Following TFT’s coverage of the March 7 U.S. Senate hearing on the “devastating data breach” experienced by Equifax in 2017, we asked Steffen Sorrell, Principal Analyst at Juniper Research for his insights.
Do you think that the “cultural indifference” cited by Sen. Tom Carper (in his subcommittee report on the subject) is a fair assessment of Equifax’s security provisions? If so, how widespread do you think such an attitude is elsewhere in the sector?
“The ‘cultural indifference’ refers to the persistent perception of security as a cost centre as opposed to something that is valuable to the bottom line. Although this perception is now slowly changing, it remains widespread. The failure to ensure that proper security processes and architecture were implemented at Equifax highlights that even large companies in ‘high risk’ environments have not properly considered security by design principles in terms of risk assessment and consequent mitigation measures.”
What changes need to be made by companies handling huge amounts of data in order that such breaches can be prevented?
“The main issue is that proper security implementation is generally an expensive undertaking, involving a risk assessment, layered solutions, architecture design, penetration testing and so on. The reality is that, particularly as the Internet of Things becomes more widespread and society becomes increasingly digitised, a reputation as a secure business will be a differentiation point and will pay itself back over time.
Unfortunately, breaches cannot be prevented, no matter how good the security; particularly where a well-funded and persistent attacker is involved. There will always be potential weak points in the chain: often these are company employees themselves, who are susceptible to social engineering. Therefore, companies in high risk environments must build security around the assumption that a breach will occur: this means applying mitigation measures to reduce risk. Data encryption at all stages, network segmentation, ‘zero trust’ models and robust implementation of process management for updates, patches and so on are critical here.”