In case you haven’t heard, last week credit reporting agency Equifax revealed that it incurred a massive data breach over the summer that compromised more than 143 million people.
But while most news outlets are focused on what consumers can do to make sure their information is secure, we thought we’d take a look at the mistakes Equifax made and what corporate treasury and finance professionals could learn from them.
Potential government action
Security professionals criticized Equifax for not tightening up its security after two previous incidents, both of which saw W-2 tax and salary data get stolen. Avivah Litan, fraud analyst for Gartner, said that the company should have had “multiple layers of controls” in place so that if hackers managed to get in, they would be stopped before doing too much damage.
But Equifax did the opposite; instead of tying up loose ends, it apparently did very little to secure its access points. “This was a fairly easily hackable system; it was a low-end security violation,” said Sen. Mark Warner (D-Va.), co-founder of the Senate Cybersecurity Caucus, in an interview with CNBC.
Going forward, companies that store personal information may be forced to implement stronger controls—if they are still permitted to hold that information at all. Sen. Warner indicated that Congress may need to create a “uniform data breach notification standard” and rethink data protection policies so that organizations like Equifax “have fewer incentives to collect large, centralized sets of highly sensitive data” on Americans.
Unfortunately, even if Equifax secures all of its channels this time around, we can probably expect more attacks of this nature in the future. “These credit reporting agencies are basically the Manhattan Project of identity theft, and Soviet intelligence was all over the Manhattan Project,” said Seth Stoppelmoor, MCSE, CNE, CCNA, director of technology at AFP. “I think that a breach every few years is probably almost inevitable. They probably need to think more about damage control than preventing attacks.”
What finance professionals can learn from Equifax
First, if your organization has been hacked, don’t wait to address the weak link, or any other weak spots you find, before you get hit again. When it comes to treasury systems in particular, having a consistent set of controls is absolutely critical.
“Whether it’s your treasury system, your ERP or your FX trading portal, a consistent set of controls needs to be utilized, rather than every system having a different way of logging in—some of which pass the IT sniff test and some that do not,” said Bob Stark, vice president of strategy for Kyriba, in an upcoming AFP Treasury in Practice Guide on payments fraud. “That’s one thing you have to get right, and if you don’t, you’re allowing your systems to be potentially penetrated.”
Next, meet with your employees and make sure everyone is on the same page with your organization’s cybersecurity protocols. As Brad Deflin, president and founder of Total Digital Security, explained at last year’s AFP Annual Conference, companies need to partner with their employees and make them understand that they need to exercise caution wherever they are using a device—not just in the office.
“The Equifax breach reminds us again: cyberrisk is an existential risk,” Deflin told AFP. “The massive breach is an opportunity for governance committees, EAPs, and risk management departments to provide ‘boardroom-to-the-breakroom’ workshops and employee education programs that will drive an understanding of this axiom for the benefit of their personal and professional lives, and in turn drive greater awareness and adaptation across the enterprise.”
A tried-and-true practice for reinforcing cybersecurity protocols is mandating that your employees complete a cybersecurity training program on their own, and then sending them simulated phishing attacks afterward. AFP has applied this method and has had great success. “I don’t expect the training that we’re doing to be perfect, but it’s helped us a lot,” said Stoppelmoor. “I’m amazed at the level to which people are aware of what they’re clicking on now.”
Nevertheless, employees always need to be vigilant. One mistake makes all the training and controls irrelevant. “Human nature is still the most vulnerable part of IT security; even the most diligent employee can have a bad day or get distracted and click on a link. If it’s a zero-day threat, they’re in,” Stoppelmoor said. “A company the size of Equifax has many layers of protection, and they’re still vulnerable to their least cautious employee.”