The Chief Information Officer and Chief Security Officer have been replaced. The CFO is busily redoing forecasts and working to mitigate the damage to the company’s finances, even as the stock price – down 38% so far – is not likely to recover any time soon. The CEO is preparing to testify before the US Congress, while the legal department and the board brace for probes by federal and state authorities and a slew of class-action suits that could bankrupt the enterprise.
And people in America are worried sick at the prospect of falling victim to identity theft and other fraud, while consumers in other places, including Asia, wonder about their own personal and financial information, too.
“Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years”
Equifax, the credit reporting bureau that revealed on September 7 that cyber hackers had stolen the data of 43 million Americans, has operations in 15 countries, including Australia, India, Malaysia, New Zealand and Singapore. Equifax says it discovered “unauthorized access to limited personal information for certain UK and Canadian residents,” but has found no evidence that other countries are affected.
For CFOs, who are key members of the risk management committee and often oversee the technology department, this latest cybersecurity breach once again underlines the importance of understanding and allocating resources to their organization’s cyber defenses. They would also be wondering: If a 118-year-old company like Equifax can be hacked, despite presumably investing tens of millions of dollars on security, is there hope for other businesses?
Lesson 1: Complacency is the enemy
They may be overly pessimistic. The technology and systems around data protection can and do work – if those responsible for security are always on their toes. Equifax has said that the hackers exploited a vulnerability in the open-source Apache Struts Web Framework that powers an Equifax web app. This weakness had been identified earlier this year and a security patch offered in March – two months before the hacking attack, which lasted from May 13 through July 30.
Equifax says its security team blocked suspicious network traffic associated with its US online dispute portal web application on July 29. When additional suspect activity continued the next day, the web app was taken offline and the Apache Struts vulnerability was patched before the app was brought back online.
Equifax claims that it was aware of the vulnerability when it was announced and “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.” Those efforts were clearly not enough. “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing,” it says. “The company will release additional information when available.”
The Apache Software Foundation warned against complacency. “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years,” it said in a statement. Apache urges companies to establish a process to quickly roll out a security fix release in a matter of hours or days, not weeks or months.
“Any complex software contains flaws,” it adds. “Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.”
Lesson 2: Report a data breach as soon as possible
Equifax revealed the hack on September 7, six weeks after it first became aware of the intrusion. US law does not yet prescribe a set period for reporting a hacking incident, but Europe’s General Data Protection Regulation, which comes into effect next year, requires that any data breach be reported within 72 hours.
Arguably, Equifax’s decision to wait more than a month before informing millions of consumers that their confidential information had been stolen gave it time to conduct an investigation (it hired cybersecurity company Mandiant on August 2) and finalize a plan of action. But the optics of that delay is horrific, given the scale of the hack and the sensitivity of the data, which included names, birth dates, addresses and Social Security numbers.
Organizations face different threats and vulnerabilities and have different risk tolerances, so the way they design and deploy their security systems will vary too
The delay also gave rise to suspicion that some Equifax executives tried to profit from the incident. On August 1 and August 2, days after the hack was first discovered, CFO John Gamble, Workforce Solutions President Rodolfo Ploder, and US Information Solutions President Joseph Loughran sold Equifax stock valued at nearly US$2 million.
The company conceded that the three men did sell a “small percentage” of their shares, but said they had “no knowledge that an intrusion had occurred at the time they sold their shares.” The stock was trading at around US$146 at the time. It closed at US$92.98 on September 15.
Equifax CEO Richard Smith will surely face brutal questioning on why the company waited so long before reporting the theft when he faces a House of Representatives panel on October 3. There will be many other questioners. The Federal Trade Commission has opened an investigation, and so have nearly 40 US states.
Lesson 3: One size does not fit all
Not all organizations have an online portal web application or collect and store massive amounts of sensitive personal and financial information like Equifax does. The cyber security tools and systems that is appropriate for one company are not necessarily appropriate for another. Organizations face different threats and vulnerabilities and have different risk tolerances, so the way they design and deploy their security systems will vary too.
That’s something that CFOs need to keep in mind because the technology, people and processes needed for effective cybersecurity require money. There are also security and financial issues around keeping things in-house versus outsourcing, on-premise versus cloud, and hiring cybersecurity consultants. One useful resource for thinking this through is the Framework for Improving Critical Infrastructure Cybersecurity developed by the US National Institute of Standards and Technology.
There is basic cybersecurity hygiene, to be sure, such as making sure the company is protected by up-to-date antivirus software and firewalls. Then, depending on the organization’s circumstances, the CFO can consider IT requests to invest in more advanced solutions such as two-factor authentication, anti-ransomware and biometrics – solutions that may be appropriate for financial institutions and healthcare organizations, but perhaps not as urgent for a mid-sized manufacturer of electronics components.
In a recent survey of Asia Pacific companies by enterprise security provider Palo Alto Networks, more than six out of ten were found to have the basic antivirus and firewall infrastructures. Only less than a third have invested in the more advanced solutions. In a way, the findings can be regarded as positive if the reason for not deploying two-factor authentication, for example, is that it is not appropriate for the organization, rather than ignorance or cost considerations.
“Up-to-date technology is critical, but it can all be for nothing if companies fail to recognize and control the risk posed by their people”
Lesson 4: Mindsets are also important
In the same study, 58% of Asia Pacific organizations said they believe that a ‘detect and respond’ approach is more important than prevention. This mindset might require re-evaluation, given the continued prevalence of data breaches in the region, reckons Palo Alto. “Overall, the APAC markets surveyed were unanimous about employees’ lack of cybersecurity awareness being the topmost challenge,” it adds. “Risk from third-party vendors was the second most prominent concern.”
“Cyber threats are not problems you can solve simply by increasing budgets,” says Sean Duca, Palo Alto Vice President and Regional Chief Security Officer for Asia-Pacific. “A good approach to cybersecurity requires the buy-in of business leaders and understanding of the threat landscape so they can help design and implement more effective cybersecurity policies in order to prevent breaches." Employee education must be elevated to the top of the agenda, he adds.
“Up-to-date technology is critical, but it can all be for nothing if companies fail to recognize and control the risk posed by their people,” says Aon, a global risk management company. “People can make mistakes, fall prey to social engineering attacks, or simply act out of malice . . . Educating your staff on their responsibilities, and on the dangers they face, is key.”
“More often than not, it’s human error that lies at the heart of major security breaches,” Aon says. That statement may be proved true in the case of Equifax, if it turns out that the failure to patch the Apache software was the reason the hackers were able to access its servers and steal data.