An enterprise’s breach notification procedures and vulnerability management programs, and the need for real-time malware detection and protection, have come under increasing scrutiny in light of the disclosures of the Equifax data breach. As a result of the failure of Equifax to address a software vulnerability in a timely manner, a series of events began which culminated in regulatory, criminal and state attorney general investigations.

At the core of several of these investigations is a goal to establish a finding of negligence, so that the most severe penalties can be inflicted upon the company, both as punishment for alleged poor security and as a dissuasive tactic directed at other businesses with less than robust protections of customer Personally Identifiable Information (PII), privacy information and financial information. Fortunately, the conclusion of negligence is not a foregone one. A number of tests exist, which require evidence, expert opinion and legal discussion.

  1. Duty of Care – Establishing the “Duty of Care” is the first part of determining what exactly the business is responsible for as it pertains to the protection of customer data. In most cases, the Duty of Care is established in a contractual and explicit way. Ultimately, it is the contractual relationship, privacy policy, regulatory requirements and terms and conditions which define the business’s security responsibility. Clearly, the message here is that if the business cannot protect the data it collects, it should probably not collect the data in the first place. When a data breach occurs, it is generally accepted that the business is ultimately responsible for the security of its customers’ data. The data breach of Equifax is evidence of failure in the “Duty of Care”. Regulations like the EU’s GDPR make provision for penalties of up to 4% of global revenue for such negligence of duties that impacts the privacy of data subjects.
  1. Secure by Design – Security as an afterthought and retrofit is not only expensive but also reflects poor business prudence in an economy driven by electronic commerce and data-driven market decisions. You are sharpening your axe well if you are designing your business processes and cyber ecosystem based on risk assessment and a data-centric approach. Design aspects should cover the lifecycle of information/data assets as well as the cyber infrastructure, policies and procedures.
  1. Foreseeability – This may be one of the easiest tests to establish; it’s reasonable to assume a business system connected to the Internet will suffer a security breach due to the capability and persistence of cybercriminals. Combined with the general dangers of interacting with websites, opening email and clicking on links, the statistics indicate a high probability of a data breach. Given the large-scale breaches involving millions of users’ IDs and passwords, it’s likely (and hard to prove otherwise) that there is considerable risk of something bad happening to the business systems. Not patching a system against a known vulnerability for which an exploit is being used in active attacks against other companies presents the rather easy conclusion that Equifax failed to see this risk.
  1. Standard of Care – This may be the more challenging test at this moment in time. With the exception of the Attorney General of California, who has codified the CIS 20 Critical Controls as evidence of due diligence in protecting customer information, a defined standard of care is still emerging. NIST, SANS, ISO, COBIT and other IT security frameworks all call for specific, scientifically tested strategies to maintain the confidentiality, integrity and availability of information systems and data. Some specific advice has been provided by the White House in the wake of the OPM data breach, while other governments, through programs such as the UK Cyber Essentials scheme and the Australian DSD mitigations, suggest best practices. In general, court-recognized information security professionals, IT auditors and pen testers will determine whether the failings are egregious or not. Not patching a vulnerability under active exploitation or not changing default passwords are excellent examples of failing the standard of care test under any security scheme. Given this, it is hard not to conclude that Equifax’s failure to patch the known vulnerability failed a standard of care.
  1. Harm – It may seem that harm is a foregone conclusion if there has been a failure of the above three tests. That’s not necessarily the case. Demonstrating harm, financial or otherwise, becomes problematic when a security breach occurs; it may take weeks or months before cybercriminals commit identity fraud, file a fraudulent insurance claim, or leverage the stolen identities in an illegal way.


One of the tests used is to ask the question: is it reasonable that the information which was lost or stolen could do harm to an individual, and if so, how much harm? Clearly, the loss of credit card or banking information may be leveraged for immediate financial gain by cybercriminals – however, credit cards and bank account numbers are relatively easy to replace. Information such as credit history, medical or taxation information becomes far more problematic, as names, dates of birth and addresses are much harder to change – if not impossible.

A finding of negligence is a result of failing any of the four tests: ignoring the explicit items you defined as your business’s responsibility, dismissing the likelihood of a security incident on an Internet-connected machine, failing to implement a security best practice in an egregious manner, and identifying the potential of tangible harm to the victim, customer or business. A finding of this nature will not end well for your business or your customers.

THE UNWRITTEN RULES:

  • Well-informed Management Team:

As harsh as the analysis may be, a basic understanding of the responsibilities of executive oversight is not a frivolous exercise – engagement by the C-suite can make the difference between catastrophic loss and business as usual. When vulnerabilities are actively being exploited and million- and billion-dollar companies are falling victim, C-suite direction for rapid response is the best risk mitigation tactic. Anything less than rapidly responding to a zero-day threat makes it easy for the bad guys to impact your company’s operations.

  • Operational Challenges:

Complexity in operations, a large number of end nodes, diversity in hosting (data centers, cloud, VMs, etc.), global presence, handoffs between teams and ownership conflicts are inherent factors of any business operation; hence, this situation warrants that human error be reduced through the adoption of orchestration and automation supported by well-defined security operations playbooks.

  • It Is OK To Ask For Help:

Simply put, the only reason you may feel the cybercriminals are winning is because you have not called in experts to help you defend your business systems. Well-known leadership coach Jesse Lyn Stone asserts, “Asking for help when you need it is a sign of strength, not weakness.” If you’re serious about protecting the customer information your business holds and your team is struggling, it is time to bring in reinforcements.