Equifax cultural issues
Motherboard reveals a catalog of issues and failings within Equifax that seem likely to have contributed to, or patently failed to prevent, May's breach of sensitive personal information on over 145 million Americans, almost half the US population.
Although we'll be using the Equifax breach to illustrate November's awareness materials on privacy, we could equally have used them in this month's module on security culture since, according to BoingBoing:
"Motherboard's Lorenzo Franceschi-Bicchierai spoke to several Equifax sources who described a culture of IT negligence and neglect, in which security audits and warnings were routinely disregarded, and where IT staff were unable to believe that their employers were so cavalier with the sensitive data the company had amassed."
'A culture of IT negligence and neglect' is almost the opposite of a security culture, more of a toxic culture you could say. Workers who simply don't give a stuff about information security or privacy are hardly likely to lift a finger if someone reports issues to them, especially if (as seems likely) senior managers are complicit, perhaps even the source of the toxin. Their lack of support, leadership, prioritization and resourcing for the activities necessary to identify and address information risks makes it hard for professionals, staff members and even management colleagues who do give a stuff .... and that's why we are determined to help organizations educate and motivate management through security awareness and training materials written for that specific audience, not just staff.
In case it's not crystal clear already, consider this. Which of these do you think would have a better grip on its information risks, privacy and other compliance imperatives:
An organization whose security-aware managers understand the issues, proactively supporting, encouraging and leading the associated information risk management activities
- or -
One whose managers pay this no attention whatsoever, perhaps even actively undermining any attempts to deal with the issues?