Five Lessons from Equifax

The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.

For other businesses, Equifax is going to be a case study — for YEARS — on how not to handle a crisis. Among the reports:

• The company’s leadership ignored warning signs of an issue.
• The warnings were ignored because of a spat with the vendor that flagged the issue.
• The C-suite didn’t inform the board of the known breach – involving HALF of Americans – for three weeks after learning of it.
• The company approved stock sales by several insiders after the problems came to light.
• Etc. Etc.

In other words: the news keeps getting worse.

For companies on the outside of Equifax, what are the lessons to draw? This is a timely exercise to run through: October is National Cybersecurity Month.

1. Lock up your information. This is priority one. It is not, however, enough. All locks can be picked. There has to be a behavioral focus as well.
2. Create a culture that values confidentiality and makes those problems an urgent priority. If your factory shut down, you’d be all over it; an infosec/cyber compromise might be no less urgent. Don’t wait to find out.
3. Have a response plan that goes into effect upon discovery of a problem. Who steps up, what do they do, what do they say, and to whom? Knowing these things in advance, you will be able to act more quickly, and you will be more sure-footed, if you ever face a problem.
4. Communicate clearly and timely. Let appropriate stakeholders know when you discover a problem, and be sure the timing, scope, and substance of those communications takes into effect the potential fall-out of the issue. Employees need to hear. The board needs to hear. The C-suite needs to hear. The public may need to hear. What they hear, and when, and in what order, may depend in part on the incident. But you have the power to tell the story at the beginning. If you tell a bad story, or a partial story, you lose control of the narrative.
5. Security must be a priority from the top down. That is the only way to accomplish #1-4, and that is the biggest lesson of this debacle. It’s clear in hindsight that the company doesn’t have a culture attuned to confidentiality and security. Plenty of people could have made this better, but the collective response — from the outside and after the fact — looks like a big, collective shrug.

In short, cyber and infosec planning cannot be an afterthought: they have to BE your business. And they have to be treated like any operational issue, not like a mere box to check on your list of annual compliance matters. There is no better defense than a good offense. It’s your company: why wouldn’t you protect it? #cyberforgrowth #cyberforbusiness