missing. Discovering deficiencies in a penetration test is far preferable to the alternative.
Effective changes following the fallout of the Equifax breach will almost certainly not come from a congressional investigation. Likewise, hefty fines won’t threaten companies into better protecting customer data in any meaningful way.
Your organization can be different. The call for change must come from inside the house. Self-regulation and a strict, rigorous standard for securing private data must be the new ethos, and a detailed response plan must be implemented, tested, and used when necessary. If this is done effectively – even in the event of a serious breach – you don’t have to emerge as a pariah. You’ll have a blueprint to guide your organization through.
Eric Basu is the founder and CEO for Sentek Global. He’s a former U.S. Navy SEAL Commander who graduated from San Jose State University with a Bachelor of Science in Molecular Biology and holds an MBA from Anderson Graduate School of Management (UCLA).