
The Aftermath of Equifax and The Importance of Due Care


Beginning in May 2017, Equifax, through its own negligence, suffered a major data breach that exposed the credit data and histories of roughly 143 million people. A few months later, CEO Rick Smith was asked to step down and left with a severance package reported at about $90M.

For many of us who earn more pedestrian salaries, it feels a bit like justice: the 'little guy' winning over the 'big guy.' At the very least, in this instance, accountability went all the way to the top. Yet that is cold comfort, because our sensitive personal data is still at risk of being misused, to say nothing of the other burdens this breach places on us. Had Equifax exercised comprehensive data security on behalf of its customers, stockholders, and employees by patching its servers in a timely manner, this breach would very likely not have occurred. Instead, attackers gained access and stole the data of millions of people.

What could Equifax have done differently to thwart the breach? Security experts point to the obvious answer: apply the patch for the known vulnerability through a standard patch update process. The flaw exploited was a publicly disclosed Apache Struts vulnerability (CVE-2017-5638) for which a fix had been available for about two months before the intrusion began. But what about the big picture? Was the InfoSec team following a standard of due care that included a consistent, repeatable patching process with defined deadlines, so that a publicly known flaw on an internet-facing system could not sit unpatched for weeks? Had the executive team received a recommendation from InfoSec/IT that such a standard was necessary to minimize risk and make their systems more resilient? Had anyone in-house made the case that adhering to a recognized cybersecurity framework would make the Equifax network more resilient?
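A repeatable patch process needs a measurable check behind it: which assets still run a version below an advisory's fix, and how far past the remediation deadline each one is. The Python below is an added example, not code from Equifax, NIST or this page. The asset inventory, the advisory identifier, the dates and the SLA day counts are all constructed for illustration, and halving the SLA for internet-facing hosts is an assumed policy choice. It shows the version-comparison detail that trips up naive scripts (string comparison puts 2.3.5 after 2.3.32, so a vulnerable host would be reported as patched) and produces the aging report that a vulnerability management plan, such as the one NIST CSF subcategory PR.IP-12 asks an organization to develop and implement, is meant to generate.

```python
"""Patch-SLA aging check: the measurable core of a repeatable patch process.

Added example, not code from Equifax, NIST or the page. Every asset, advisory,
date and SLA value here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation deadlines (days after advisory publication) by severity.
# These numbers are a policy choice, not a NIST CSF mandate; the Framework asks
# that such a plan exist and be followed consistently.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # constructed identifier, not a real CVE
    component: str
    fixed_version: str   # first version that contains the fix
    severity: str
    published: date


@dataclass(frozen=True)
class Asset:
    hostname: str
    component: str
    version: str
    internet_facing: bool


def parse_version(version: str) -> tuple:
    """Split a dotted numeric version into integers so it compares numerically.
    Comparing the raw strings is wrong: '2.3.5' > '2.3.32' lexically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """An asset is exposed when it runs the advisory's component below the fix."""
    return (asset.component == adv.component
            and parse_version(asset.version) < parse_version(adv.fixed_version))


def deadline_days(adv: Advisory, asset: Asset) -> int:
    """Assumed policy: internet-facing hosts get half the SLA, minimum one day."""
    days = SLA_DAYS[adv.severity]
    return max(1, days // 2) if asset.internet_facing else days


def overdue_findings(assets, advisories, today: date):
    """Return (hostname, advisory_id, days_overdue) for every exposed asset that
    is past its deadline, worst first. Exposed assets still within SLA are omitted."""
    findings = []
    for adv in advisories:
        age = (today - adv.published).days
        for asset in assets:
            if not is_vulnerable(asset, adv):
                continue
            overdue = age - deadline_days(adv, asset)
            if overdue > 0:
                findings.append((asset.hostname, adv.advisory_id, overdue))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


# Constructed sample data: one critical advisory, three hosts running the component.
ADVISORIES = [
    Advisory("ADV-2017-0001", "example-web-framework", "2.3.32", "critical", date(2017, 3, 1)),
]
ASSETS = [
    Asset("web-01", "example-web-framework", "2.3.31", internet_facing=True),    # exposed
    Asset("app-02", "example-web-framework", "2.3.32", internet_facing=False),   # patched
    Asset("batch-03", "example-web-framework", "2.3.5", internet_facing=False),  # exposed
]
TODAY = date(2017, 5, 13)  # constructed "now", 73 days after publication

if __name__ == "__main__":
    for host, adv_id, days in overdue_findings(ASSETS, ADVISORIES, TODAY):
        print(f"{host}: {adv_id} unpatched, {days} days past SLA")
```

Run as-is, the report lists web-01 (70 days past its shortened 3-day deadline) and batch-03 (66 days past the 7-day deadline); app-02 is not reported because it already runs the fixed version. Feeding this check a real inventory and advisory feed is the part of a patch process that can be audited, which is what makes it due care rather than good intentions.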

Now consider the aftermath of such a counterfactual. Say Equifax had exercised due care and run a patch management process aligned with the National Institute of Standards and Technology's Cybersecurity Framework. Would Rick Smith have been able to hold his head high and say, "Yes, we were breached, but we adhere to the NIST Cybersecurity Framework as our cybersecurity and compliance standard; we did everything government and industry have defined as the gold standard of due care, and despite this, we were breached"?

Or maybe, by adhering to the Framework, Equifax would not have suffered the breach in the first place. In this parallel universe, Rick Smith would not have been asked to take his $90M and leave. He might have been congratulated for his winning best practices, or at the very least for a valiant effort. More to the point, consumers would not be exposed to the risk of thieves stealing their identities and committing fraud in their names.

Unfortunately, breaches are here to stay. What isn’t clear though is whether organizations are doing everything they can to protect themselves by applying the best policies, procedures, and technologies. Are they truly providing the Due Care their customers, stockholders, and employees deserve?


Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.[USLegal, Inc.]

Effective risk management gives comfort to shareholders, customers, employees, and society at large that a business is being effectively managed and helps the company or organization confirm its compliance with corporate governance requirements. Risk management is relevant to all organizations large or small. [ICAEW]
