Lessons HR should learn from the Equifax data breach

Security expert David Mold assesses where the firm went wrong, and how HR can drive organisations’ cybersecurity efforts

Although the Equifax incident is not the biggest of all time – that crown goes to Yahoo – it has already become a landmark case study for how not to respond to a data breach.

It failed to inform more than 146 million unknowing victims, 694,000 of whom were from the UK, until nearly two months after the breach occurred, and directors sold their shares before the announcement was made. It launched a website to assist those affected that was not only flagged by phishing filters but gave victims conflicting results and attempted to waive their right to pursue legal action. And a miscommunication meant that people seeking advice were mistakenly directed to a fake site with a slightly different domain address. Collectively, these failures destroyed consumer trust and caused irreparable reputational damage to the brand.

Evidence suggests basic security measures had been lax at Equifax for some time. Just months earlier hackers stole W-2 tax data from its payroll and HR subsidiary, TALX, indicating lessons hadn’t been learned and security failings were allowed to slowly escalate to crisis point.

Since the Equifax breach, there have been two more large-scale attacks: at the Securities and Exchange Commission, the top US markets regulator, and at Deloitte. These are a clear indication that an endemic problem exists that will continue to repeat itself unless we change our approach to privacy and security.

So what can organisations do to protect their data assets? It’s easy to assume that responsibility for protecting a company from a data breach lies firmly at the doors of the IT department. Robust security measures are, of course, critical to protecting data – but this needs to be supported by a top-down culture and policies built on values of transparency, privacy and security. This is where HR can come to the fore.

As custodians of sensitive ‘people data’, HR professionals have a huge role to play in the fight against cyber-crime. When employees start a new job they happily provide personal information under the assumption that it will be stored safely. It is up to HR to make sure it stays that way by ensuring leaders and employees recognise the importance of company compliance policies and follow them stringently.

Employees are the first line of defence when it comes to security, but they are also a weak link. There is no substitute for continually investing in education: HR teams should be highly qualified to handle aggregated data safely and with empathy for the data subject, trained to be risk aware, and clear on what to do in the event of a breach.

Schooling staff on the latest breaches, and keeping them up to date on security protocols, changes to the Data Protection Bill, the General Data Protection Regulation (GDPR) and phishing scams, can help instil good habits and enforce good practice.

Ensuring workers only have access to the data they need to do their job can also help to safeguard sensitive information.

Managers should also take time out to assess their IT infrastructure (particularly external systems providers) to gain assurances that they abide by industry standards and question what measures they have in place to protect their perimeters and ensure all patching is up to date.

Vendors that have achieved ISO 27001 certification have been independently verified as meeting the highest data security standards, which shows that an effective framework for information security is in place. Effective controls under the ISAE 3402 standard and Cyber Essentials certification likewise illustrate that a vendor has taken the necessary precautions to be cyber-safe.

Data sovereignty should also be a key consideration. Carrying out a data audit and questioning vendors about where data actually resides will help assess whether data storage complies with current and future protection laws.

It is important to note that when the GDPR is enshrined in the Data Protection Bill from May 2018, UK data protection law will also feature additional criminal offences for unlawfully obtaining data, deliberately denying access to data and re-identifying data. This means that engaging vendors whose data centres are based solely in the UK will ensure your data falls under stricter jurisdiction than if it were stored elsewhere.

The Equifax breach is a sharp reminder that there is no place for ignorance, and now is the time to examine your data protection and privacy practices.

David Mold is chief security officer at human capital solutions provider MHR