Secure Cloud Services for the Finance Industry — Lessons From the Equifax Debacle

The Problem

For anyone concerned about cyber security in the financial services industry, the now-infamous Equifax data breach is an important study. The event is useful for understanding just how perilous the cyber security landscape is, and it is also a cautionary tale, because all of the data that was extracted from Equifax can now be put to improper use by those who stole it. Understanding how to prevent an Equifax-style breach is critical to any financial services company interested in protecting its data—and that’s all of them. Understanding how to defeat the illegitimate use of stolen data is critical to protect the public at large; it is also invaluable in helping to insulate a financial services organization from the lawsuits that will undoubtedly arise if stolen information is used and corporate malfeasance alleged.

The first thing to understand, and a fact that is quite remarkable in its own right, is that the breach did not happen spontaneously or even quickly. On March 6, an Equifax vendor, in response to a heads-up from a Chinese cybersecurity researcher, published information about a flaw in its software, along with a patch to correct it. The note from the researcher, which exposed how the flaw could be exploited to steal data, also made its way onto the Internet at large. Most ordinary people who had their personal data stored at Equifax probably had no idea that the software Equifax was using had a bug and that their sensitive information was at risk. Customers who place their trust in a financial services company typically assume that they’re protected and in good hands, which unfortunately is not always the case.

When the exposed security flaws began showing up on hacker websites, the global hacking community went to work, scanning for companies using the flawed software. On March 10, they got a hit—at Equifax. That was just the beginning. The initial team of hackers probably had no idea of the massive scope, scale, and potential value of their efforts. They were soon joined by more accomplices with more experience and sophisticated expertise. The collective effort continued unabated and undiscovered until July 29, almost 5 full months after entry into the Equifax system was first made. By the time it was discovered, the illicit data mining operation was so entrenched in the inner workings of Equifax that it took an additional 11 days for the Equifax security teams to seal off the system and then extract and repel the attackers.

When it was all over, the hackers had accessed several dozen data storage resources, having penetrated the Equifax system through almost 40 different entry points. The aftermath is frightening. The sensitive personal information—social security numbers, birthdays, addresses, passwords, as well as other elements of their online profiles—of more than 143 million Americans had been exposed to the hackers.

The Lessons

One of the biggest lessons to be learned from the Equifax debacle is that hackers are skilled, persistent, creative, and highly motivated. Experts are still unsure of the origins of the hackers, but one thread of expert analysis suspects that state-sponsored actors might be involved. China often emerges as a possible origin of organized and sanctioned cyber crime, as does North Korea. Regardless, the takeaway is that there is an endless supply of hackers out there, they know what they’re doing, and they are motivated to do it.

These hackers didn’t wind up penetrating a small, unprepared financial services company with limited resources and a lack of experience. Equifax was seemingly well positioned to fend off even the most aggressive hacking attack. Controlled from a central cyber security operations unit, the company had spent tens of millions of dollars on cyber security that included state-of-the-art anti-intrusion software supported by a wide range of additional security protocols. In the aftermath, one weakness that came to light was that an exodus of some of Equifax’s top cyber security staff may have resulted in the shoddy implementation of the security systems and an attendant lack of expertise in their operation.

The question then becomes, if this happened to a financial services giant like Equifax, is it reasonable to assume it could happen to anybody? And the answer, unfortunately, is yes. The keys to preventing a breach like the Equifax fiasco are state-of-the-art technologies combined with expertise and vigilance. A financial services company needs significant cyber security competencies in order to have any hope of protecting sensitive customer information. And this expertise must be dynamic; cyber security threats change and evolve daily, and any effective cyber security program must be able not only to keep pace with the threats, but to stay ahead of them.
It’s not easy to accomplish, particularly with limited internal resources, but it is essential. One of the best ways to implement a comprehensive cyber security program is to outsource the function to a qualified managed services provider (MSP). Although even this approach is not foolproof, there are some significant advantages to an outsourced solution.

1.) Best Practice Security Protocols — Many MSPs are equipped to offer state-of-the-art cyber security services specifically tailored to the financial services industry. Organizations that make a commitment to cyber security dedicate resources to monitoring the evolution of discovered threats—such as the software flaw that resulted in the Equifax breach—and to patching them before they become a problem. By maintaining constant awareness of new threats and new countermeasures, with the right MSP in place, virtually any organization can deploy best practice cyber security measures.

2.) Centralization — With all cyber security measures deployed through a data center operated by an MSP, organizations of any size gain enhanced control over the security of the IT function and enjoy better communications with all of the included IT elements.

3.) Audit Tracking — By tracking granular account activity in real time, repeated failed attempts to access unauthorized data trigger an alert. The complexities of audit tracking increase exponentially in proportion to the size of the organization, which can become cost prohibitive for companies that are growing rapidly on a limited IT budget. An MSP that provides an easily scalable audit tracking solution solves this problem.

4.) Disaster Recovery — In financial services companies, where the real-time capture and processing of data is mission critical, a business cannot afford to lose access to data for even a small period of time. A robust disaster recovery system provides multiple redundant systems that mirror the primary operational framework. In the event of an outage in the main system, processing is seamlessly shifted to another server at a remote data center. Once again, due to the significant infrastructure costs of building out a fully functional data recovery platform, disaster recovery services are much more cost effective when provided by an outside MSP.

5.) Scalability — Many organizations start out attempting to manage cyber security threats in house only to find that the growth of the organization outpaces the ability of the internal IT resources to scale accordingly. The costs of IT security infrastructure, software and human capital are significant. By using an outside MSP to provide security services, the organization only pays for what it needs when it needs it, with the ability to cost-effectively scale the function as the business grows.

According to PwC, the incidence of cyber attacks has risen by 130 percent over the course of 2017. The probability that it will happen to any given financial services company is already great and is increasing rapidly. It is imperative that every financial services company recognizes the steps and takes the appropriate action to protect both their customers and shareholders from the threat of a cyber attack.
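
The audit-tracking item above (repeated failed attempts to access unauthorized data trigger an alert) can be sketched as a per-account sliding-window detector. This is an added example, not part of the original article or any vendor's product; the log format, the 5-minute window, the threshold of 3 and all sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (illustrative, not real data).
# Assumed format: timestamp account resource outcome
SAMPLE_LOG = """\
2024-01-15T02:10:01Z svc-report /db/credit_files DENIED
2024-01-15T02:10:40Z svc-report /db/ssn_index DENIED
2024-01-15T02:11:15Z svc-report /db/credit_files DENIED
2024-01-15T02:12:00Z svc-report /db/ssn_index DENIED
2024-01-15T09:00:00Z alice /db/credit_files DENIED
2024-01-15T09:00:30Z alice /db/own_profile ALLOWED
2024-01-15T10:00:00Z bob /db/ssn_index DENIED
2024-01-15T10:10:00Z bob /db/ssn_index DENIED
2024-01-15T10:20:00Z bob /db/ssn_index DENIED
"""

WINDOW = timedelta(minutes=5)   # assumed look-back window
THRESHOLD = 3                   # assumed denials per account that raise an alert


def parse(line):
    ts, account, resource, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, resource, outcome


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per burst of denied accesses by the same account."""
    recent = defaultdict(deque)   # account -> (timestamp, resource) of recent denials
    alerting = set()              # accounts already alerted for the current burst
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, account, resource, outcome = parse(line)
        if outcome != "DENIED":
            continue
        q = recent[account]
        q.append((ts, resource))
        while ts - q[0][0] > window:      # drop denials older than the window
            q.popleft()
        if len(q) < threshold:
            alerting.discard(account)     # burst over, allow a future alert
        elif account not in alerting:
            alerting.add(account)
            alerts.append({"account": account, "at": ts, "denials": len(q),
                           "resources": sorted({r for _, r in q})})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log only `svc-report` alerts: a single stray denial (`alice`) and denials spread over twenty minutes (`bob`) stay below the threshold, and the fourth denial in the same burst does not raise a second alert.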