The Smokey the Bear wildfire prevention campaign began in 1944, and its message of wildfire prevention remains as relevant and urgent today as it was in 1944. Just ask any American living in a wildfire-prone state. Smokey asserted in 1944, “Care Will Prevent 9 out of 10 Forest Fires.” Although the message evolved, it became very direct with, “Remember... Only YOU Can Prevent Forest Fires.” Perhaps it’s time to unleash “Cyber Smokey,” or perhaps a “Cy-key” (pronounced “Psyche”), with an equally direct message: “Remember… YOU need to play your role to Prevent Data Breach.”
Today there are 146 Million people, mostly Americans, wishing a “Cy-key” message had reached the enterprises that hold customer data in a precarious security state. What happened at Equifax may indeed be a seminal moment in the history of cybersecurity. That the resignation of senior executives (CEO, CSO, CFO) is due in large part to their failure to enforce reliable and demonstrable patch management and timely remediation of vulnerabilities in their cyber ecosystem should be a strong message to others in similar positions and enterprise organizations.
THE EQUIFAX DEBACLE
Cases like Equifax have also left many experts still searching for a reasonable explanation as to why enterprises have not learned their lesson in one of the most basic elements of cybersecurity hygiene after the WannaCry ransomware outbreak. Effective enterprise-wide patch management could possibly have saved FedEx/TNT Global and Maersk $300 Million in post-ransomware-infection bills, and the jobs of the C-suiters at Equifax.
Beyond technical and procedural efficiencies, the fallout and subsequent mishandling of the Equifax data breach illustrates a low point and a mass betrayal of trust. In many cases the customers were not informed, nor did they understand, that their financial institutions had sent their information to Equifax. It came as a surprise to many people when all their data was stolen from a company they had no idea they had a relationship with. This called attention to breach detection and notification.
ORGANIZATIONAL DUE DILIGENCE
What is so pertinent to the discussion of vulnerability management is how it is now linked to evidence of organizational due diligence in the protection of customer personally identifiable information (PII). It’s not hard to “see” this vulnerability management issue at Equifax from a legal perspective. That legal perspective is currently being “seen” and investigated by many state attorneys general and federal agencies; also, due to the actions of Equifax senior executives, a criminal investigation headed by the FBI is underway. Subpoenas and indictments will grab headlines for weeks and months ahead.
Powerful words are used in legal actions, and the potential of sanctions or worse evolves from those legal actions. That the legal issues unfolding stem from an unpatched system vulnerability, which became the “patient zero” of the Equifax data breach, is deeply troubling and should resonate with executive boards and company officers. It would seem that a failure of vulnerability management has the power to plunge an organization into crisis and to cause extreme scrutiny of its business operations from regulatory authorities and, in the most egregious of circumstances, criminal investigators.
DUTY OF CARE
If technical requirements like vulnerability management have now become linked with, and evidence of, a company exercising a “Duty of Care,” then a failure of that “Duty of Care” unleashes difficult questions. These questions may evolve into a regulatory investigation, deposition or even litigation, as the goal will be to find the company negligent in its protection of customer data, and may culminate in global adoption of stringent regulations like the European Union’s GDPR (General Data Protection Regulation); a finding of negligence usually has the most severe penalties attached. Fortunately, a finding of negligence is not immediate, and many circumstances and opinions must be considered. Certainly, prevention of the “Spark of the Data Breach Fire” is the most prudent course of action, as there is no potential of a regulatory inferno if it is extinguished early.