As I watch the Equifax scandal unfold, it becomes clear to me that many are at a loss as to what to do, or even how to think about this data breach. The first reaction people have is centered on whether they, their friends, or family were personally impacted. Rightfully so. For some advice on what you can do to protect your identity, read my recent blog, Equifax Data Breach: How to Protect Yourself.
In addition to the personal reaction, however, I would call on all employers to consider how this breach, and future breaches, could affect their business. Contrary to popular belief, the answer to avoiding the consequences of this breach has nothing to do with technology. The weakest links right now are people, processes, and procedures. First and foremost, your business is made up of people—people who have access to sensitive information from bank accounts to what gets published on your website—people whose identity is now at risk of being stolen.
Hackers will always go for the lowest hanging fruit with the most bang for their buck. Finding weaknesses in a corporation’s technology is time consuming. But with the information gained from the Equifax hack, it is now exponentially easier for identity thieves to impersonate those with access to sensitive information and authorize fraudulent actions that could do immense damage to your company, from both a financial and reputational perspective.
The answer to protecting your company from these damages is actually quite simple, and will cost you absolutely nothing. You have to rewrite your processes, or playbooks if you will, of how you protect your employees and authenticate sensitive activities both internally and through your third-party vendors.
Playbook One: Take care of your employees
The first step is to take care of your employees. With 143 million U.S. consumers affected by this hack, the chances are about half of your employee base is affected.
The sheer awareness of this data breach and its extreme potential consequences is enough to induce considerable anxiety in your employees and to reduce productivity. Ultimately, the only way you can ensure that your business is running smoothly, and that your customers are getting the service they deserve, is to alleviate your employees’ anxiety.
The best way to do this is to educate them on what this breach means for them, and what they can do to protect themselves. Direct them to articles outlining the difference between credit monitoring, fraud alerts, and credit freezes. Give them recommendations on which option is best and the next steps to pursuing that option.
Another way to alleviate your employees’ anxiety is to encourage them to get identity restoration support, or better yet, offer it to them through the company. Knowing that even if they are victims of identity theft, they’re covered provides a huge sense of relief.
I have already written this playbook outlining what American consumers should be doing to protect themselves after this breach. Feel free to read the article here.
The benefits of writing this playbook are manifold. Your employees will feel safe and secure enough to focus on their work. Taking demonstrable steps to help your employees protect themselves and their families will also improve company culture and inspire your employees to look out for your best interests in return.
The next step is to change how sensitive requests and actions are authenticated internally. With a flood of SSNs, birthdates, driver’s licenses, addresses, and names now on the market, it’s no longer effective or prudent to authorize these actions based on this information.
Banks have gotten better at rewriting this playbook. You may have noticed that in recent years, banks have switched from asking you questions found in the public domain, to questions only you would know. For example, asking what your first car was isn’t as effective as asking you what your favorite color is because the former can easily be found by identity criminals, while the latter cannot.
Although most companies have been gearing up for years to prevent digital hacking, fewer resources have been put into employee identity theft vulnerabilities. The truth is, if verbal authentication is based on information breached by Equifax, any impersonated employee can have their accounts manipulated, addresses changed, and passwords reset and sent out, which bypasses all of your existing digital controls, two-factor authentication and other defenses included.
Every company in every industry should be reviewing and changing internal controls to an authorization process that does not involve information that can be found in the public domain, like favorite animal, best friend’s name, first pet’s name, etc.
For example, if you have sensitive equipment or restricted areas at your facilities, how will you prevent identity thieves from impersonating employees to gain access? How do you know you are not authorizing a breach of your own data when an impersonated partner or employee asks for password-reset assistance or other access changes? Your employees’ information is now likely for sale, and the buyers may not only be interested in direct credit card theft, but in business espionage, terrorism, and competitor actions as well.
Once you have rewritten your internal authentication processes, you must make sure that all third-party vendors are dealt with similarly. Today, every company is outsourcing one process or another. The fact is, these vendors are dealing with sensitive information and processes that could have an immense impact on your company. As I often say, you can outsource the process, but you can never outsource the risk.
For example, although most companies process payroll electronically, what is there to prevent a phone call to your payroll provider to make administrative changes? What information is used to authenticate payroll distributions if it is provided verbally? There must be a phone protocol that does not rely on information that can be impersonated.
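As an added illustration, not code from the original post, here is the kind of help-desk and vendor-line verification policy the preceding paragraphs argue for: answers built on the attributes the breach exposed count for nothing, and account-control or payroll changes need two independent channels. The action names, factor names and sample calls are constructed for the example.

```python
# Help-desk verification policy (added example, not from the original post).
# Rule from the post: an answer built on data exposed by the Equifax breach
# proves nothing, so sensitive requests need channels the caller cannot have bought.
# Action and factor names are constructed for illustration.
from dataclasses import dataclass, field

# Attributes the post lists as exposed; a KBA answer resting on any of them is void.
BREACHED_KBA = {"ssn", "dob", "address", "drivers_license", "full_name"}
# Factors the help desk may count. "kba" counts only when every field recited
# is outside BREACHED_KBA (a secret agreed at onboarding, not a credit-file fact).
ACCEPTED_FACTORS = {"callback_number_on_file", "manager_confirmation",
                    "shared_passphrase", "kba"}
# Requests that move control of an account or money need two independent factors.
HIGH_RISK_ACTIONS = {"password_reset", "address_change", "payroll_deposit_change"}

@dataclass
class Request:
    action: str
    factors: list = field(default_factory=list)        # channels the caller satisfied
    kba_fields_used: set = field(default_factory=set)  # attributes recited for "kba"

def valid_factors(req: Request) -> set:
    """Factors that still carry assurance after discounting breached data."""
    valid = set(req.factors) & ACCEPTED_FACTORS
    if "kba" in valid and req.kba_fields_used & BREACHED_KBA:
        valid.discard("kba")
    return valid

def evaluate(req: Request) -> dict:
    """Approve/deny, and flag the impersonation pattern the post describes."""
    valid = valid_factors(req)
    needed = 2 if req.action in HIGH_RISK_ACTIONS else 1
    # A high-risk request backed by nothing but public facts is the path that
    # sidesteps two-factor controls; route it to the security team.
    suspicious = req.action in HIGH_RISK_ACTIONS and not valid
    return {"approved": len(valid) >= needed,
            "valid_factors": sorted(valid), "suspicious": suspicious}

# Constructed sample calls; the first is the one the post warns about.
SAMPLE_CALLS = [
    Request("password_reset", ["kba"], {"ssn", "dob", "address"}),
    Request("password_reset", ["kba", "callback_number_on_file"], {"ssn"}),
    Request("payroll_deposit_change", ["shared_passphrase", "callback_number_on_file"]),
    Request("view_pto_balance", ["kba"], {"badge_number"}),
]

def flagged(calls) -> list:
    """Actions a SOC analyst should review, in the order received."""
    return [c.action for c in calls if evaluate(c)["suspicious"]]
```

The second sample shows the important edge case: a caller who recites an SSN and also passes a callback gets the callback credited but not the recited data, so a password reset still falls one factor short.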
Every company has different impersonation and identity theft risks, but there are some universal questions each company should ask itself:
The Equifax data breach has redefined operational risk and is a point of no return for enterprise risk management, as every corporation will need to develop an ERM program that can help them answer these questions. For more on the business implications of the Equifax data breach, read my blog Equifax Data Breach: The Point of No Return.
Fortunately, if all authentication processes internally rely on information not found in the public domain, and if all authentication processes of third parties rely on information not found in the public domain, then all of your bases are covered, and you have dramatically reduced the risk of suffering the consequences of identity impersonation.
At first glance, rewriting all of your authentication procedures seems a daunting and even impossible task. But in fact, enterprise risk management at its core is designed to achieve this exact goal in a timely and cost-effective manner.