I am not one to beat a horse when it’s already dead but, at the same time, I find it hard to resist the temptation of using this
possibly overstated security breach to reinforce the importance of putting your security house in order.
Your business needs you and the reverse is true. Don’t wait to find out the hard way. What follows is not a fictitious example of what can happen in real life. It’s happened!
On September 7, 2017, Equifax announced that it has suffered a cyber security incident that potentially affected 143 million U.S. consumers (approximately 45% of the total population).
It’s been nearly 8 months since this unfortunate incident occurred and the company’s stock continues to remain on the wrong side of Y-axis relative to those of its competitors. As you can see in the image below, this doesn’t look like a trend that would change anytime soon:
According to CSIMarket, an independent digital financial media company and provider of integrated financial information and analytical applications to the global investment community, here are some of EFX’s realities as things stand today:
- Revenue growth of 4.03% in Q1 of 2018 was below that of its competitors average revenue growth of 11.79 %, recorded in the same quarter;
- With net margin of 10.84 % company reported lower profitability than its competitors;
- Net income in Q1 of 2018 declined year on year by -39.64 %, despite income growth by most of its competitors
Financial Analysis is not my calling but I don’t think anyone requires a Bachelor’s degree in that field to understand the implications of these market realities. And by the way, nobody gets a prize for guessing the root cause of these bad numbers right.
As a cyber security professional, securing information systems perfectly shouldn’t be your goal. Rather, you should aim to secure those systems enough. To this point, some will argue that the folks at EFX may have secured their systems enough – if that’s the case then good luck to them. What constitutes “enough” varies from one organization to another but business leaders should never be hesitant to ask tough questions when seeking to establish whether enough is actually enough.
When, as professionals, we allow ourselves to be lulled into a false sense of security, we do the profession a great disservice. Professionals of the highest level of quality and integrity should always be their own worst critics. This can only inspire them to constantly seek improvement opportunities. As Norman Vincent Peale famously said, “The trouble with most of us is that we would rather be ruined by praise than saved by criticism”.
As an enterprise defender, have you ever stopped to ask yourself, “How susceptible is my organization to a crippling cyber attack?”.
I look forward to sharing my thoughts with fellow professionals at the NaijaSecCon Cybersecurity Conference on this question later today.
You might want to ask yourself that same question and start thinking about what to do with your findings.