The iconic American humorist Will Rogers once said, “If you find yourself in a hole, stop digging.” It is a timeless expression that is as applicable today as it would have been decades ago when Rogers first uttered those words. In the age of social media and endless news cycles, politicians, other public figures, and well-known companies can find themselves in a hole without warning. Too often, their instincts are to just keep digging.
The latest company that’s failing to heed Will Rogers’ sage advice is Equifax. At a time when announcements about a new cyberattack have become almost routine, Equifax’s disclosure of a breach that compromised information relating to about 143 million of its customers was shocking. In a single, massive hack, names, Social Security numbers, and other personal data were exposed for more than 40 percent of the U.S. population.
The response to the breach by the Atlanta-based credit-reporting agency has been less than stellar. The company took the expected steps of setting up a website, offering free credit monitoring and identity-theft protection for affected customers, and offering apologies with a promise to do better.
However, Equifax has struggled to manage the fallout, with seemingly new revelations compounding its woes on a daily basis.
It’s hard to imagine a more damaging week for Equifax’s reputation. While nothing could undo the damage resulting from the massive breach, the company’s response has seemingly been to break out the shovels. As Information Age has observed, “When a breach is discovered, it is essential to act comprehensively and quickly, or it may expose the business to greater liability.” The publication offers 6 Critical Steps to Deal with a Cyberattack:
It is important to understand that these steps are interrelated, and doing one or more poorly can affect the others.
There are many unanswered questions about the multiple Equifax hacks, the company’s response to them, the company’s commitment to protecting personally identifiable information (PII), and the suspect sale of stock by its executives.
One thing that is clear is that Equifax has failed to manage the fallout well. The message that the company is accountable and diligently working to address the problems is falling on deaf ears. It is being drowned out by suspicion that company leaders profited from the data breach and questions about the company’s commitment to protect its customers.
As internal auditors, we have obligations that extend far beyond assurance that our companies’ cyber controls are effective. No one can provide absolute assurance that a cyberattack will not hit their organization. So, we must also assess the organization’s readiness to address a cyber breach when it inevitably occurs. Otherwise, company executives may be prone to just keep digging.
We should help our organizations to learn from the mistakes that plague so many others when it comes to responding to cyber breaches or any other 21st century crisis. For as Will Rogers also noted, “Good judgment comes from experience, and a lot of that comes from bad judgment.”
As always, I look forward to your comments.