Do you remember that infamous Equifax breach? The one where hackers stole the personal information of 147.7 million US citizens? We wrote a blog post about the incident a few years back.
Whether or not you remember the case, the first thing you should notice that the case is still relevant – almost two years after it was discovered. One of the reasons is that US authorities have taken a stricter approach to data breaches, and now that GDPR has been in force in Europe for over a year, the consequences of a data breach reach beyond the initial public outcry, temporary dip in the stock price and perhaps a couple of IT guys being fired.
Let’s have a look at the Equifax case along with a couple of others by going through some questions organizations should be asking themselves.
1. Harsh fines or risk mitigation?
Authorities on both sides of the pond are handing out fines that have a serious impact on the bottom line of the companies. One recent example is Equifax, which is reportedly facing a hefty fine of $700M for the lack of proper security measures. It has also become apparent that one of the reasons this hack was so successful was that the hackers got ahold of stolen credentials which allowed them to move laterally inside the network and gain access to valuable data. Read more about what this means here.
Another example is British Airways who is likely to be fined £183m for their “poor security arrangements”. Although the proposed figure might still change if and when BA appeals the case, as the fine currently stands, it amounts to 10% of expected net profits of the company.
It also looks like the trend is up, since “Those reporting attacks that cost 10 million USD/EUR/GBP or more almost doubled from last year — from 7% in 2018 to 13% in 2019”, as stated by Security Boulevard.
2. Legal action or even more legal action?
National authorities and regulators are not the only ones who demand justice in breach cases. Companies can also face legal action from local authorities in addition to the fines imposed by governmental regulators, as quoted in this article.
“Equifax has agreed to pay at least $1.4 billion to settle multidistrict litigation brought on behalf of 147 million U.S. consumers and pay millions more to resolve civil complaints brought by the federal government and multiple state attorneys general over its massive 2017 data breach.”
These are not the type of figures you want to be presenting to your shareholders, investors or the general public. Besides, private citizens are becoming more aware of how valuable personal data has become and how important it is for organizations to govern and monitor how it is handled. For example, GDPR allows EU citizens to seek compensation for damages.
3. Doing productive work or spending time on litigating?
All the time the company is under all kinds of scrutiny, it diverts attention and resources from what these companies really should be doing – running their daily operations and concentrating on serving their customers. Instead, they’ve been litigating, settling, hiring lawyers, spending internal time and resources on matters that could have perhaps been avoided by paying a bit more attention to their cybersecurity strategy.
4. Is it a board level topic before or after the risk has materialized?
We believe companies should not leave cybersecurity only at the hands of the IT or even the cyber security teams. Proper cyber hygiene should be a board level topic. The consequences of ignoring these topics always are.
How can we help
We have more than 25 years of experience in the field of cybersecurity, access control and securing data-in-transit. We can help you:
- get rid of ungoverned access methods that might exist inside your organization
- mitigate the risk of lateral movement inside your network where one set of credentials is used to hop between servers (one method of hacking)
- get rid of permanent access credentials altogether and replace them with Zero Trust and just-in-time authentication methods that minimize the risk of privileged credential abuse
Joe Scaff, CEO, Chief Sales Officer
P.S. I highly recommend the ISACA guide on Secure Shell governance and the KuppingerCole Executive view on our product, PrivX®.
