Thursday, May 3, 2018

Equifax finally admits that they had no security...

In a huge turn of events today, Equifax and I are both trying something new.

Equifax is trying to include security within their ecosystem.

I'm trying a catchy title with half-truths, like all the newspapers keep using.

The only problem is that my title isn't actually a half-truth; it is more of a mostly-true.

Equifax seems very proud to announce to shareholders and to the world that they have just poured hundreds of millions of dollars into security.

The catchy phrase that got me going for this end-of-week post is this gem from their latest quarterly financial report, as reported by SC Media:

$242.7 million overall breach cost:

This included $45.7 million in IT and security costs to transform the company's IT infrastructure and improve application, network, and data security.

The thing with publicly traded companies is that we KNOW. We know that they only spend money when they absolutely must.

So this $45.7 million was needed. As in, it was always needed.

To be clear, this means that their "secure" ecosystem was behind by $45.7 million.

Yet they always claimed that they met all compliance requirements, both the legal ones and those of their partners. Passing a compliance audit is not the same thing as being secure, and this is what that gap looks like in dollars.

So keep that in mind next time you are doing business with a publicly traded company which, by the way, had a $125 million cyber insurance policy with a $7.5 million deductible.

In my humble opinion, a 6% deductible sounds like the insurance company was trying to manage its own risk and perhaps had doubts about the quality of the Equifax ecosystem. But that is pure speculation, just like thinking that "the Equifax clients" are their priority. And ultimately, it is a publicly traded company, so a higher deductible means lower premiums, which is better in the short term for the shareholders, so basically a win-win. And since the senior executives have done their "duty" and do have insurance, the fact that the shareholders will absorb the financial hit IF (when) a security breach occurs is a very common boardroom stance.

The "short-term bottom line" is always the only true priority for a publicly traded company. Until the laws evolve to include stiff financial penalties for willful blindness by senior executives (personal liability) and jail time, things will not change.


Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches cybersecurity at l'Ecole Polytechnique and HEC in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter: @ericparent
LinkedIn: EVA-Technologies
