Chilling Effect: Wall Street Punishes Equifax for the Wrong Reasons
There is no doubt that the public, in general, is suffering from breach fatigue. It is growing increasingly challenging to open up the news section of any primary website and not read about a company or website getting compromised. Lawrence Abrams’ popular breach-verification site has stockpiled almost 8 billion unique stolen account credentials. Just this week alone, Checkers Drive-In restaurants, news aggregator service Flipboard, and title insurance company First American Financial Corp all disclosed data breaches and the loss of customer information. What used to grab headlines as a significant violation of public trust is now pushed “below the fold” and can often rank lower in importance than what a celebrity wore to a recent court appearance.
Just because breaches are occurring more frequently and receiving less news coverage does not make them any less dangerous. Identity theft is a severe problem in modern society and its damage can take months or years to repair. The public outrage and congressional hearings in the wake of the Equifax breach, which exposed the records of 148 million people, served little actual purpose as no executives went to jail, Equifax paid just $600,000 in fines in the UK, and they are still allowed to operate without restrictions. This is personally very upsetting for me as the data leaked in the Citrix breach may have included not just my personal information, but that of my beneficiaries as well, who never worked a day for the Florida-based software maker.
Again, this will likely be business as usual where executives avoid jail time, nominal fines are paid, and affected employees are given yet another free year of credit monitoring service. Until there is a significant change in how governments and shareholders react to these data breaches, expect them to continue at a break-neck pace.
I have previously written about the aftermath of the Equifax data breach. The stolen data was never found, leading many experts to believe that the attack was state-sponsored and not a for-profit operation by a hacking team. A Yahoo! shareholder lawsuit successfully held former directors responsible for the massive 3 billion record breach. This legal victory is a sign that tort facilities are moving in the right direction in favor of the public interest over corporations that get breached. Last week, financial rating firm Moody’s downgraded Equifax’s credit rating following the massive 2017 data breach. This would typically be viewed as an overall positive move to punish Equifax for having lax cybersecurity controls that allowed the offense to happen in the first place. Financial rating firms perform analysis on companies to determine their capability of paying back their debt. Similar to how individuals in the United States have a credit score to assess their ability to pay back a credit card or a mortgage, companies also have ratings to determine their creditworthiness.
Upon closer examination, Moody’s cites Equifax’s massive spending on cybersecurity as a primary reason for downgrading their credit rating. The downgrade marks the first time that cybersecurity has been cited as a factor in a rating change. In 2018, Equifax planned to spend $200 million US on cybersecurity-related expenses. By investing so much in cybersecurity, the company will have less money to invest in growing the business, which Moody’s cites as a factor in their downgrade. The downgrade sends a chilling effect through the industry, leading many companies to believe that their credit ratings could also be lowered if they spend too much on cybersecurity. The downgrade leads to situations where organizations will purchase security solutions that are “good enough” to make the minimum investment in security to satisfy the auditors, but not provide the much-needed protection against today’s cyber threats.
Moody’s downgrade highlights a significant problem with how financial markets operate in the United States, where too many decisions are based upon the short-term outlook, and that motivates public companies in every sector. Moody’s is effectively sending conflicting messages by telling companies not to invest heavily in cybersecurity controls, but also not to allow themselves to get breached. The downgrade should have happened as soon as the breach occurred and that would have sent the right message that getting breached has consequences.
The silver lining to this story is that Moody’s may be sending a message to organizations that an ounce of prevention is worth a pound of cure. If Equifax invested reasonably into cybersecurity controls before the breach, their expenditures might not have caught the eye of the financial rating firms. The fact that they are now attempting to repair a dam after it burst is the cause for concern and they have to disclose this information in a more public manner.
Cybersecurity defense in depth starts with the user and user awareness training. If users do not click on links they do not know and do not open attachments from unknown sources, that would eliminate a good percentage of attack vectors. User awareness training is typically a cost-effective method for preventing attacks by turning every employee into a firewall. Since users cannot be expected to perform correctly every time, a security stack as a service that follows the user no matter where he or she goes is a significant step in securing the organization. Over 80% of the internet’s traffic today is TLS encrypted and attackers are taking advantage of that by concealing malware and exfiltrating data in TLS encrypted channels. A security solution with native SSL inspection is needed to ensure nothing bad comes into the organization and nothing good leaves. Typical security solutions require full backhaul or multiple appliances to scan 100% of the traffic. It is possible to stay within security budgets and provide the comprehensive security needed to protect users against today’s modern threats. It just takes a transformational way of thinking to achieve.