Article | September 29, 2017

Why Organizations Should Reevaluate Their Cybersecurity Initiatives Following The Equifax Security Breach

Source: VDC Research

By Nick Elia, research associate, enterprise mobility and connected devices, VDC Research


Equifax, a major credit reporting agency, announced at the beginning of September that hackers had gained access to company data that included Social Security numbers, driver’s license numbers, addresses, and other sensitive data for approximately 143 million people in the United States and about 44 million people in Canada and the U.K. This was recorded as one of the largest cyberattacks against one of the big three credit agencies and is the third cybersecurity threat Equifax has encountered since 2015. An astonishing 50 percent of people within the U.S. were most likely affected by this breach, and practically anyone who has a credit report or has run one in the past year most likely falls under this category.

According to an investigation conducted by Equifax and independent security consultants, hackers had been gaining access to the company’s system since about May of 2017 and were able to retrieve credit card numbers for 209,000 consumers and documents with personal information used in disputes for about 182,000 people. Equifax claims that it did not discover the breach until July 29th, once the majority of data had already been taken. Equifax then waited another month to report the breach, and the news was made public on September 7th. Since the security breaches started occurring in 2015, many cybersecurity professionals have questioned the ability of Equifax to improve its security practices and layers of infrastructure to ensure its consumers are protected from any type of identity theft. Moving forward, Equifax should have multiple layers of control so that if hackers do gain access to sensitive data, the company can monitor this and stop them from doing any further damage or accessing additional data. To make things worse for Equifax, three senior executives (the CFO, the President of U.S. Information Solutions, and the President of Workforce Solutions) sold shares worth almost $1.8 million before the security breach was announced to the public. They sold their shares at the beginning of August and claimed they had no prior knowledge of the breach before selling these shares.

In an effort to do damage control since the breach occurred, Equifax has created a website to help customers determine if their data is at risk and will be offering a free year of credit monitoring for customers who were affected by the incident. While this free year of credit monitoring certainly has value for customers and will alert them to possible intrusions, it doesn’t necessarily mean that they are fully protected from identity theft, and from a long-term perspective hackers could still have access to this type of data in years to come. For customers who don’t want to utilize the free year of credit monitoring and are still concerned that their identity is at risk, filing a credit freeze would be the best course of action. A credit freeze essentially blocks creditors from seeing your credit rating, but it also prevents hackers from opening new lines of credit in your name. There is usually a small fee involved with the process that ranges from $0-$15 per bureau, and the freeze will still allow customers to use existing lines of credit. When customers want to open new lines of credit but have a freeze in place, they just need to thaw their credit file, which usually takes about 24 hours but sometimes longer depending on the situation.

Cyber Security Survey Insights
The latest security breach at Equifax has raised serious questions about the types of measures organizations are taking to ensure that sensitive data and information are protected from cyberattacks. In a 2017 VDC survey, 21.4 percent of respondents stated that their organization had been the victim of a data breach or cyberattack, which was an astonishingly high percentage. Organizations are becoming increasingly vulnerable to these types of attacks given the vast amount of sensitive data they have to manage and control, and as seen in the exhibit below, the top three greatest vulnerabilities for cyberattacks among organizations were remote access and mobile devices, connected devices, and networks.

Organization's greatest vulnerabilities for cyberattacks

Moving forward, organizations that deal with highly sensitive data and information need to reevaluate their cybersecurity initiatives and identify specific areas where security can be improved. Implementing company-wide cybersecurity initiatives can often be very difficult for a variety of reasons. In the same survey, 22 percent of respondents cited “Too many emerging and new threats” as the greatest difficulty in implementing cybersecurity, while 10.6 percent of respondents cited the lack of appropriate cybersecurity personnel as the greatest difficulty. Both of these are huge barriers to implementing security initiatives within an organization, but it ultimately comes down to a number of different barriers that are illustrated in the exhibit below, as well as whether or not these organizations are willing to invest a significant amount of money up front to create and sustain these initiatives.

Organizations' greatest difficulty implementing cybersecurity initiatives

For cybersecurity survey data broken down by key verticals, stay tuned for VDC’s 2017 buyer behavior dataset, which includes verticals such as Field Service, Healthcare, Warehousing, Manufacturing, Retail, Transportation, and Direct Store Delivery.

View the 2017 Enterprise Mobility & Connected Devices Research Outline to learn more.