
NIST Cybersecurity Framework

The Aftermath of Equifax and The Importance of Due Care


Through their negligence, Equifax suffered a major data breach that affected 140 million people with credit data and histories in their network. CEO Rick Smith was asked to resign from the company and take his $90M severance with him.

It feels a bit like justice for many of us who make more pedestrian salaries. The ‘little guy’ wins over the ‘big guy.’ At the very least, in this particular instance, accountability went to the top. Yet that’s cold comfort, because our sensitive personal data is still at risk of being stolen, not to mention all the other burdens this breach places on us. If only Equifax had exercised comprehensive data security for their customers, stockholders, and employees by patching their servers promptly, the breach would not have occurred. Alas, hackers gained access and stole data from millions of people.

What could Equifax have done differently? Security experts say they could have applied patches for known vulnerabilities in a standard patch update process. But what about the Big Picture? Was the InfoSec team following a standard of due care that would have encompassed a consistent and repeatable patching process to ensure data protection? Had the executive team received a recommendation from InfoSec/IT that such a standard was necessary to minimize risk and make their systems more resilient? Had anyone in-house made the case that adhering to a standard cybersecurity framework for reducing risk would make the Equifax network more resilient?

Now, we can consider the aftermath of such a counterfactual analysis. Say Equifax exercised due care and applied a patch management process that aligned with the National Institute of Standards and Technology’s Cybersecurity Framework. Maybe Rick Smith would have been able to say, “Yes, we were breached, but we adhere to the NIST Cybersecurity Framework as our cybersecurity and compliance standard. We did everything the government and the industry have defined as the gold standard of due care, and despite this, we were breached.”

Had Equifax adhered to the NIST CSF, the cyber attack might never have occurred. More to the point, though, we little guys wouldn’t be exposed to the risk of thieves stealing our identities and committing fraud in our names.

Unfortunately, breaches are here to stay. What isn’t clear is whether organizations are doing everything they can to protect themselves by applying the best policies, procedures, and technologies. Do they genuinely provide the due care their customers, stockholders, and employees deserve?


Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances. [USLegal, Inc.]

Effective risk management gives comfort to shareholders, customers, employees, and society at large that a business is being effectively managed and helps the company or organization confirm its compliance with corporate governance requirements. Risk management is relevant to all organizations, large or small. [ICAEW]

See how proactive cyber risk management can help your organization avoid large-scale data breaches like this one and minimize and mitigate risk in real time with CyberStrong; schedule a conversation here.
