While it may be many months before all root causes of the Equifax breach are revealed, there are actions companies can take today to reduce the probability of meeting a similar fate. Below are three recommendations. They are certainly not an exhaustive list, but they are the ones that most bear consideration as breaches increase in frequency and impact.
Reduce Complexity, Now
Complexity is the enemy of security, and may be the most systemic risk faced by public and private sector organizations in every industry. Complexity is a controllable risk that organizations should not delay in mitigating. The more applications, servers, environments and data an organization maintains, the greater the likelihood that a vulnerability will be exploited by an insider or outsider and that a breach will occur. The irony is that companies with the most complex (and often old and difficult to secure) systems are often the ones accountable for safeguarding the most sensitive data. Set and follow application retirement targets, destroy data that is no longer needed, and avoid maintaining more environments and servers than you need; then measure and celebrate this behavior.
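"Measure" is the part of that advice most often skipped, so here is a small added example (not code from the article or from any company it discusses) of what a recurring complexity review can look like: a script that takes an asset inventory and reports applications past their retirement target, instances still holding data beyond the approved retention period, applications sprawling across more environments than agreed, and a headline footprint figure to trend from quarter to quarter. The inventory records, application names, dates and retention periods are all constructed for illustration.

```python
"""Added example: make complexity reduction measurable from an asset inventory.

Every record below is constructed for illustration; the application names, dates
and retention periods are hypothetical and do not describe any real environment.
"""
from collections import Counter
from datetime import date, timedelta

# Review date, fixed so the report is reproducible (constructed value).
AS_OF = date(2017, 9, 15)

# One record per deployed instance (application, environment).
#   retire_by       committed retirement target, or None if the app is strategic
#   oldest_record   date of the oldest data the instance still holds
#   retention_days  approved retention period for that data
INVENTORY = [
    {"app": "legacy-claims",   "env": "prod",    "retire_by": date(2017, 6, 30),
     "oldest_record": date(2010, 1, 1), "retention_days": 2555},
    {"app": "legacy-claims",   "env": "uat",     "retire_by": date(2017, 6, 30),
     "oldest_record": date(2016, 1, 1), "retention_days": 2555},
    {"app": "legacy-claims",   "env": "dev",     "retire_by": date(2017, 6, 30),
     "oldest_record": date(2016, 1, 1), "retention_days": 2555},
    {"app": "legacy-claims",   "env": "perf",    "retire_by": date(2017, 6, 30),
     "oldest_record": date(2016, 1, 1), "retention_days": 2555},
    {"app": "customer-portal", "env": "prod",    "retire_by": None,
     "oldest_record": date(2014, 1, 1), "retention_days": 730},
    {"app": "customer-portal", "env": "staging", "retire_by": None,
     "oldest_record": date(2017, 8, 1), "retention_days": 730},
    {"app": "payroll",         "env": "prod",    "retire_by": date(2018, 12, 31),
     "oldest_record": date(2015, 1, 1), "retention_days": 2555},
]


def overdue_retirements(inventory, today=AS_OF):
    """Applications whose retirement target has passed but that are still deployed."""
    return sorted({r["app"] for r in inventory
                   if r["retire_by"] is not None and r["retire_by"] < today})


def data_past_retention(inventory, today=AS_OF):
    """(app, env) pairs still holding records older than their approved retention."""
    hits = []
    for r in inventory:
        destroy_by = r["oldest_record"] + timedelta(days=r["retention_days"])
        if destroy_by < today:
            hits.append((r["app"], r["env"]))
    return sorted(hits)


def environment_sprawl(inventory, max_envs=3):
    """Applications deployed in more environments than the agreed maximum."""
    per_app = Counter(r["app"] for r in inventory)
    return {app: n for app, n in per_app.items() if n > max_envs}


def footprint(inventory):
    """Headline numbers to trend over time; fewer is better."""
    return {"apps": len({r["app"] for r in inventory}), "instances": len(inventory)}


def review(inventory, today=AS_OF, max_envs=3):
    """Combine the checks into one report dict suitable for periodic tracking."""
    return {
        "as_of": today.isoformat(),
        "footprint": footprint(inventory),
        "overdue_retirements": overdue_retirements(inventory, today),
        "data_past_retention": data_past_retention(inventory, today),
        "environment_sprawl": environment_sprawl(inventory, max_envs),
    }


if __name__ == "__main__":
    for key, value in review(INVENTORY).items():
        print(f"{key}: {value}")
```

Run against a real inventory export, the `footprint` figure is the number to celebrate going down, and the three finding lists are the work queue for the next cycle.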
It is not unusual for internal dynamics within IT departments to directly contribute to a breach. Where one department is rewarded for delivering projects on time and on budget, another is measured on delivering operational consistency, and a third on minimizing information security risk. It is not uncommon for CIOs to be expected to meet 99.9999% uptime targets, nor is it unusual for an untested patch to bring down an environment. Delaying a patch to ensure that it is adequately tested may delay a project go-live, while deploying it without full testing could result in missing the uptime KPI. This puts leaders in a precarious and virtually impossible conflict, and one that does not always favor information security. Yesterday's metrics for measuring IT's contribution to the business do not reflect today's risks and realities.
Train Users, Test, and Train Again
There are incredible (and free) resources online for businesses and the public. Check out these, as a start:
Looking for measurable results to track over time? There are several highly effective subscription products that businesses can purchase to create sophisticated phishing simulations. Combining this strategy with a solid user education campaign and repeated testing will change user behavior for the better. With National Cyber Security Awareness Month around the corner, now is a great time to reassess your user awareness program and make improvements. If training time is scarce, consider bundling cyber security awareness training with privacy training. As privacy, security and risk are starting to converge in certain areas, aligning training efforts makes sense where possible.
Tone From the Top
While the measures above may appear to be common sense, they involve work and trade-offs. Without visible and sustained support from senior leadership, they will simply not succeed. Reducing complexity, aligning incentives, and improving user cyber security awareness are fundamental steps in creating the cultural foundation that is so critical for a future in which companies may compete as much on their ability to sustain secure and continuous digital transformation as they do on all other fronts combined.