In 2018, we predict the cost of each stolen record may skyrocket to $250 while the total organizational cost of a data breach could be as high as $8 million. Companies may recover from financial and reputational damage if they have the deep pockets needed to fight lawsuits, fines and bad press associated with such breaches, but in the rapidly changing world of technology you can’t even blink or you might miss something.
Our estimate, made this past September, does not take into account what could happen in an extreme case like Equifax, where a company most people don’t even do business with leaked the personal financial information of 143 million Americans to the hacker community due to inadequate cybersecurity.
Wired Magazine is now calling for the corporate death penalty for Equifax as a result of their gross negligence.
Here is an excerpt:
Under the law of Georgia, where Equifax is incorporated, the state attorney general may file a lawsuit in state court to dissolve a corporation if the corporation "has continued to exceed or abuse the authority conferred upon it by law." (All 50 states have similar provisions.) State attorneys general don't invoke these corporate death penalty statutes often, especially not against large, well-known corporations. But Equifax could not have obtained its unusually important position in our economy without the privileges of a corporate charter conferred by law, and it has forfeited its claim to those privileges.
Equifax's entire reason for existence is to collect and maintain private financial data about individuals who are not customers of the company. This isn't like other data breaches, such as the 2012 credit card data breach at Barnes & Noble, or the 2015 hack of frequent-flyer account data at British Airways. Those breaches were bad. But they affected people who had chosen to do business with these companies by buying books or airplane trips. Most of the people whose data was compromised by Equifax's lax security don't even know that Equifax exists, let alone that it maintains their private financial data.
While there's never an excuse for major companies to be sloppy with customer data, Barnes & Noble and British Airways aren't in the business of securely storing private financial data. They're in the businesses of selling books and flying airplanes. When a bookstore or airline doesn't manage customer data well, then the company needs to compensate its customers for its negligence, accept its punishment, and reform. But when a company's entire reason for being is managing individuals' most sensitive private financial data, and it fails spectacularly, it should not be further entrusted with that important responsibility.
Dissolving Equifax would not require putting innocent people out of work or demolishing its office buildings. Working with a court-appointed receiver, the Georgia attorney general could develop a plan to deconstruct Equifax's current corporate structure. It could continue to operate and pay its staff and vendors while dissolution is pending in court, and legitimate business lines could operate successfully afterwards under new ownership.
The public’s anger over data breaches can only grow, and hackers have been emboldened like never before.
Each attack is an invitation to the world’s hackers to try harder. Every breach in turn funds the next breach, not only from a competitive standpoint but financially.
Inside hacker circles, the competition is fierce. How fierce? Think about Gru stealing the moon and you get the idea.
So corporations globally are in greater peril than ever before. Moreover, even the multibillion-dollar Equifax had just one person in charge of hacking the system which was breached. Guess who was checking on them? Apparently, no one.
Any company can make a mistake, and in fact every company will. It is exactly for this reason that every organization looking to protect its assets, profits and ability to function needs to ensure there are checks and balances where there never were before. Cyber insurance can only protect you to a certain point. It cannot be relied on to protect against the near-infinite lawsuits which it seems Equifax now faces.
CEOs and board members must understand the importance of these issues or they could be next. They must act quickly to protect themselves from the next hack which may be targeting their organization.
Here are some of the areas all organizations looking to promote a cybersecurity culture need to focus on:
1. Cybersecurity training must be done regularly.
2. Auditing and documentation must be performed regularly to ensure systems are secure.
3. Anomaly detection should be running constantly to detect threats as they emerge.
4. Penetration testing shows if systems can easily be reached from the outside. Here is a case where this test might have saved two companies’ reputations from being destroyed.
5. Network forensics for when a breach eventually occurs. The bad guys always seem to get in eventually.
6. An action plan to follow when a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched its response in what is being called a PR catastrophe.
To ensure your organization is safe – even if you have internal IT, hire an experienced MSP or MSSP like Apex Technology Services.
What have we learned from this article? Well, hackers are despicable, but hopefully, after the next attack, you'll be saying, "I'm glad it wasn't me."