The Lockdown

Thycotic’s Cyber Security Blog

Could basic password security practices have helped prevent the latest Equifax lawsuit?


Written by Chris Smith

November 7th, 2019

Fallout from the 2017 Equifax data breach is back in the news as a new class-action suit consolidated 373 previous lawsuits into one. Unlike previous lawsuits filed by Equifax customers, the latest action comes from shareholders that allege the company didn’t adequately follow or disclose security practices, including poor password management.

If you google “what is the most common password?” you’ll find numerous compilations of the weakest credentials, and in every one of them the likes of “admin,” “password” and “123456” sit at the top of the list. We’ve all heard this advice a million times: use strong passwords, remove defaults, and keep the keys in a secure location. So why do even the largest corporations in the most data-sensitive industries sometimes drop the ball on the most basic cyber defense strategies?


You only have to look at the number of high-profile cyber security breaches to see that Equifax is not alone. Many IT teams continue to make poor credential choices. Inadequate privileged access management leads to fines for non-compliance and class action suits that implicate executives for lack of oversight. Fines are expensive and embarrassing; class action lawsuits from customers or shareholders can shut a company down.

Lack of password security knowledge is not an adequate defense

As this latest lawsuit shows, IT leaders, executives and boards need to be aware of how passwords are handled and know the best questions to ask to make sure best practices are being followed. As recent lawsuits have shown, password management has become such a fundamental security requirement that saying you “didn’t know it was important” is not a legitimate defense.

On the other hand, if you can demonstrate that your company was following security practices in compliance with defined standards, even if you experience a cyber-attack you may be protected from lawsuits under Safe Harbor provisions.

Password security practices that could have helped prevent the latest Equifax breach fallout 

Set strong passwords: Passwords should be long and complex, with a mix of letters, numbers and characters. PAM tools remove the need for users or administrators to memorize passwords (or even create them in the first place) as creation and updates take place automatically behind the scenes.

Remove defaults: Typically, in a new software or hardware set up, Admin passwords are set to default values. Before these systems go into production, default passwords need to be changed.

Encrypt personal and sensitive information: Confidential information—including passwords used to access that information—should never be stored on a public-facing web server. Only authorized users who have the appropriate decryption key should have access.
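The first two practices above (strong passwords and no defaults left in place) can be turned into a pre-production check. The script below is an added example written for this post; it is not Thycotic’s code and does not represent how a PAM product implements these controls. The list of default/common credentials (beyond the “admin,” “password” and “123456” named above), the 16-character minimum, and the sample account inventory are all constructed assumptions, since the post says only “long and complex” without giving a number.

```python
import re
import secrets
import string
from typing import Dict, List

# Constructed list of default and commonly-used credentials. "admin", "password"
# and "123456" come from the post; the rest are assumed examples of the kind of
# vendor defaults a production readiness check would also want to catch.
WEAK_PASSWORDS = {"admin", "password", "123456", "changeme", "default", "root"}

# Minimum length is an assumption: the post says "long and complex" without a number.
MIN_LENGTH = 16

# Each rule: (violation description, regex that a compliant password must match)
CHARACTER_CLASS_RULES = [
    ("no lowercase letter", r"[a-z]"),
    ("no uppercase letter", r"[A-Z]"),
    ("no digit", r"[0-9]"),
    ("no punctuation character", r"[^A-Za-z0-9]"),
]


def check_password_policy(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of policy violations for a password; an empty list means compliant."""
    if password == "":
        return ["blank password"]
    problems = []
    # Case-insensitive match against the default/common list ("Password" is still "password")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("matches a known default/common password")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for description, pattern in CHARACTER_CLASS_RULES:
        if not re.search(pattern, password):
            problems.append(description)
    return problems


def generate_password(length: int = 24) -> str:
    """Generate a random password from the OS CSPRNG that satisfies the policy above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Reject the rare draw that misses a character class and try again.
        if not check_password_policy(candidate, min_length=length):
            return candidate


def audit_accounts(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each non-compliant account name to its violations; compliant accounts are omitted."""
    findings = {}
    for name, password in accounts.items():
        problems = check_password_policy(password)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample inventory of accounts on a system about to go into production.
SAMPLE_ACCOUNTS = {
    "admin": "admin",               # vendor default never changed
    "dbsvc": "Summer2019!",         # human-chosen, too short
    "appuser": "",                  # blank
    "backup": generate_password(),  # rotated by tooling, compliant
}

if __name__ == "__main__":
    for name, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'; '.join(problems)}")
```

Run as a script it reports the three non-compliant sample accounts and stays silent about the generated one. Two design points matter for a real deployment: comparisons against the default list are case-insensitive, so a capitalised vendor default is still caught, and the generator draws from `secrets` rather than `random`, which is the difference between a password an attacker cannot predict and one that merely looks random.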

Siloed password decisions lead to inconsistent security

As companies grow larger, local offices and business units often make their own decisions about IT processes and supporting tools. As a result, one group may have strict policies and oversight, while another allows more freedom. Some teams are well trained on proper security behavior while others aren’t. Especially as companies merge and acquire new businesses, system integration takes time and an organization can become a patchwork of security practices and technologies.

Privileged access management is not an optional security strategy that can be implemented in some locations but not others. If one location of a company has strong password management but another doesn’t, the entire company can be exposed to a security breach. If the breach is made public, the entire company’s brand reputation is at stake even if only one location was affected.

TO DO: Set consistent security policies across your organization and ensure every location and department is aware of them

Start by customizing Thycotic’s PAM policy template to match your organization’s password policies and compliance requirements.

This way even if technology decisions take time to synthesize and even if you determine that different groups can choose their own tools, everyone will be held accountable to the same standard. You’ll reduce your risk of a data breach and protect your company from fines and lawsuits from which you may never recover.

