Could a strong second Line of defense have mitigated Equifax’s damage?
The recent Equifax data breach was one of the largest digital disasters ever. An unknown group successfully breached Equifax’s online services firewall, through a known system flaw that was scheduled to be corrected and stole personally identifiable data – names, addresses, social security numbers – for 143 million Americans and potentially 44 million people in the UK. This stolen information may seriously affect the privacy of millions of individuals, companies, and government for years to come. The mitigation and clean-up of this cybercrime could cost billions.
All companies, organizations, governments, and agencies have technical debt, which immediately begins to accrue following the installation of new and complex IT systems. As the IT system ages, a multiplicity of factors causes the technical debt – hardware and software obsolesce; the business requirements become more convoluted; new technologies bolted onto old technologies; key staff come and go affecting corporate IT knowledge, and the bad guys continually try to stay one step ahead of IT security. If the IT department is not security paranoid, then the probability of a data breach increases dramatically.
The major issue that the Equifax breach has cast a spotlight on is system breaches are inevitable. While we agree that stopping the violation in the first place is the first line of defense, the second line of defense is ensuring that the data isn’t usable by the hackers. For this second line of defense, the CIO will need to;
- De-couple the data from the underlying IT infrastructure,
- Introduce mechanisms to impose, maintain and monitor different levels of data security through obfuscation, encryption, deconstruction, and geo-distribution of the data, based on the data stored and the corporate governance and regulatory compliance required to protect it,
- Acquire tools that ensure IT controls extend from on-premises out to hybrid, multi-cloud storage architecture,
- Compliance monitoring/reporting of data governance policies will become a paramount IT system,
- Ensure cost optimization concerning the trade-off between data security and storage efficiency,
- All of the above, with IT operational simplicity.
Given the new data security realities, the IT department’s mandate to improve services and reduce costs will not change. Consider the introduction of the General Data Protection Regulation (GDPR) in the EU and their structure of corporate fines for personal data loss.
“In May 2018, a two-tiered sanctions regime will apply. Breaches of some provisions by businesses, which legislators have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater.”
The regulation applies to organizations that collect data from EU or process data on behalf of data collector on persons based in the EU. The Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.
Given that fines are in the millions of dollars, the CIO’s of any organization with EU customers have a clear incentive to improve the data security and data compliance and second line of defense – let alone the loss of confidence impact from their own customers.
