In the immediate aftermath of a significant cybersecurity breach, particularly one involving the personal information of millions of individuals, a rush to attribution customarily begins.

In many instances, as Equifax recently found, when an organization is attacked, they face blame and criticism for the shortcomings of their security practices. But is that fair, and more importantly, does it miss the point?

The reality is that Equifax didn’t deserve to be compromised any more than anyone who may have had their identity stolen as a result of this incident. Even the best, well-funded businesses and security teams encounter defensive gaps and process failures.

Equifax logo
Bloomberg News

In the days after the breach, several reports suggest that the compromise occurred due to an unpatched web application vulnerability. Patching vulnerable applications is the No. 1 action an organization can take to reduce the likelihood of a compromise. However, it’s not uncommon for organizations to postpone or delay patching until well after a patch is available due to factors such as compatibility problems with the patch or impacts to productivity and uptime.

Whether the attackers used an unknown vulnerability, or one known and made exploitable by delayed patching is not the underlying issue. A lack of appropriate data protection practices, combined with a business model that relies upon the amassing of our personally identifiable information (PII), is the real problem. It’s time we started dealing with the fundamental issue — the credit bureau industry’s reliance on information about people to create a market where that information has value and then failing to properly protect that information.

The current business model employed by the credit bureau industry continually uses and accesses all of the information necessary to facilitate identity theft, PII and Social Security numbers. This outdated model motivates the compromise of our personal information in order to facilitate financial fraud.

Employing a model of this nature comes with a responsibility to protect the systems that are the underpinning of our financial identities by leading the industry in Time to Detect (TTD) breaches and incidents.

With threats evolving at breakneck speed and no shortage of determined attackers, there’s no such thing as perfect security. Credit bureaus can address identity theft by advancing the robustness of their security processes and abandoning outdated systems that rely on our personal information. But more important, reducing the frequency and impact of security incidents demands a systematic change in our approach to security. Only a systematic change that eliminates archaic practices and shrinks TTD will have a meaningful impact.