It played out like a cybersecurity horror film.
Between mid-May through July, nearly 143 million Americans had their personal identifiable information (PII) stolen by hackers who breached the consumer credit reporting agency’s cyberdefenses. While the investigation is still underway, preliminary reports blame vulnerabilities in Equifax’s backend software; a popular application called Apache Struts, a well-known and respected product used in more than 60 percent of the world’s Fortune 500 companies.
Whether you have a vested interest in cybersecurity or you’re the average American consumer, Equifax’s epic data breach was more than unsettling; it was downright terrifying on a massive scale. The company trusted to safeguard our sensitive financial data had the security of its data compromised.
And it all came down to human error.
Known Vulnerabilities, No Action
With any software, there can be vulnerabilities. Sadly, the pathway to the Equifax breach was a known vulnerability that could easily have been patched. In fact, Apache had offered a patch back in March for that particular vulnerability – months before the Equifax breach occurred. With that information in hand, we can only assume that the agency’s IT professionals were negligent in their duty to protect the sensitive financial data that they were empowered to safeguard. The sudden ‘retirement’ of Equifax’s chief security officer (CSO), Susan Mauldin, and chief information officer (CIO), Dave Webb, immediately following the breach spoke volumes about their culpability.
The Usual Suspects
Time and time again, research indicates that more than 90 percent of cyberbreaches occur due to some sort of human interference. Technology can apply any number of guarding systems, such as firewalls, software and monitoring applications, but once humans fail in their responsibility, that’s when disaster is most likely to occur.
To reduce human performance errors, it requires a combined effort that involves training, education and the establishment of a cybersecurity culture to keep any breaches, however big or small, at bay. Training provides individuals with the technical skills to perform a task. Education teaches them how to apply theoretical knowledge in philosophy, ethics and personal responsibility to weigh the consequences when those responsibilities are not met. A cybersecurity culture brings those skills, knowledge, efforts and talents together to effectively manage and maintain an organization’s digital defenses, which radically reduces the potential for human errors.
Dr. Jane LeClair