Sen. Nelson to Equifax: You were not the victim, change company attitude
Sen. Nelson suggested a cybersecurity attitude adjustment if corporations hope to restore public trust in the wake of major breaches
In opening today’s Senate Commerce Committee hearing, “Protecting Consumers in the Era of Major Breaches,” Committee Chairman, Sen. John Thune said, “Our nation continues to face constantly evolving cyber threats to our personal data. Companies that collect and store personal data on American citizens must step up to provide adequate security, and there should be consequences if they fail to do so.”
The trouble is the ambiguity of the word "adequate" and the question of to what degree a company actually fails in its responsibility. Yahoo’s former CEO Marissa Mayer offered evidence of the strong security measures that were in place prior to Yahoo being the victim of a massive breach.
In the end, Mayer’s testimony affirmed that, “Even the most well defended can fall victim to these crimes — a nation state attack is not a fair fight.”
Placing the blame on a single individual who failed to properly patch a known vulnerability, though, didn’t bode well for former Equifax CEO Richard Smith, who hoped to position Equifax as yet another victim of cybercrime.
Sen. Nelson wasn’t buying it. Despite testimony from current CEO, Paulino do Rego Barros Jr. — who detailed the efforts Equifax has taken to regain the confidence of the American people — the Florida senator would not accept the claim that Equifax was a victim.
Both Barros and Smith offered apologies to the American people, an effort to recognize (to some degree) that the company’s security practices and policies failed to protect the data they collected.
Senator John Thune, chairman of the US Senate Committee on Commerce, Science, and Transportation, also seemed shocked to learn that there weren’t more tripwires or redundancies in the Equifax systems.
“Those weaknesses have been addressed,” Smith said — the people, processes, and technology.
In addition to the single individual who didn’t patch the vulnerability, the scanning tool Equifax ran did not find the vulnerability, which is why the criminals were able to access the web portal dispute environment.
Now, they’ve upgraded to a new, next generation scanning technology. Barros reported that they have done, “A comprehensive top down review, strengthening all aspects of security including patching capabilities, enhancing and updating tools, and developing stronger policies to have more redundancies.”
To that end, they are using, “Encryption, tokenization, all technologies available,” said Barros.
Yahoo for Yahoo!
Despite being the largest breach ever, Marissa Mayer verified that Yahoo! had invested tremendous resources into their security strategies. The 2016 attack that resulted in 3 billion compromised accounts was, “Criminal state sponsored attacks resulting in certain user information being stolen,” Mayer said.
What differentiates the two organizations is their level of preparedness and how they handled incident response. Under her charge, Mayer had nearly doubled the size of Yahoo’s internal security staff to develop strong processes and layered defense.
Still — Nelson pointed out — despite their engagement with law enforcement that led to a 47 count indictment, Yahoo’s systems were penetrable, but was the breach a failure on their part?
When the senator posed the question, “How could you have protected yourself?” to Mayer, he got the confirmation he was looking for.
“Even robust defenses and processes are not proficient to protect against a nation state attack, especially one that is sophisticated and persistent,” Mayer said.
Expectations beyond adequate
But Nelson couldn’t shake the seeming reality that there is no such thing as data security. “These are sophisticated threat actors. Companies can’t stand up against them,” Nelson said.
Nelson posed the hypothetical scenario where a little fella attempts to purchase a new home but can’t get a mortgage because his credit has been tarnished through no fault of his own.
His point, directed more at Equifax, was to recognize “the real victim” — the poor fella who can’t buy a house because of a sullied credit report resulting from the breach.
Confronting consumer outrage
The Equifax breach was the point of no return, according to Steven Minsky, CEO, LogicManager.
“It’s shocking that 65% of the Fortune 100 companies are using the affected application that opened the door for the Equifax breach. This doesn’t even account for failed patch installs in other applications, which could (and will) cause future breaches,” Minsky said.
Minsky is confident that consumer outrage over this breach will cause a massive shifting of funds and business to those institutions that can demonstrate competent risk management.
In writing about breaches, Minsky said, “They are all offenses of ineffective and negligent risk management, which are preventable with enterprise risk management.”
Regardless of size, companies and consumers alike cannot (as I also mentioned in a recent blog) let Equifax fade from memory. They must understand that their company is likely vulnerable without change.
Toward that end, the first step toward stronger security is for every organization to understand that Equifax is a point of no return. “This is not just another breach,” said Minsky, “it’s a fundamental shift in the risk profile that a corporation is facing.”
It’s time to rethink policies and procedures — to change the corporate attitude about cybersecurity.