How much security risk can an organization accept before it’s on very thin ice? The equation is simple: decide how much money it will take to reduce the risk, and how much more money an organization will earn by accepting that risk. Equifax presumably decided that accepting a large amount of risk, in hopes of making a larger amount of money, was a good gamble. In the case of the massive data breach, Equifax lost that gamble badly.
As we now know, the most amazing thing about this utter disaster is that it didn’t need to happen. The breach was completely avoidable. Equifax was compromised through a vulnerability that was discovered and fixed by the vendor months before it was exploited at the company. The solution was a simple security patch. There are three key lessons from a risk perspective that any CISO, CIO, or CFO should take away from this breach.
Too Risky to Patch
Why was the Apache Struts patch not scheduled to be applied? I’ll wager the answer was that business leaders decided the patch was too risky to apply. Even simple patches require people, resources and time to integrate, test and deploy. There is always a risk a patch could take a system offline, which of course could mean a loss in revenue and an increase in operating costs. I would further wager Equifax management will fall back on an excuse to “pass the risk on to the business.” In this well-worn play, executives allow each business unit to determine what risk is acceptable to them, which eventually turns into “the risk of not meeting targets” vs. “the risk of applying the right level of security.” From financial institutions to healthcare, I hear echoes of this same idea first hand. The pain of missing a bonus or a goal is far higher than the intangible risk of being breached. No one is taking the big-picture view on risk.
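The first step in deciding whether a patch is "too risky" is knowing where the unpatched component actually runs. The script below is an added example, not part of this article, that inventories Apache Struts core jars from a list of deployed file paths and flags any whose version is older than a minimum fixed version. The article names no version, so `MIN_FIXED_VERSION` is a placeholder you would set from the vendor's advisory, and the file list is constructed sample data standing in for output of a real filesystem scan.

```python
import re
from typing import List, Optional, Tuple

# Placeholder, not from the article: set this to the version the vendor's
# advisory names as fixed before running against a real inventory.
MIN_FIXED_VERSION = "2.3.33"

# Matches the struts2-core artifact name and captures its dotted version.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted numeric version such as '2.3.31' into a tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator; short versions are padded with zeros
    so that '2.3' compares equal to '2.3.0' and below '2.3.33'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def struts_version_from_path(path: str) -> Optional[str]:
    """Extract the Struts core version from a jar path, or None if the file
    is not a struts2-core jar."""
    filename = path.replace("\\", "/").rsplit("/", 1)[-1]
    match = JAR_RE.match(filename)
    return match.group(1) if match else None


def find_unpatched(paths: List[str], min_fixed: str = MIN_FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (path, version) for every struts2-core jar older than min_fixed.
    Non-Struts jars are ignored rather than reported, so the output is the
    list of deployments that still carry the patching decision."""
    flagged = []
    for path in paths:
        version = struts_version_from_path(path)
        if version is not None and compare_versions(version, min_fixed) < 0:
            flagged.append((path, version))
    return flagged


# Constructed sample inventory (not real hosts); a real run would feed in the
# result of a filesystem or artifact-repository scan.
CONSTRUCTED_INVENTORY = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.3.33.jar",
    "/opt/app3/WEB-INF/lib/commons-lang3-3.5.jar",
    "/opt/legacy/WEB-INF/lib/struts2-core-2.3.jar",
]


if __name__ == "__main__":
    for path, version in find_unpatched(CONSTRUCTED_INVENTORY):
        print(f"UNPATCHED {version:>8}  {path}")
```

The point of padding short versions in `compare_versions` is that a bare `2.3` jar is older than `2.3.33`, not newer; a naive string comparison would get this wrong and silently drop a deployment from the list that business owners are asked to accept the risk for.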
There is an irony here that cannot be ignored. Over seventy-five billion dollars was spent worldwide last year on security products and services, yet breaches keep happening. It does not matter what tools you have if you don’t take the time to understand what risks are involved in running systems that manage massive amounts of sensitive consumer data. For too long, organizations have whittled away at prudent security protocols (like testing, implementing, and monitoring) because they believe the steps will take a chunk out of revenue. Equifax is a perfect case study for this problem: the company had great revenue growth while keeping operating margins almost exactly the same between Q1 2016 and Q1 2017. Yet in the past year, organizations have been hit with some of the most devastating cyber-attacks we’ve ever seen, including ransomware attacks. When a company’s operating margins stay the same, how is it able to beef up its security? The answer is, it probably hasn’t.