How NOT to respond to a network security incident

December 27, 20174 Minute Read

Select article text below to share directly to Twitter!


It’s hard to believe Equifax announced the security breach that affected more than 140 million Americans only a few months ago. We’ve had a lot of questions and not many answers since, despite multiple hearings on Capitol Hill and hundreds of stories across mainstream and niche media outlets.

We won’t know the whole truth about the data breach for some time still, but the lessons we can learn now are arguably more important, particularly about how to handle a network security incident—and how not to (here’s lookin’ at you, Equifax).

Step 1: Own up to network security breaches

Most companies are prepared for some level of crisis communication, but data breaches aren’t your ordinary crises. According to then-CEO Richard Smith’s congressional testimony, Equifax was hacked through a known vulnerability that wasn’t patched or identified by scanners as it should have been. Smith blamed the failure on a single employee, and that hasn’t gone over too well.

“The misstep we see in post-incident, post-breach communication is treating them like any other crisis,” said Claire Tills, a communication researcher. “There’s a standard approach to crisis communication and you can see its fingerprints all over these responses. But there are some key differences between information security crises and more traditional ones.”

The big one, she said, is responsibility. “Organizations that experience breaches see themselves as victims while the people whose data was lost or stolen hold them responsible.”

Senator Elizabeth Warren certainly does. She grilled Smith, “When companies like Equifax mess up, senior executives, like you, should be held personally accountable.”

More effective responses, said Tills, take the public narrative into account. “The organizations we’ve seen really taken to task deny, ignore, or contradict any critiques of their response. They’re seen as hiding the truth and out of touch.”

Smith claimed he didn’t know whether any personally identifiable information (PII) had been accessed when he was first informed of the breach on July 31—but revealed during testimony that he didn’t know because he didn’t ask. That seems a little suspicious for the head of a company whose sole purpose is to protect the PII of every American with a credit card. The nearly $2 million in company stock sold by three executives days after the breach was a really bad look, too, especially because it wasn’t publicly disclosed for more than a month after it occurred.

Step 2: Learn from Equifax’s points of failure

Data breaches happen, but this one shouldn’t have. The US Department of Homeland Security, Computer Emergency Response Team (US CERT) alerted companies in March, 2017 of the vulnerability that attackers ended up exploiting to gain access to Equifax’s network.

Patching isn’t always simple—especially for large enterprises with legacy IT—but it should never rest on one person alone (especially not in a company, like Equifax, with almost 10,000 worldwide employees). We still don’t exactly know why Equifax’s scans failed to pick up the vulnerability, but the timeline laid out by Smith shows the scans weren’t initiated for more than a week after the alert. Not only that, but it took 48 days for Equifax to detect the intrusion. Automating patching and network security monitoring could have perhaps prevented both of these errors.

Equifax’s internal incident response was also laced with “yikes” moments. There are unexplained gaps in the timeline Smith presented to Congress: He took two days to execute the company’s security incident response procedures; it took more than a week for investigators to determine PII had been accessed, and another four days went by before alerting the FBI. The full board wasn’t informed for another two weeks.

At best, these delays give the appearance that Equifax’s incident response team was ill-prepared. “The communication response was obviously a mess,” said Tills. “IT managers and decision-makers need to know the channels of information and communication in their organization and who is in charge of talking to the public and press before an incident occurs. Once they know that, they need to prepare those people and channels for when an incident breaks.”

Step 3: Monitor everything

Numerous government agencies, including the Federal Trade Commission and the FBI, are investigating the Equifax breach—and the company’s response to it. For now, things look grim. Who executed the attack, and what will they do with the PII they stole? Lawmakers haven’t figured out an alternative to social security numbers, and whatever solution they devise will require significant systemic overhaul.

In the meantime, the best advice from the FTC and others is watch your finances. Check your credit reports (through an encrypted connection!), consider placing a fraud alert on your files, and file your taxes early to avoid having your refund stolen. Direct your users to the Identity Theft website and give them more actionable steps they can take depending on what PII was stolen—and by whom.

  • Recommended for you
  • Recommended for You