Equifax Should Change How You Think About Incident Response

“Collaborative harmony” likely isn’t the first thing that comes to mind when wrapping your head around Equifax’s 2017 cybersecurity breach. This month, the consumer credit reporting agency says its security failings exposed 2.4 million more Americans’ names, social security numbers and driver’s license numbers than the estimated 145.5 million we knew about last year. It’s potentially the most threatening data breach in American history.

As a recent piece in CSO Online reports: “Those who hoped that the US Securities Exchange Commission would impose tougher rules (and consequences for breaking them) around reporting breaches will be disappointed.” Although the SEC’s newest set of recommendations for cybersecurity risks released in February says companies must disclose risk, there isn’t language in the current guidelines saying what happens when a company fails to meet these regulations.

But some good may come of it. The Equifax breach’s obvious downside is that millions of people had their identities compromised and are still dealing with the uncertainty and ulcers that come with that, but the upshot is that public outcry will undoubtedly mandate changes in the law requiring punishments be named. SEC Chairman Jay Clayton released a statement in late February estimating we may even see yet more SEC guidelines (in addition to last month’s) implemented this year – even though criminal prosecution of the company or any of its executives is still unlikely.

In the meantime, companies need to step up without regulatory prompting to improve operational resilience through a more collaborative incident response process. As Ernest Badway, co-chair of the securities industry practice at Fox Rothschild LLP told CSO Online, “All [the guidelines] say is that everyone knows it’s important to have policies, procedures, and a plan in place for when something’s going wrong, and that people shouldn’t be trading on information if they know it’s been a hack… There’s no bite.”

Rather than wait to be bitten by the law or hackers, there’s the opportunity to use these scandals as a wake-up call for more collaboration inside your company and across teams. Security and risk management leaders overseeing information security should establish and agree to a common framework for setting incident response priorities based upon business impact by aligning response priorities to business objectives. You should create an agreed-upon operating model between teams throughout the incident response process, with transparent collaboration emphasized throughout.

If you have been attacked, determine the resources that should be used in the incident response process that can be shared by security, infrastructure and operations teams. You should use the post-incident phase to evaluate what worked well and where improvements can be made. For example, your incident response process should go beyond simply securing the perimeter, since the lifeblood of the modern enterprise is corporate data. Your intellectual property makes up 80 percent of your company’s value. This data flows in and out of your organization, so develop a “data-centric” incident response approach that sees and secures every version of every file on corporate endpoints.

If you don’t have an incident response protocol in place, the worst time to try to put one in place is after a breach when you’re busy investigating and also restoring the availability of key systems and services for business users. With a data-centric incident response plan in place, security teams can focus on remediating the threat while IT keeps the business moving forward.

Although there aren’t yet dire regulatory consequences for these breaches, there’s also no penalty for working well with others. In an age where infosecurity breaches are only becoming more common and sophisticated, there’s no better leg up on the competition than to be prepared.

Forrester Business Technology Resiliency Matters More Than Ever

Leave a Reply

Your email address will not be published. Required fields are marked *