It's not so easy to keep up with technology. (alphaspirit/Shutterstock.com)
The in-the-news Equifax hack, exposing 143 million people's personal data to unknown cybercriminals starting in March 2017 but not made public until mid-September that year, was entirely avoidable. The company was using out-of-date software with known security weaknesses. But it appears that with Equifax, as with many organizations, those were just the beginning of the problems.
During the past three decades we've researched, developed and tested millions of lines of software for many purposes, including national defense and security, telecommunications, financial services, health care and online gaming. Over the years we've observed that the technical means by which a breach happens often reveal software vulnerabilities that need fixing.
But when the digital weaknesses are publicly known before an attack happens – as with the Equifax case – the more important element is why companies don't move more quickly to protect themselves and the people whose data they store. As suggested by the sudden departure of three top leaders (including the CEO) at Equifax, some of the problem is technical, but another big reason has to do with management and organizational structure.
Equifax, like most Fortune 100 firms, was using an open-source software platform called Apache Struts to run parts of its website. Every major piece of software has vulnerabilities, almost inevitably. When they're found, typically the company or organization that writes the software creates a fix and shares it with the world, along with notifications that users should update to the latest version. For regular people, that is often as easy as clicking a button to agree to update an operating system or software application.
For businesses, the process can be much harder. In part that's because many companies use complex systems of interacting software to run their websites. Changing one element may affect the other parts in unpredictable ways. This problem is especially true when companies use the same hardware and software for many years and don't keep up with every update along the way. It only makes matters worse when businesses outsource their software development and maintenance, denying themselves in-house expertise to call on when problems arise.
The best practices of cyber hygiene suggest combining development and operations (known as "DevOps") to simplify the process of regular and prompt patches and updates. Not practicing good cyber hygiene is like a doctor not washing her hands – washing may take extra time and energy, but it protects thousands of patients from infection.
When cyber hygiene works well, it's quite effective. In April 2017, news broke of a major flaw in iOS and Android systems that allowed hackers to remotely take over smartphones via Wi-Fi. Google and Apple immediately addressed the issue and distributed patches to fix it. This quick response indicates those companies have development and operations processes that meet industry standards for rapid and reliable writing, testing and rollout of software updates.
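The gap the article describes is measurable: a known weakness, a fixed version, and the days an organisation keeps running the old one. As an added example (not code from the original article or from Equifax), the check below walks a constructed software inventory and reports every component still below the version an advisory fixed, and for how long that weakness has been public; the hosts, versions, advisory ids and dates are placeholders, and the Struts versions shown are not the real affected ones.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, deliberately not a real CVE number
    component: str
    fixed_in: str      # first version that carries the fix
    published: date    # day the weakness became publicly known

def parse_version(text: str) -> tuple:
    """'2.3.9' -> (2, 3, 9), so '2.3.9' sorts below '2.3.15' (a string compare
    gets this wrong); trailing letters ('1.0.2k') are ignored, '2.3' == '2.3.0'."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def patch_lag(inventory: dict, advisories: list, today: date) -> list:
    """(host, component, running, advisory_id, days_public) for each deployed
    component still below an advisory's fixed version, most overdue first."""
    findings = []
    for host, components in inventory.items():
        for component, running in components.items():
            for adv in advisories:
                if adv.component != component:
                    continue
                if parse_version(running) < parse_version(adv.fixed_in):
                    days = (today - adv.published).days
                    findings.append((host, component, running, adv.advisory_id, days))
    return sorted(findings, key=lambda f: -f[4])

# Constructed sample data: hosts, versions, advisory ids and dates are
# illustrative placeholders, not Equifax's systems or real Struts advisories.
INVENTORY = {
    "web-01": {"Apache Struts": "2.3.9", "openssl": "1.0.2k"},
    "web-02": {"Apache Struts": "2.3.20", "openssl": "1.0.2k"},
    "api-01": {"Apache Struts": "2.5.1"},
}
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "Apache Struts", "2.3.20", date(2017, 3, 1)),
    Advisory("ADV-EXAMPLE-002", "openssl", "1.0.3", date(2017, 1, 26)),
]
CHECK_DATE = date(2017, 7, 29)  # the day the inventory review runs

if __name__ == "__main__":
    for host, comp, running, adv, days in patch_lag(INVENTORY, ADVISORIES, CHECK_DATE):
        print(f"{host}: {comp} {running} is below the fix for {adv}; public for {days} days")
```

The "days public" column is the number a management team should be tracking: every day it grows, the weakness is known to the world while the company's own systems remain unpatched.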
Trouble at the top
Beyond the inherent challenges in technology and in current business practices, corporate management can play a significant role in whether problems become disasters.
Companies that have systems for regular investment in software maintenance and rapid reaction to security vulnerabilities can respond to problems very quickly, as Apple and Google did. Equifax's slow response suggests it wasn't well prepared that way. And the company's history of outsourcing development to remote off-shore locations suggests there may not have been anyone in-house who had worked on the software needing updating.