The Role of HR in the Aftermath of the Equifax Data Breach
Now that the dust has settled following the catastrophic cyber-attack on Equifax, David Mold, chief security officer at human capital solutions provider MHR, discusses the valuable lessons that can be learned from the credit bureau’s breach, and how HR can step forward and be the driving force behind an organisation’s security efforts as we head towards GDPR.
If you thought the cyber-attack at Equifax was just another data breach story, think again.
Although the Equifax case is not the biggest of all time – that unfortunate crown goes to Yahoo – it has already become a landmark case study for how not to respond to a data breach, while teaching some very important lessons.
The scale of the breach was enormous: 145.5 million people in the US – nearly half the population – along with 694,000 Britons were unknowingly exposed to attackers. But it was the ease with which the intrusion took place that raises serious questions about how a company of the size and stature of Equifax, which you would expect to be ultra-vigilant in safeguarding sensitive data, could allow this to happen.
The vulnerability attackers exploited to get into Equifax's systems was a flaw in Apache Struts – open-source software commonly used to build Java web applications. The flaw (CVE-2017-5638) had been disclosed and fixed by the vendor back in March this year, and a patched release was available from that point; Equifax simply hadn’t installed it, leaving the door wide open for an attack.
By the time the intrusion was identified the damage had already been done. Hackers were able to access highly sensitive personal data, including social security numbers, dates of birth, email addresses and driver's license numbers – everything needed to abuse individuals’ credit histories and cause long-lasting credit problems.
Equifax in crisis: a destruction of consumer trust
Any breach is, of course, alarming, but it was Equifax’s inadequate response and long list of failings which deepened the crisis and provides a real insight into its attitudes towards security.
Not only did it inexcusably fail to inform the unknowing public until nearly two months after the breach; directors at the company sold their shares before the announcement was made; the company launched a less-than-credible breach-response website which was flagged by phishing filters, gave victims conflicting results and appeared to waive their right to pursue legal action; and a miscommunication error saw Equifax itself direct people to a look-alike site on a slightly different domain for advice. Collectively, these failures destroyed consumer trust and caused irreparable reputational damage to the brand.
In a video statement, the then chief executive Rick Smith tried to calm the storm by stressing Equifax’s commitment to managing and protecting data.
“How hackers were able to access the data in the first place is hard to comprehend and highlights simple failings in the IT infrastructure.”
Evidence, however, suggests basic security measures had been lax for some time. Hackers had stolen W-2 tax data from its payroll and HR subsidiary, TALX, in a separate breach just months earlier, indicating that lessons clearly hadn’t been learned and that Equifax allowed its security failings to escalate until they reached crisis point.
How hackers were able to access the data in the first place is hard to comprehend and highlights simple failings in the IT infrastructure. An intrusion detection system with up-to-date signatures, watching the traffic to the vulnerable application, should have flagged both the exploitation attempts against Apache Struts and the unusual access patterns that followed, allowing the attack to be shut down far sooner.
Combined with a failure to compartmentalise data properly, this allowed a treasure trove of personal data to be reached from a single point of entry: a fundamental and inexcusable error that exposes failings deeply entrenched in the company’s culture, practice and security.
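As an added illustration of the kind of monitoring the paragraph above argues for (this is example code written for this article, not anything from Equifax or MHR), the Python script below runs two simple checks over a constructed sample of reverse-proxy request logs: a signature check for the OGNL expression shape that triggers the March 2017 Struts flaw (CVE-2017-5638), which only works if the proxy is configured to log the Content-Type header, and a behavioural check for a single client reading far more distinct records than a person plausibly would. The log format, the paths, the IP addresses and the threshold of three records are all assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of reverse-proxy request logs (not real Equifax traffic).
# Assumed format: <client-ip> <timestamp> <method> <path> <status> "<Content-Type>"
# Logging the Content-Type header matters: the March 2017 Struts flaw
# (CVE-2017-5638) was triggered by an OGNL expression placed in that header.
# The second line carries a stylised, deliberately non-functional OGNL shape.
SAMPLE_LOG = """\
203.0.113.7 2017-05-13T02:11:04Z POST /dispute/upload.action 200 "multipart/form-data; boundary=xyz"
203.0.113.7 2017-05-13T02:11:09Z POST /dispute/upload.action 200 "%{(#_='multipart/form-data').(#cmd='whoami')}"
198.51.100.24 2017-05-13T02:12:30Z GET /dispute/view?id=1001 200 "-"
198.51.100.24 2017-05-13T02:12:31Z GET /dispute/view?id=1002 200 "-"
198.51.100.24 2017-05-13T02:12:31Z GET /dispute/view?id=1003 200 "-"
198.51.100.24 2017-05-13T02:12:32Z GET /dispute/view?id=1004 200 "-"
198.51.100.24 2017-05-13T02:12:32Z GET /dispute/view?id=1005 200 "-"
192.0.2.55 2017-05-13T02:15:00Z GET /dispute/view?id=2201 200 "-"
192.0.2.55 2017-05-13T02:20:00Z POST /dispute/upload.action 200 "multipart/form-data; boundary=abc"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)
# A legitimate Content-Type never contains an expression. Match the opening
# of an OGNL expression followed by tokens the exploit shape needs.
OGNL_RE = re.compile(
    r'[%$]\{.*?(?:#|ognl|_memberAccess|ProcessBuilder|getRuntime)', re.IGNORECASE
)
ID_RE = re.compile(r'[?&]id=(\d+)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_struts_ognl(log_text: str) -> List[Dict[str, str]]:
    """Signature detection: Content-Type headers carrying an OGNL expression."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and OGNL_RE.search(rec["ctype"]):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})
    return hits


def find_enumeration(log_text: str, max_distinct_ids: int = 3) -> Dict[str, int]:
    """Behavioural detection: one client reading more distinct records than a
    person would. The threshold is an assumption; tune it against real traffic."""
    ids_by_ip = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        m = ID_RE.search(rec["path"])
        if m:
            ids_by_ip[rec["ip"]].add(m.group(1))
    return {ip: len(ids) for ip, ids in ids_by_ip.items() if len(ids) > max_distinct_ids}


def analyse(log_text: str) -> Dict[str, object]:
    """Run both checks and return their findings keyed by check name."""
    return {"ognl": find_struts_ognl(log_text), "enumeration": find_enumeration(log_text)}


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_LOG).items():
        print(name, finding)
```

Neither check is a substitute for a real IDS, but they show the two signals the text refers to: the exploit itself and the abnormal access pattern that follows it. The signature rule depends on the header being logged at all; the behavioural rule depends on the threshold being tuned against genuine traffic, otherwise it will bury the analyst in false positives.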
Attacks in the wake of the Equifax breach
Since the Equifax breach, there have been two more large-scale attacks. First, the Securities and Exchange Commission, the top US markets regulator, disclosed that hackers had breached its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system.
Then just days later, Deloitte revealed it too was the victim of a cyberattack, with hackers accessing usernames, passwords and personal details of some of its clients.
“An endemic problem exists that will continue to repeat itself unless we change our approach to privacy and security.”
To put it into context, that’s one of the world’s largest credit bureaus, the US regulator and the security consultancy ranked number one by Gartner all hacked in the space of a month.
Hard to comprehend, isn’t it? But it is a clear indication that an endemic problem exists that will continue to repeat itself unless we change our approach to privacy and security.
HR’s role in protecting companies' data assets
So what can organisations do to protect their data assets?
It’s easy to assume that responsibility for protecting an organisation from a data breach lies firmly at the doors of the IT department.
Robust security measures are, of course, critical to protecting data, but this needs to be supported by a top down culture and policies built on values of transparency, privacy and security. This is where HR can come to the fore.
As custodians of vulnerable and sensitive ‘people data’, HR professionals have a huge role to play in protecting data assets.
“As custodians of vulnerable and sensitive ‘people data’, HR professionals have a huge role to play in protecting data assets.”
When employees start a new job they happily provide their employers with sensitive personal information under the assumption that it will remain confidential and stored safely. It is HR’s job to make sure it stays that way by ensuring leaders and employees recognise the importance of company compliance policies and follow them stringently.
While Equifax is a rare case in the sheer extent to which it left itself exposed to theft, most breaches are typically caused by human error and poor password management. Staff are the first line of defence when it comes to security, but they can also be the weakest link.
Full lifecycle training and its role in stopping attacks
There is no substitute for continually investing in education: ensuring HR teams are highly qualified to handle aggregated personal data safely and with empathy for the data subject, trained to be risk-aware, and clear about what to do in the event of a breach.
A clear data security policy, plainly communicated and followed to the letter in practice, is key to establishing a culture where security is embedded at every level. Cybersecurity does not stand still, so briefing staff on the latest breaches and keeping them up to date on current security protocols, changes to the Data Protection Bill, including GDPR, and phishing scams can help instil good habits and reinforce best practice.
“Training employees during the on-boarding process or on an annual basis isn’t enough.”
Training employees during the on-boarding process or on an annual basis isn’t enough; it should be carried out throughout the lifecycle of their employment with an emphasis on mimicking real-life breaches, so employees know how to identify signs of malicious intent and take the appropriate action.
Special procedures should also be put in place to minimise risk when employees leave the organisation, especially those leaving under a cloud.
Access management, patching and regular testing: cornerstones of good cybersecurity
Assigning access rights on a least-privilege basis, so that workers only have access to the data they need to do their job, also helps to safeguard sensitive information and limits what any single compromised account can reach.
To help ascertain the risk to the business, managers should also take time to rigorously assess their IT infrastructure, and in particular their external systems providers: gain assurance that they abide by rigorous industry standards, question what measures they have in place to protect their perimeters, and confirm that all patching is up to date.
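The patching point above, and the unapplied Struts fix described earlier in the article, come down to a checkable question: which version of the library is actually deployed? The Python audit below, written as an added example rather than taken from the article or from MHR, walks a web server's deployment tree for struts2-core jars and compares each version against the first release on its branch that carried the March 2017 fix (2.3.32 on the 2.3 branch, 2.5.10.1 on the 2.5 branch). The directory layout and jar list are constructed; a jar that has been shaded or renamed, or a copy of Struts bundled inside another archive, would not be found by a filename scan, so treat a clean result as a starting point, not proof.

```python
import os
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# First release on each branch that carries the vendor's March 2017 fix
# (Apache Struts 2.3.32 and 2.5.10.1 are the fixed releases for CVE-2017-5638).
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "2.3": (2, 3, 32),
    "2.5": (2, 5, 10, 1),
}

# Constructed sample of a servlet container's deployment tree (an assumption,
# not a real environment). Only struts2-core jars are of interest here.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/tomcat/webapps/admin/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.1.8.1.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

JAR_RE = re.compile(r'^struts2-core-(?P<ver>\d+(?:\.\d+)+)\.jar$')


def parse_version(ver: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise, and a
    shorter prefix sorts before a longer one, so 2.5.10 < 2.5.10.1 as required."""
    return tuple(int(p) for p in ver.split("."))


def classify(ver: str) -> str:
    """'patched', 'vulnerable', or 'review' for a branch not in the fix table
    (an out-of-support line that needs a manual check rather than a guess)."""
    v = parse_version(ver)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "review"
    return "patched" if v >= fixed else "vulnerable"


def audit_jar_paths(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, version, verdict) for every struts2-core jar in the list."""
    findings = []
    for p in paths:
        m = JAR_RE.match(os.path.basename(p))
        if m:
            findings.append((p, m.group("ver"), classify(m.group("ver"))))
    return findings


def scan_tree(root: str) -> Iterator[str]:
    """Yield every file path under root, for feeding into audit_jar_paths."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


if __name__ == "__main__":
    # On a real host: audit_jar_paths(scan_tree("/opt/tomcat/webapps"))
    for path, ver, verdict in audit_jar_paths(SAMPLE_PATHS):
        print(f"{verdict:<10} {ver:<10} {path}")
```

The same shape of check applies to any vendor assurance question: ask for the deployed version, not a statement that "patching is up to date", and compare it yourself against the fixed release.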
Independent certification is useful evidence here, but the schemes differ in what they prove. ISO 27001 certification shows that a vendor has been independently audited as operating an information security management system, a framework of policies and controls for managing security risk. An ISAE 3402 report gives independent assurance over the operating effectiveness of a service provider's controls, which is directly relevant to an outsourced HR or payroll system. Cyber Essentials certification shows that the vendor has the basic technical controls in place to be fundamentally cyber safe. Together they speak to a vendor's commitment to confidentiality, integrity and privacy, but none of them replaces asking the specific questions above.
Regular testing of the perimeter and exposed endpoints, to find vulnerabilities before attackers do, is also a good indication of the hygiene of the vendor’s systems and of its general attitude towards cyber security, while segregation of data provides assurance that any loss will be limited if the worst happens.
“It’s very easy for employers to re-evaluate processes and procedures after an event has taken place. But it’s too late.”
Data sovereignty, the principle that data is subject to the laws of the country in which it is stored, should also be a key consideration as we head towards post-Brexit Britain. Carrying out a data audit and questioning vendors about where data actually resides will help you assess whether your data storage complies with current and future data protection laws.
It is important to note that when the General Data Protection Regulation takes effect in May next year, and the Data Protection Bill passes into UK law alongside it, UK data protection law will also feature additional criminal offences, including unlawfully obtaining personal data, deliberately frustrating a data subject's access to their data, and re-identifying de-identified data. In essence, this means engaging with vendors whose data centres are based solely in the UK will ensure the data falls under that stricter jurisdiction rather than the rules of wherever else it might be stored.
It’s very easy for employers to re-evaluate processes and procedures after an event has taken place. But by then it’s too late. As always, prevention is better than the cure. Hackers are continually innovating; employers must do the same.
The Equifax breach serves as a sharp reminder that there is no place for ignorance, and that now is the time to examine your data protection and privacy practices.
David Mold, Chief Security Officer, MHR
MHR is a specialist provider of HCM solutions, helping organisations of all shapes and sizes to strengthen their core – their people. MHR combines the stability, expertise and proven methodologies of a long established provider, with the innovative forward thinking vision of an agile growing business, to provide a winning partnership to its customers and employees.
Across the fields of talent management, HR, payroll and business analytics, 900 companies from SMEs to large multi-national corporates rely on us to help them drive performance. Customers include: Admiral, Cafcass, Sytner, Signet Group, Nando’s, Laing O’Rourke, Wessex Water, University of Reading, Caterpillar UK, East Riding of Yorkshire Council, Salvation Army, The British Transport Police and more.