When it comes to incident response, it isn't all about forensics and technology.
Solution providers said the Equifax mega breach disclosed this week highlighted that fact: public criticism of the company's inadequate public relations and breach notification procedures shows the need for the "nontechnical" side of an incident response plan.
Jeremy Samide, CEO of North Olmsted, Ohio-based Stealthcare, which offers incident response services as part of its security solution provider practice, said thorough incident response needs to include steps beyond forensics, including legal, regulatory and compliance, executive notifications, breach notification to customers, and more.
"You need both pieces," Samide said, referring to both the technical and nontechnical pieces, such as legal. "It's really that layered approach. … These are real risks."
Stealthcare regularly works with inside and outside legal counsel when it does incident response engagements with clients, according to Samide. Companies in various industries have different requirements for legal and regulatory involvement, depending on their size and vertical.
The Equifax breach, disclosed Thursday, impacts 143 million customers of Equifax's credit and information services. The company said the breach included information on names, birth dates, Social Security numbers, addresses, and some driver's license numbers. It also included more than 200,000 credit card numbers and nearly 200,000 other documents with personal identifying information. It said the breach did not appear to impact its core consumer or commercial credit reporting databases.
Equifax has been heavily criticized by the public on Twitter and other avenues for the quality of its response, including criticisms of the company's offer of a year of credit monitoring services to those affected. It has also proved challenging for some customers to find out if they have actually been impacted, with reports that the call centers set up to field customer questions don't have enough information to tell users if their personal information was hacked. The company did launch a site for users to check to see if their information was included in the breach, but checking the information reportedly waives a user's right to be part of a class-action lawsuit.
Alton Kizziah, vice president of global managed services at Kudelski Security, said Equifax's response to the breach is "quite fast compared to what we see usually," but that the quality of the response was lacking. Kizziah highlighted the company's offering of credit monitoring services to affected customers as a "sad joke."
"I’m sure I have multiple free credit monitoring offers at this point," Kizziah said, adding that he appears to have been impacted by this particular breach. "Vendors should think about how to get better at response and the softer side of the actions they take afterwards. Free credit monitoring just isn’t valuable anymore and, in this case, it’s quite ironic."
Stealthcare's Samide said it typically takes the solution provider's customers about a week to a week and a half to get the board of directors up to speed, get legal engaged, and start the forensics process with an incident response team and investigators. That time frame includes legal, drafting disclosures, and prepping for customer notifications, he said. Equifax said it discovered the breach on July 29 and notified the public this week.
Equifax said it has engaged a "leading, independent cybersecurity firm" – though it didn't name the company – and is already working with law enforcement.
It is especially important for companies like Equifax, which handles sensitive customer personal information, to have a strong security posture, said Samide, adding it is "their business to protect personally identifiable information." That includes a "layered approach" to security, including technology, threat intelligence, education of management and employees, and integration across the network, he said.
"The lessons have not yet been learned… to protect the data that is the crown jewels of the organization," Samide said. "This is something we educate all of our customers on: You have to protect the data that makes your company run. You have to protect that value and create a layered security approach."
The Equifax breach is just the latest example of a high-profile company getting hit, said Kudelski Security's Kizziah, citing other recent examples of AWS data exposures. He said enterprises need to "be creative" in expanding the ways they protect their systems in the modern technology era, especially where critical customer data is concerned.
"The news of this breach is especially disappointing but not surprising as we continue to see these types of events accelerating despite increased spending in security overall," he said.