Pascal Allison says
The WSJ had a nice article on the Equifax breach. Lots of lessons in there but most are things they should have known.
Equifax knew about the vulnerability or exposure before the attack. Now, whether the decision was intentional (accept the risk) or not, the risk was managed poorly. Equifax is in possession of Personally Identifiable Information (PII); Equifax is under a legal obligation to protect that information, its business, and its customers, which it failed to do.
Lesson learned: doing the right thing, doing things right. Do it right the first time.
Organizations need to conduct an effective and efficient risk evaluation and cost analysis (risk management and enterprise risk management) to determine how much risk the organization can accept and the cost to accept the risk.
When the analysis and evaluation are finalized, or when a risk is detected, a decision must be made:
Avoid the risk if possible; reduce it, share it, or accept it.
Accepting the risk should be the last option.
Accepting risk is a good risk management action, but it is not a chance to take without careful evaluation, because there is a lot at stake: ethics, morals, lawsuits, and finances. If the cost to avoid it is less than the cost to repair it, do not allow it to break.