In nearly 20 years of working in the IT security industry, I’ve helped hundreds of companies build and mature their security programs. With some notable exceptions, when my team comes in to help out, these programs range from ineffective to completely nonexistent. In many cases, there are too few security personnel trying to do too much with too little support. My guess is that might have been the case at Equifax the past few years; not enough guards standing outside one of the world’s greatest treasure rooms of personal identity data.
If I’m being honest with myself, the only shocking aspect of the Equifax data breach is that it took this long for one of the big three credit bureaus to get compromised. Equifax CEO Rick Smith’s video apology to consumers emphasized that the threats to data security are “growing by the day” without focusing on their own failed efforts to secure U.S. consumers’ most sensitive data. He cited Equifax’s “significant investments in cyber security” without detailing any of their failures. His excuses ring hollow, especially in light of stock sales key Equifax executives made after the breach was discovered internally.
When it comes to U.S. consumers’ sensitive data, and breaches of that data, there are three main forces at play:
- Corporate America is ignoring its security obligations
- The federal government is unable to legislate regulatory protections for consumer data or to enforce existing regulations
- Consumers are not punishing corporations who lose their sensitive information
In the past decade, corporate America has made little progress toward better security:
- Security managers still report to technology executives, who view security as costly, disruptive, and less critical than operations
- Hackers are still the focus – not the data itself, nor the people managing it
- Senior executives are unaware of security risks or unwilling to take action
- Security budgets aren’t focused on training or supporting security personnel
- There’s little or no long-term strategic planning for security
The security landscape in regulated industries is cloudy in part because federal, state, and industry regulations don’t actually protect or secure sensitive data. And, they conflict with one another. What enforcement does occur for these regulations is largely symbolic.
Regulators and regulated companies continue to share a “checkbox” mentality about security – one that doesn’t examine the veracity, efficiency, completeness, or resilience of security controls. Said another way, it’s great you’ve got an encryption solution purchased – but have you deployed it to any laptops? Can you detail what sensitive data is on those encrypted laptops?
Compliance does not equal security, much like having a gym membership doesn’t mean you’re more fit.
The hard questions companies should be asking about their data aren’t contemplated by existing security frameworks: how to classify data, whether it needs to be stored, how long it should be kept, who should have access, how it’s backed up and archived, whether and how it’s encrypted, where it goes both in-network and in the Cloud, etc. Often the answers to these questions don’t exist because organizations don’t know where to start.
Meanwhile, consumers are enabling politicians and corporations to continue this quiet catastrophe of data breaches. TJX, the parent company of retailer T.J. Maxx, is responsible for the largest credit card data breach on record. In 2007, between 45 and 94 million credit card numbers were stolen from T.J. Maxx. It cost them roughly a quarter of a billion dollars in breach-related spending to set things right, but their stock price never really suffered over the past decade:
TJX has grown to be one of the largest and most profitable retailers in the world, ranked #87 on the Fortune 500 list with revenues in excess of $33 billion.
The same story has played out with other retailers (Home Depot, Target), healthcare players (Anthem, Tricare), tech giants (Yahoo!, EBay), media companies (Sony Pictures Entertainment), and financial services firms (JPMorgan Chase, Heartland Payment Systems, Citibank) who emerged basically unscathed from spectacular consumer data breaches.
I’m deeply cynical about the Equifax breach. It has probably been cheaper for them – one of the few companies controlling the most sensitive data available on virtually every U.S. citizen – to ignore, underspend, and underdeliver on security protections, hoping they don’t get compromised and don’t have to publicly disclose such failures.
I expect more and larger data breaches in the coming years. Whatever pretense of data privacy American consumers have insisted on, with regard to their personal identities, finances, and activities, is long gone and never to return.
I hold out hope that individuals companies can move the needle toward more mature security programs that place data governance and data control at the heart of their efforts. Instead of playing (and losing) an arms-race game with hackers and criminals, we should be pulling back, focused on the sensitive data assets that our businesses, economies, and lives depend on. Otherwise, we’re just doing the same old things and expecting different results.
Sean Steele is Co-Founder, Managing Partner, Technology & Professional Services at Infolock.