As I watch the Equifax scandal unfold, it becomes clear to me that many are at a loss of what to do, or even how to think about this data breach. The first reaction people have is centered on if they, their friends, or family were personally impacted. Rightfully so. For some advice on what you can do to protect your identity, read my recent blog, Equifax Data Breach: How to Protect Yourself.
In addition to the personal reaction, however, I would call on all employers to consider how this breach, and future breaches, could affect their business. Contrary to popular belief, the answer to avoiding the consequences of this breach has nothing to do with technology. The weakest links right now are people, processes, and procedures. First and foremost, your business is comprised of people—people who have access to sensitive information from bank accounts to what gets published on your website—people whose identity is now at risk of being stolen.
Hackers will always go for the lowest hanging fruit with the most bang for their buck. Finding weaknesses in a corporation’s technology is time consuming. But with the information gained from the Equifax hack, it is now exponentially easier for identity thieves to impersonate those with access to sensitive information and authorize fraudulent actions that could do immense damage to your company, from both a financial and reputational perspective.
The answer to protecting your company from these damages is actually quite simple, and will cost you absolutely nothing. You have to rewrite your processes, or playbooks if you will, of how you protect your employees and authenticate sensitive activities both internally and through your third-party vendors.
Playbook One: Take care of your employees
The first step is to take care of your employees. With 143 million U.S. consumers affected by this hack, the chances are about half of your employee base is affected.
The sheer awareness of this data breach and its extreme potential consequences is enough to induce a great deal of anxiety in your employees and to reduce productivity significantly. Ultimately, the only way you can ensure that your business is running smoothly, and that your customers are getting the service they deserve, is to alleviate your employees’ anxiety.
The best way to do this is to educate them on what this breach means for them, and what they can do to protect themselves. Direct them to articles outlining the difference between credit monitoring, fraud alerts, and credit freezes. Give them recommendations on which option is best and the next steps to pursuing that option.
Another way to alleviate your employees’ anxiety is to encourage them to get identity restoration support, or better yet, offer it to them through the company. Knowing that even if they are victims of identity theft, they’re covered provides a huge sense of relief.
I have already written this playbook outlining what American consumers should be doing to protect themselves after this breach. Feel free to read the article here.
The benefits of writing this playbook are manifold. Your employees will feel safe and secure enough to focus on their work. Taking demonstrable steps to help your employees protect themselves and their families will also improve company culture and inspire your employees to look out for your best interests in return.
Playbook Two: Change Internal Authentication Procedures
The next step is to change how sensitive requests and actions are authenticated internally. With a flood of SSNs, birthdates, drivers’ licenses, addresses, and names now on the market, it’s no longer effective or prudent to authorize these actions based on this information.
Banks have gotten better at rewriting this playbook. You may have noticed that in recent years, banks have switched from asking you questions found in the public domain, to questions only you would know. For example, asking what your first car was isn’t as effective as asking you what your favorite color is because the former can easily be found by identity criminals, while the latter cannot.
Although most companies have been gearing up for years for digital hacking prevention, fewer resources have been put into employee identity theft vulnerabilities. The truth is, if verbal authentication is based on information breached by Equifax, any impersonated employee can have their accounts manipulated, addresses changed, and passwords reset and sent, which bypasses all of your existing digital controls of two-factor authentication and other defenses.
Every company in every industry should be reviewing and changing internal controls to an authorization process that does not involve information that can be found in the public domain, like favorite animal, best friend’s name, first pet’s name, etc.
For example, if you have sensitive equipment or restricted areas at your facilities, how will you prevent identity thieves from impersonating employees to gain access? How do you know you are not authorizing a breach of your data by an impersonated partner or employee authorizing access for change of password assistance or other activities? Your employees’ information is now likely for sale, and the buyers may not only be interested in direct credit card theft, but business espionage, terrorism, and competitor actions, as well.
Playbook Three: Change Third-Party Authentication Procedures
Once you have rewritten your internal authentication processes, you must make sure that all third-party vendors are dealt with similarly. Today, every company is outsourcing one process or another. The fact is, these vendors are dealing with sensitive information and processes that could have an immense impact on your company. As I often say, you can outsource the process, but you can never outsource the risk.
For example, although most companies process payroll electronically, what is there to prevent a phone call to your payroll provider to make administration changes? What information is used to authenticate payroll distributions if provided verbally? There must be a phone protocol that does not rely on information that can be impersonated.
Every company has different impersonation/identity theft risks, but there are some universal questions each company should ask of themselves:
- Who are the key control personnel with security clearances and access to sensitive information?
- What would be the impact if their personal identities were compromised by third parties and used in the workplace against the company?
- What information do you depend upon to authenticate verbally with your third-party vendors, like datacenters that manage your customers’ sensitive data, to issue new ID cards, entrance badges, or changes to personnel records?
- Have you updated your vendor forms for collecting information and data privacy consents including photographic images?
- How will you conduct due diligence on your key suppliers performing a rewrite of their internal control procedures described above?
- How will you monitor their compliance with your new policies and procedures?
The Equifax data breach has redefined operational risk and is a point of no return for enterprise risk management, as every corporation will need to develop an ERM program that can help them answer these questions. For more on the business implications of the Equifax data breach, read my blog Equifax Data Breach: The Point of No Return.
Fortunately, if all authentication processes internally rely on information not found in the public domain, and if all authentication processes of third parties rely on information not found in the public domain, then all of your bases are covered, and you have dramatically reduced the risk of suffering the consequences of identity impersonation.
Tips for rewriting these playbooks
At first glance, rewriting all of your authentication procedures seems a daunting and even impossible task. But in fact, enterprise risk management at its core is designed to achieve this exact goal in a timely and cost-effective manner.
1. The first step is to perform risk assessments. Every company is different and there’s no cookie-cutter way to prepare for the risks of a data breach or identity impersonation. The best way to rewrite these playbooks in a way that best supports your company is to perform risk assessments. Risk assessments will tell you which personnel, processes, policies, and technology need to be taken care of first.
2. While you need to take care of all of your employees, it might be overwhelming to do this all at once. Therefore, you may choose to determine which employees are most critical from a security perspective and what the impact would be if they were to be impersonated, and take care of these employees first.
3. The same goes for your authentication processes. It would be overwhelming to rewrite all process, control, and policy combinations at once, so it’s important to determine the processes and controls that would have the most impact on your company if compromised in order to allocate your time and resources effectively.
4. Remember to repeat steps 1, 2, and 3 above for your third-party partners and customers. Since there are so many vendors and so many internal and external relationship owners, a risk assessment will quickly identify which vendors are higher risk than others for any process, department or function.
5. Document the steps you are taking to protect your company. This way, if a breach occurs, you will be able to prove to regulators that you were aware of the risk and were doing everything you could to mitigate it. In turn, you will be protected from punitive damages and lawsuits due to negligence.
To help get you started, download a copy of our eBook 5 Steps for Better Risk Assessments, or download our free risk assessment template for excel.
Comments
Information Segmentation: why should one computer vulnerability breach nearly every record a firm has?
Ship builders over time came to the conclusion that a ship’s hull should have water tight segments in it. Even though a ship should be designed to have a hull that does not leak, plans for addressing a leak should be implemented just the same. The idea being that with such compartments even gashes in the side of a ship flooding faster than a water pump could remove that flow could only flood part of a ship and a second chance to limp back for repairs is gained.
Where would Equifax be if it had Information Segmentation -- water tight compartments -- limiting the amount of data from leaking? Perhaps it might not have discovered the trivial password for Java Struts put into production in time. Arguably a seasoned captain would be able to detect that vulnerabilities known to exist for 10 years or more should be hardened against normally. But, suppose we simply take the view that water will find the leaky spot even if tomorrow it is not trivial passwords. What cannot be prevented needs to be detected. After that, the foot race to fix it faster than new losses can arrive begins. Do I have a data leak? Can I shrink the amount of available data to lose; like water pumps? Is there a hard limit to the total online data I can lose; water tight compartments?
The SEC has proposed that 60% of firms experience bankruptcy within 6 months of a breach. This number seems to more cleanly apply to small to midsize firms as often larger firms have the financial means to weather the storm. Bigger ships take a bigger hit to sink. Suppose Equifax can survive the storm. Suppose that identity information results in cash losses to Equifax near $3.33/identity and $3.14/credit_card. Equifax survives a cash loss near 477 million USD due to this breach. Equifax's Net Income in 2016 was 495 million. If it were a smaller firm, did not have Cyber Insurance or a full time legal staff to help them reduce their losses over time, perhaps a two year lawsuit period followed by structured payments, then Equifax would be in considerable trouble.