What we learned this week from the news is that, even after that catastrophic breach that Equifax had where the credit histories and records of over 145 million Americans were exposed to attackers, the entire board was re-elected. Let’s sharpen that a bit – they were re-elected by shareholders after recommendations against that course of action by two different proxy advisers as cited by Bloomberg. So to recap, after one of the worst worst-case scenarios ever, there are virtually no consequences.
Revisiting Breach Assumptions
This article isn’t about judging Equifax and what they did or didn’t do right. I make it a point of not attacking victims. This post is about the bigger picture, and frankly asking the right question. The real question – after all the public outcry and congressional testimony – is, “What’s going on?”
I’ve been thinking about this because at one point I was seriously expecting news coverage of an angry mob with pitchforks and torches to show up at Equifax corporate headquarters. The news was brutal. Commentary from “security experts” was worse. Congress called their CEO before an inquiry panel and grilled him.
Then nothing happened. Literally, nothing happened.
After the Sony breach many of my peers thought – this is it, Sony’s finished. Wrong. Now after the Equifax breach, those same peers and more all cried – this is it, Equifax is finished. Wrong again. If you’re wondering what it’s going to take to really have a massive negative impact on an organization after a massive data breach – you’re not alone. The reality is even I’m a little bit uneasy with how quickly this one faded away with absolutely no negative consequences.
So I’ve thought about this and spent significant time trying to understand what’s going on. Unfortunately, the best answer I’ve come up with is that I don’t know. This feels like a confluence of confusion, lack of understanding, and apathy. People just aren’t feeling the pain in large quantities. Identity theft is rampant, or so I hear, but it’s not impacting enough people where they can point to the Equifax incident or any other breach as the definitive cause.
A System Severely Bent But Not Broken?
It feels like things are absolutely broken, but broken to just that point where the system can tolerate it. We have zero fraud liability as a standard on most financial services accounts (credit cards, savings, checking, etc.), and identity theft protection is something we’re mostly used to having. Credit card companies are getting amazingly good at detecting fraudulent transactions. The system is resilient. Scary levels of resilient.
So while I can’t explain the quirks of our system, or why I think it tolerates breaches so well… it hasn’t fallen over in the cavalcade of worst-case scenarios we’ve had over the last few years. What is that telling us? I have some ideas, as you’d expect, for security professionals…
- Stop selling FUD, because in the worst worst-case the world didn’t explode.
- Loss of reputation, as a reason for spending money, is probably not the big stick you’re looking for to get your point taken.
- Proportionality matters. Remember that there are consequences, and real people’s privacy and safety could be on the line, but act proportionately to precedent.
- Adjust your risk models accordingly. IE – What is our new definition of “worst case”?
Good luck out there. If you have answers, or at least a better insight, I would love to hear it. Keep the conversation going at the bottom of this article. Or I’m @Wh1t3Rabbit on Twitter, and I enjoy a good haggle.
Cited Article: Equifax Shareholders Re-Elect Board Members in Wake of Breach by Jennifer Surane and Anders Melin May 3, 2018, 9:06 AM CDT
Rafal Los serves as the VP of Solution Strategy at Armor. He’s responsible for leading the various technical functions associated with designing, developing and delivering next-generation cloud security-as-a-service solutions to our clients. Rafal is also the Founder & Producer of the Down the Security Rabbithole Podcast. He previously worked as the Managing Director, Solution & Program Insight at Optiv Inc.; Principal, Strategy Security Services at HP Enterprise Security Services; and Senior Security Strategist at HP Software.
As an IT security professional, Rafal gained experience in some of the world’s most challenging business environments. His responsibilities included budgets, risk analysis, process creating and adoption, internal audit and compliance strategies. His professional experience has taken him from budding “.com” companies, to a security boutique shop, to one of the world’s largest and most complex enterprises – always meeting challenges head-on and with a positive attitude. He has been the catalyst for change in many organizations, building bridges across enterprises and developing permanent successful strategies for growth and prosperity.breach identity los opinion