In September 2017, Equifax disclosed a data breach that exposed the personal information of approximately 147 million people. The investigation highlighted several security lapses that allowed attackers to enter systems considered secure and exfiltrate terabytes of data. Six years later, Equifax’s Business Information Security Officer (BISO) Michael Owens says the credit reporting agency has become stronger, more resilient, and more secure. He shared key learnings from the breach at our recent GDS Group Security Summit.
In Brief:
- Cyber-attacks are underreported because of embarrassment and shame; the stigma needs to be removed
- Better collaboration with the federal government and regulators
- Empowering developers
- Simulation and training
- Collaborating globally within the security industry
Remove the Stigma
According to the US Justice Department (DOJ), only one in seven cybercrimes is reported, which means over 85% of cybercrime goes unreported and stays hidden inside organizations. Owens told our security audience, “we know that often, ransomware attacks, cyber-attacks are underreported and the main reason is the shame, the reputational risk that comes along with it, the idea that you and your company failed, that you were asleep at the wheel.”
Owens added that this must change. “When companies don’t share information, therein lies the biggest problem, because we know that these attacks are worked out in a methodical method where they move through industries, they move through companies, so the sooner someone says something the faster mitigation can occur.”
Culture Change
Removing the stigma of a cyber-attack requires a culture change within every organization. Owens says it starts by not blaming the individual whose mistake may have led to the breach: “there are people putting the company at risk, a lot of times just trying to do their job, nothing malicious, but we must work on culture and one of the hardest things to do is transform culture.”
“It’s important to acknowledge that there are a lot of bad actors out there and inevitably there are ways to wreak chaos, so we can’t blame the employee, we must blame the bad actors and then it’s on everyone to mitigate and report those attacks.”
-Michael Owens, Equifax
Better Collaboration with the Federal government and Regulators
Owens says the federal government has been more active recently and is working better with organizations on cybercrime, but added, “companies should be reaching out to the FBI before a breach occurs so that when it does happen the FBI can be a resource, but from a regulatory aspect it seems the hammer has come down on us, although when you look at it from another perspective it allows you to have more tools, it allows you to go to your senior executives and get that additional funding and have more oversight.”
Empower Developers
To ensure development teams are using safe and secure versions of open-source components in their software projects, Owens offered three tips at the GDS Security Summit:
- Make sure you have an SDOC policy in place
- Ensure part of your security staff is embedded in development to understand their process and how they work
- Empower developers by giving them the tools and support to understand the security culture and take some control over their own destiny when it comes to acting securely at speed
Simulation and Training
Equifax now has a better understanding of its business landscape and is using that to build out security policies that make sense. Bad actors are increasingly using business-style attacks, mimicking the activities of a CEO or CFO to trick employees. Owens added that the big challenge here is realistically simulating those attacks, but the lessons from the simulations help employees be better prepared.
Moving Forward After a Breach
Owens says that after the 2017 attack they decided as a company to own it, learn from it, grow from it, and share with others. Owens added, “there are tons of challenges, from acquiring certifications to rebuilding trust with customers, from dealing with the media aspect of going through this very large security incident, but the focus for us was changing the culture of our company. You can’t go back in time and change what happened, but you can change your attitude. We put good policies in place, putting culture first and foremost, not being ashamed of what happened and not just focusing on prevention but taking the time to talk about what’s going to happen during the attack and most importantly what’s going to happen afterwards. I think as a community we can be resilient in understanding that these are challenges that we all face and the more we’re willing to share with each other about those challenges the better off we all will be.”
Conclusion
The BISO from Equifax offered that every organization that suffers a breach needs to work with the wider security community to make every organization stronger: “when one of us is attacked we all feel the pain of that; when we collectively come together to stop attacks, we all get better.”
GDS Summits are tailored three-day virtual conferences that bring together business leaders and solution providers to accelerate sales cycles, industry conversations and outcomes. For the Security Digital Summits, 88% of solution providers said the overall experience of the Digital Summit they attended was Above Average or Excellent, and 88% of solution providers said they would be interested in sponsoring future events.
Continue the debate at GDS’ Security Digital Summits where we bring together senior security executives who are actively seeking to share, learn, engage, and find the best solutions.