While reading an article on Wired discussing the Equifax breach and the amazing depths of incompetence which led to it, I had a moment of deja vu. The article mentions that the Apache Struts vulnerability which was exploited is easily patched, and continues to cover the fuster-cluck of misguided actions Equifax has taken since they realized they were hacked. Suddenly, I realized something. The real reason Equifax has so severely mishandled everything about this incident is probably because key executives do not see their company through a digital mindset.
I have seen this before. I know a company with a similar problem in that the owner and CEO (same person) does not grasp the fact that his company is a software company, not a service company, even though all the “service” being provided is delivered to users through web-based tools and iOS apps. In fairness, the company in question has been around for forty years and once-upon-a-time they did do everything on paper. But those days are long since passed, and now the entirety of the product delivered to their customers is handled via the Internet. All submissions, transmissions, searches, etc., performed by their customers are done online. And still, the core members of the administration think in terms of paper and phone calls.
Equifax is most likely in a very similar metaphorical boat. If we assume that the C-suiters (CEO, CAO, CFO, etc.) at Equifax are still thinking that they are a financial company, a lot of the misjudgements Equifax has committed leading up to and in the wake of this mishegoss start to make sense. I suspect that key members of their executive staff can barely use email, whether or not they have smartphones and Twitter accounts.
Because these key executives don’t understand technology, they most likely dismissed any requests by their technical underlings for resources and/or policies that would have prevented this entirely avoidable breach. The way things are looking right now, the company may not survive the aftermath. Equifax stock prices have dropped almost 50% since September 7, and I’m guessing they won’t start going up any time soon. There is blood in the water, and the sharks are getting frisky.
Equifax is hardly unique. If anything, they are pretty much the norm, and criminals have figured out that this disconnect between corporate executives and their techie worker bees means lots of opportunities for all kinds of cybercrime. But don’t take my word for it. Look at the increase in cybercrime globally. Not only is the amount of cybercrime on the rise, but the variety of cybercrime continues to expand.
What I hope will happen is that Equifax will be a long-overdue wake-up call to the C-suites around the world. Business as usual has changed, and any business that doesn’t take data and information security seriously could wind up like Equifax, all over the front pages and headlines for all the wrong reasons. The traditional hostilities between business and security folks are damaging to any organization that wants to prosper in this highly-digitized world. If nothing else, the failures at Equifax highlight just how damaging those hostilities can be.
The solution, however, isn’t an easy one. Simple, sort of, but not easy. Those of us who are information security professionals need to stop belittling and antagonizing our less technical colleagues. Business professionals and executives need to recognize that their security staff really does have the best interests of the company in mind. Basically, everyone needs to start playing together, acknowledging the validity of our differing perspectives and listening to the “why” behind them. Together, we need to find a way to make our technology work for our users, instead of the other way around.
In the end, Equifax has become a cautionary tale, but not just about the technical aspects of what went wrong. The data breach was completely avoidable, and had there been a more cooperative relationship between the business and tech segments within the company, it probably would have been avoided.