One year ago Friday, Equifax announced its crippling data breach. Since then, regulators have declined to levy fines, and heavily publicized pending class action lawsuits against the company have gone silent.
Immediately following the breach, the company underwent a leadership shakeup with the former CEO, CIO and CSO retiring. Legislators grilled former CEO Richard Smith on the Hill, but criticism waned as time passed. Equifax has a new CEO and CTO and brought in a powerhouse CISO to retool security.
But after a slew of changes, it is business as usual for Equifax and industry has moved on from critiquing the consumer credit reporting agency.
"The world has not come to an end and very little else has changed," said John Parkinson, affiliate partner at Waterstone Management Group, in an interview with CIO Dive. Government has struggled to get itself sorted in terms of cybersecurity regulation, and even if it could, "you can't regulate or legislate the issue away."
Years of ambivalence
Looking back at the last few years of escalating cyberattacks, it's easy to pinpoint incidents that sparked change. Following the ransomware attack against Hollywood Presbyterian Medical Center in Los Angeles in February 2016, awareness increased over how to respond to such heists.
Then in 2017, with the rapid succession of WannaCry and NotPetya, businesses were put on notice about the increase of global malware campaigns.
Breaches, however, persist, driven by human error, lack of accountability and organizational neglect.
"Businesses are businesses. They're capitalistic. They're there to make money," said Kurtis Minder, CEO of GroupSense, a cyber reconnaissance firm, in an interview with CIO Dive.
Security is still considered an overhead, he said. Consequences, compliance and some way to market a product or technology innovation are the main drivers of change. "I don't think any of those things occurred in the case of Equifax."
Really, the effects were minor in the business scheme of things. "Nobody went to jail," Minder said. "They're still operating."
The laissez-faire approach to cybersecurity
Investigations into Equifax's breach reveal the incident was preventable. Rather than malicious attacks from a nation state or a global malware campaign, Equifax's breach was caused by a lack of security attentiveness and failure to patch a known vulnerability.
Other technology problems persist across financial services security. With decades of legacy technology, companies have layered on new systems, constructing digital walls around things that hold value, according to Parkinson.
Failure to modernize is a challenge across industries, spurring a rush to digitally transform for a new era of advanced technology. Compounding the problem is demand from customers and users.
In a rush to keep up with competitors, some companies are shorting security measures. More than half of companies have cut security efforts in order to meet deadlines or business demands, according to a recent survey from Threat Stack.
"The public is fixated on the ease of the internet," Parkinson said. Cybersecurity awareness has gone up year-over-year but perception of risk has declined.
As breaches have become more public, enterprises shy away from becoming front-page news and have invested in breach response plans, embracing the "not if, but when" acceptance of the inevitability of breaches.
Companies are bringing in incident response experts, which includes breach disclosure and letting authorities know about incidents, according to Minder.
Part of the response, however, places the onus for remediation on consumers, and many are too jaded to care.
Whenever there's a breach like Equifax, the knee-jerk response for enterprises is providing consumers with credit report monitoring, said Avivah Litan, VP and distinguished analyst at Gartner, in an interview with CIO Dive. It's "too little, too late" and puts too much burden on the consumer.
Instead, it's a more meaningful measure if companies put in identity fraud checks at the lenders, she said. Credit bureaus do have these services, but they are not being offered for free.
Companies are neglecting the severity of identity theft, treating breaches as lost revenue opportunities instead. Apologies persist, but the reactive approach to cybersecurity does not prioritize prevention, said Litan.
Industry has yet to see what will come of the stolen information, raising questions of who stole it and what their intent is.
With so many profiles ripe for identity theft, many are concerned over what could come of the breached information and the potential impacts on the credit economy.
"If you could destroy the trust in credit, you really can do some damage," said Parkinson.