Watching the Equifax debacle unfold has been a bit like watching a badly written coming-of-age story - just when you think it can’t get any worse, it does. The plot has certainly thickened as it has gone on, and last week, in seven short days, we learned of everything from the neglected Apache Struts patch through to the latest development in Argentina, where the region’s administrator username and password were both set to the not-so-imaginative or impenetrable word ‘admin’. These are certainly dark days for Equifax and the 143 million customers whose Social Security numbers are currently at the whim of fraudsters.
Banks should be taking note for two reasons. Firstly, with GDPR legislation becoming a reality in May 2018, banks and other keepers of personal data will no longer have the luxury of informing customers of a breach at their leisure – certainly not the six weeks it took Equifax to relay the information. Post-GDPR, customers will need to be notified within 72 hours of any compromise of their personal information. Any business that does not comply, or does not fully communicate the extent of the breach, risks being fined 4% of its global revenue, on top of the many hefty fraud and AML fines and penalties already frequently doled out by the FCA.
Secondly, Equifax should be a lesson in awareness for all banks and other organisations that have effectively become data businesses. Since 2008, IT departments have become stretched to the limit trying to meet the requirements of regulation overload, while also experiencing constant pressure to ensure networks are over-achieving in order to meet sky-high customer experience expectations.
With increased complexity comes increased vulnerability. Compliance and performance have risen to the top of the operational agenda, but security is still demonstrably lagging behind the increased performance mandate. As banks begin to consolidate data centres and, in some cases, move to the cloud, the complexity of their enterprise networks will increase.
It’s essential that as these networks become more complex, visibility into them keeps pace, in order to aid in their management and troubleshooting. You wouldn’t shift to dense 10Gb Ethernet or higher network speeds to deal with elevated requests to capture network data without making sure you had visibility of the increased flow of information, would you?
The message for banks is clear: increased complexity must be equally paired with increased security and increased transparency as to what is going on within a network day to day, minute to minute.
This includes third parties. Cyber risk underwriters do not necessarily assign a lower score to organisations that use outsourced providers and other third parties to manage infrastructure and take care of activities such as patching. The way an organisation deals with third parties, and the quality of those relationships, is often a good way to gauge its attitude towards security. But it’s essential that the processes surrounding third parties are defined and understood.
Not If, But When
By now everyone’s got an expression relating to the eventuality that all companies will be hacked at some point. “There are only two types of companies: Those that have been hacked and those that will be hacked,” said Robert S. Mueller, III, Director of the FBI. Or, perhaps more accurately, former Cisco CEO John T Chambers, who said: “There are two types of companies: those that have been hacked, and those who don't know they have been hacked.”
When the inevitable happens, banks will need to know about, understand and communicate breaches within days (72 hours, in fact) in order to be GDPR compliant. For this to happen, they will need a complete view of network activity in real time, with the ability to pinpoint the cause of issues quickly as soon as they are detected.