The Equifax breach isn’t the largest data breach, but it is one of the most troubling because of its massive scope, the nature of the information stolen, and the absolutely awful way in which it has been handled.

While Hurricane Irma dominated the national news late last week, a man-made disaster unfolded in the background as credit reporting giant Equifax disclosed that hackers had breached its website and accessed the personal identifying information (PII) of 143 million Americans, including Social Security Numbers, dates of birth, address and employment information and, in some cases, credit card numbers. In terms of the number of people impacted, the Equifax breach is not the largest in history; that dubious distinction is held by Yahoo. However, it may end up being the most destructive due to the particularly sensitive nature of the compromised information and the fact that it impacted about half the U.S. population. Once minor children and other people who do not have credit histories are excluded, the picture becomes even bleaker. The Equifax breach may have compromised the PII of anyone living in the U.S. who has ever had a credit card, a car loan, a mortgage, a lease, or anything else that involves a FICO score.

Meanwhile, a group of hackers who claim to be behind the Equifax breach have demanded a Bitcoin ransom of approximately $2.6 million in exchange for not publicizing the data.

How has Equifax responded to all of this? By doing … well, pretty much everything a company shouldn’t do after a data breach, especially one of this magnitude.

Equifax Breach Response: A Case Study in What Not to Do

As bad as this hack was, Equifax’s response to it has been even worse. Their actions have been so galling that members of Congress are demanding hearings to investigate the breach and Equifax’s poor handling of it. Here are some of the highlights:

• Equifax first discovered the breach on July 29, after the hackers had been in their system for about a month.
• In the days following the discovery, three senior Equifax executives sold approximately $1.8 million in shares. The company claims that said executives were not aware of the breach.
• The victims had to wait until early September to find out about it. Not only did Equifax wait several weeks to disclose the breach, but they also made their announcement while the nation was transfixed by Hurricane Irma, which was barreling towards Florida and prompting one of the largest mass evacuations in history.
• The website that Equifax set up for victims to determine if they were part of the breach was so poorly constructed – complete with gaping security holes – that many visitors thought it was a phishing attempt.
• This same website appears to double as a marketing vehicle for Equifax’s own credit monitoring service. The company is offering a free year’s subscription to the victims, which begs an obvious question: If Equifax itself couldn’t keep victims’ data secure, why in the world would they trust the company’s “credit monitoring” service?
• Rather than taking responsibility for the hack, Equifax is seeking to pass the buck, blaming a vulnerability in open-source server framework Apache Struts, even though there is currently no evidence that Struts was the source of the breach.

How bad do things have to get before we take cybersecurity seriously?

Another reason why the Equifax hack is so much worse than the hacks at Target, Yahoo, Verizon, Anthem, and other private-sector companies is that while consumers can choose to stop patronizing those other companies, they have no choice but to have their data handed over to Equifax. There is currently no way for consumers to “opt out” of having their personal and credit data aggregated by Equifax and its competitors, Experian and Trans Union. Even if there were, the modern economy runs on credit; without a FICO score, Americans cannot obtain car, home, or student loans, be approved for rental leases or, in some cases, find a job.

Equifax’s response to this hack has been inexcusable. So is the fact that the breach happened in the first place. If any company needed to practice proactive cybersecurity rooted in sound governance, risk, and compliance, it was Equifax. Equifax does not collect PII as a consequence of doing business; collecting PII is its business. As the old saying goes, with great power comes great responsibility, and Equifax has failed miserably in its responsibility not only to American consumers but also the entire nation.

The Equifax breach is going to end up affecting all Americans in one way or another. Will this be the breach that finally wakes businesses and individuals up and prompts them to realize that cybersecurity is now everyone’s responsibility? Let’s hope so, because we absolutely do not want to see a cyber attack that’s even worse than this one.

The cybersecurity experts at Continuum GRC have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cybersecurity programs.

Continuum GRC is proactive cybersecurity®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards. 

How RegTech Simplifies Governance, Risk, and Compliance

Complying with standards such as HIPAA, PCI DSS, FISMA, and SSAE 16 SOC reporting is complex, costly, and time-consuming, especially for organizations that must comply with multiple standards. You may have heard the term “RegTech” mentioned as a solution. What is RegTech, and how can it help your organization save time, money, and hassle?

RegTech refers to software solutions, usually delivered in the cloud, that automate governance, risk, and compliance processes. Continuum GRC’s proprietary IT Audit Machine (ITAM IT audit software) is an example of a RegTech software solution. In the finance industry, RegTech is often thought of as a subset of FinTech. However, RegTech has applications in every industry, from healthcare to ecommerce to SaaS and cloud providers.

3 Benefits of Using a RegTech Solution for Compliance

Lower Costs

Perhaps the biggest advantage of implementing a RegTech solution is the cost savings. Compliance is not a business driver; it is a business cost. Not only do RegTech solutions directly save organizations money by eliminating “audit anarchy” and making the compliance process less expensive and more efficient, they also free up internal IT staff to work on projects that benefit the organization’s daily operations and long-term goals, fostering innovation and driving profits.

Greater Insight into Your Data

Many organizations still use Excel and other spreadsheet programs for assessment and audit work. However, Excel performs poorly when used for this purpose; it has limits on space, accessibility, presentation, sustainability and formatting and was not meant to be used to analyze very large, complex data sets. RegTech solutions such as the ITAM IT audit software eliminate “spreadsheet madness” and organize data to give you clear visibility into your organization’s key risk indicators, assessment results, and compliance initiatives, with integrated reporting of self-assessments, manual assessments, and automated controls.

Peace of Mind

There is a severe shortage of cybersecurity and compliance professionals. Most organizations simply do not have the in-house expertise to interpret the complex requirements of industry and regulatory standards, particularly since they are continually shifting to respond to the evolving threat environment. For example, the PCI Council just released a 64-page guide updating PCI DSS best practices for ecommerce that stresses, in great technical detail, the upcoming required migration to TLS 1.1+. A RegTech solution cuts through the noise, takes the guesswork out of compliance, and ensures that organizations are always up-to-date with the latest standards, saving you from sleepless nights, wondering if your company is compliant.

RegTech in the “Era of Deregulation”

The recent election of President Donald Trump, whose campaign emphasized deregulation, has caused some experts to question the future of RegTech. However, even in a post-Trump world of relaxed regulations, RegTech will remain relevant. Consider the following:

• The political pendulum will ultimately swing in the other direction. Just as President Trump quickly obliterated many of former President Obama’s policies with the stroke of a pen, the president and Congress who follow Trump could immediately reinstate everything that was abolished during Trump’s administration.
• Individual states may respond to federal deregulation by establishing their own compliance standards, which could end up being more stringent.
• Privately established industry standards will remain in place regardless of what the president or Congress do. For example, PCI DSS is not a piece of legislation. It is a set of standards the major credit card providers require merchants and processors to follow in exchange for the privilege of accepting their cards.

It’s also important to note that RegTech isn’t just about compliance. RegTech solutions have multiple governance and risk management applications that will never lose their relevance, especially in today’s threat environment. For example, in addition to compliance and audit management, Continuum GRC’s ITAM IT audit software:

• Integrates your IT governance, policy management, risk management, and incident management so that your security protocols and policies are always aligned with the current threat environment.
• Enables an automated and workflow driven approach to managing, communicating, and implementing IT policies and procedures across the enterprise, ensuring consistency across departments, divisions, and locations.
• Provides an integrated and flexible framework for documenting and analyzing IT risks, developing mitigation plans, defining security controls, and managing ongoing risk assessments so that you can anticipate new and emerging threats and stop them before you are hacked.

Perhaps most importantly, most compliance standards are, at their core, common-sense cybersecurity best practices. Your customers want to know that their data is secure, and they will be hesitant to do business with your company if they do not have that assurance. Even if certain data privacy and reporting regulations are officially done away with, many organizations may choose to keep complying with them anyway, simply because their customer base demands it.

The cybersecurity experts at Continuum GRC have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cybersecurity programs.

Continuum GRC is proactive cybersecurity®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.