Former Equifax CEO Richard Smith says he is "deeply sorry" for the security breach in which sensitive personal information of as many as 143 million Americans was compromised. The key parts of this sentence are the word “former” and number “143,000,000.” The sheer size of this breach required the CEO and numerous other executives to lose their jobs. Richard Smith will also be testifying in front of the House Energy and Commerce Committee tomorrow. Before this incident was reported in the media, Equifax was a well-respected company – now, millions of people will potentially have their accounts hacked as a result.

To make it more challenging for the company, numerous state lawsuits have been filed and the company has lost far more than $2 billion dollars in stock value so far.

The worst part of this breach is it could have been prevented by the company spending a very small amount of money – relatively speaking on an outside auditing and documentation package from an IT consulting firm. The problem would have been caught and then it could have been addressed.

It may not seem fair that the CEO is held liable for this problem but there is one reason why it is great that this is happening publicly. Mr. Richard Smith is becoming the poster child (sadly with many other CEOs) for the idea that Cybersecurity is not an IT issue, it’s a business issue. If companies and state, city and federal government agencies aren’t setting up a cybersecurity culture in their organizations, they are likely to be the next victims.

Here are some quick areas all corporate management needs to be aware of:

1.    Cybersecurity training is crucial.

2.    Auditing and documentation must be performed regularly to ensure systems are secure.

3.    Anomaly detection should be running constantly to detect threats as they emerge.

4.    Penetration testing shows if systems can easily be reached from the outside. Here is a case where this test might have saved two company’s’ reputations from being destroyed.

5.    Network forensics for when a breach eventually occurs. The bad guys always seem to get in eventually.

6.    An action plan to follow when a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched it’s response in what is being called a PR catastrophe.

If companies – regardless of size, start realizing cybersecurity is a business issue, they will be far more prepared for the inevitability of a breach and be able to respond quickly to minimize damage to the business. The tools above should be used by all companies and an outside firm is 100% necessary to check on any in-house workers to ensure the company’s crucial information is being secured properly.