Yesterday we all read the explanation (or, as I would call it, the “excuse”) of the former Equifax CEO for the recent breach of the Equifax database that exposed the personal data of 145 MILLION US and Canadian citizens.
Here is his explanation: one IT employee of Equifax did not install and verify one patch to their IT system (I will leave the technical details aside). Pay attention! This omission happened between March 8 and March 10, while the breach and the subsequent theft of data happened between May 13 and July 30 – up to 5 months later!!!
Now let me ask the inevitable question – where was Equifax’s compliance system and its verification of performance during those 5 months? Many of my friends and colleagues have noted that in an organization such as Equifax, patching any vulnerability in the IT system must involve at least a two-step approach – application of the patch by one specialist, and verification and testing of the patch by another. This simple two-step procedure would have prevented the current chaos that Equifax is dealing with, which will cost it millions of dollars in damages and, inevitably, reputational damage.
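As an added illustration (not part of the original post), here is how the two-step control described above can be enforced mechanically rather than left to memory: a small Python check that, given a patch advisory and an inventory of hosts, flags hosts still on a vulnerable version, hosts where the patch was applied but never independently verified, and hosts where the same person both applied and verified it. The component name, versions, host names, dates and the 14-day policy deadline are all constructed for the example; nothing here describes Equifax’s actual systems.

```python
"""
Patch-compliance check with separation of duties (added example).

Models the two-step control: one specialist applies a patch, a different
specialist verifies it, and a periodic check reports anything that is
still unpatched or unverified past a policy deadline.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical policy: a released patch must be applied AND independently
# verified within this many days.
MAX_DAYS_TO_VERIFY = 14

# Constructed advisory: component, first fixed version, release date.
ADVISORY = {
    "component": "app-framework",
    "fixed_version": "1.4.2",
    "released": date(2017, 3, 8),
}


@dataclass
class PatchRecord:
    host: str
    component: str
    installed_version: str
    applied_by: Optional[str] = None    # who installed the patch
    verified_by: Optional[str] = None   # who independently confirmed it


@dataclass
class Finding:
    host: str
    severity: str
    reason: str


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '1.4.10' into (1, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def check_compliance(records: List[PatchRecord], advisory: dict, today: date,
                     max_days: int = MAX_DAYS_TO_VERIFY) -> List[Finding]:
    """Return one Finding per host that fails the two-step patch control."""
    findings: List[Finding] = []
    overdue = (today - advisory["released"]).days > max_days
    fixed = version_tuple(advisory["fixed_version"])

    for rec in records:
        if rec.component != advisory["component"]:
            continue  # advisory does not apply to this record

        # Step 1: is the patch actually installed?
        if version_tuple(rec.installed_version) < fixed:
            findings.append(Finding(
                rec.host, "critical" if overdue else "high",
                f"unpatched: {rec.installed_version} < {advisory['fixed_version']}"))
            continue

        # Step 2: was the installation confirmed by a second person?
        if rec.verified_by is None:
            findings.append(Finding(
                rec.host, "high" if overdue else "medium",
                "patch applied but never verified by a second person"))
        elif rec.verified_by == rec.applied_by:
            findings.append(Finding(
                rec.host, "medium",
                f"separation of duties violated: {rec.applied_by} both applied and verified"))
    return findings


def sample_report(today: date = date(2017, 5, 13)) -> List[Finding]:
    """Run the check over a constructed inventory (66 days after release, so overdue)."""
    inventory = [
        PatchRecord("web-01", "app-framework", "1.4.2", "alice", "bob"),   # compliant
        PatchRecord("web-02", "app-framework", "1.4.1"),                   # never patched
        PatchRecord("web-03", "app-framework", "1.4.2", "carol"),          # applied, unverified
        PatchRecord("web-04", "app-framework", "1.4.2", "dave", "dave"),   # self-verified
        PatchRecord("db-01", "database-engine", "9.6"),                    # advisory not applicable
    ]
    return check_compliance(inventory, ADVISORY, today)


if __name__ == "__main__":
    for f in sample_report():
        print(f"{f.severity.upper():8} {f.host}: {f.reason}")
```

Run daily (the post’s “15–30 minutes” habit, automated), an empty report is the evidence that the control worked; a non-empty one is the alert that, in the scenario the post describes, would have fired within two weeks instead of five months.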
If the first excuse wasn’t insulting enough, the former Equifax CEO further testified that “the individual who's responsible for communicating in the organization to apply the patch, did not”. Let me ask again – where were those responsible for the actions of that individual, and why did an organization such as Equifax fail to verify performance?
Unfortunately, we will probably never hear the answers to these questions, and those responsible for the breach, including the former Equifax CEO, Mr. Richard Smith, will never take responsibility for this incident.
Many of you might say that it was a “human factor”, that “no one is protected from mistakes”. I will agree – the mistake of the IT specialist was a simple human error, but what followed was a systematic failure of Equifax’s compliance system. The human factor created a minor problem, while Equifax’s failure to comply caused the 145-million-person data leak.
The conclusion that every prudent business must draw from this situation is simple – no matter how small or big your organization is, the only proper response to external and internal risks comes from establishing and enforcing a comprehensive corporate and business compliance system. The “human factor” is an inevitable risk for every organization, but in most situations it can be easily mitigated by simple procedural measures. Every business owner should adopt the following approach: every day, spend 15 – 30 minutes evaluating a small part of your organization’s activity, assess the risks that might arise from it, and then establish a procedure that will mitigate that risk. This simple habit will protect your business and prevent extensive damage to you personally, to your organization, and possibly to an audience of 145 million. It will also save you from shamelessly making excuses and blaming one employee for the failure of your organization, for your own personal failure.
The referenced article on Engadget.com: