Equifax breach: A learning opportunity to get ahead of the constant threats

If you haven’t heard already, Equifax—one of the “big-three” U.S. credit bureaus—announced a data breach affecting 143 million Americans. This included Social Security numbers, birth dates, and addresses.

When a breach this size hits the news, most outlets focus on attribution (who did it?) or sensationalism. But there is a much more practical question for your organization: When is the last time you demonstrated that your security controls actually work?

The Martial Arts of Defense

Imagine you are learning a martial art—karate, boxing, or jiu-jitsu. You can read every book, watch every instructional video, and practice the moves on your own. But what happens the first time you encounter a legitimate, physical threat?

Without real-life training, you’ll likely go into shock. You’ll fumble. You’ll forget everything you taught yourself because you haven't built the "muscle memory" of a real fight.

This is exactly how most organizations treat their defensive infrastructure. They have the "books" (policies) and the "gear" (firewalls), but they’ve never actually stepped into the ring.

The Three Pillars of Readiness

If your organization isn’t participating in these three activities, you aren’t ready for a breach—no matter how great your security tools are:

  1. Tabletop Exercises: A low-stress meeting of key stakeholders to walk step-by-step through a disaster scenario.
  2. Drills: A hands-on test where staff carry out the actual processes and mitigations required during an emergency.
  3. Full-Scope Offensive Attacks: Real-world simulations (like Red Teaming) where testers try to bypass your defenses without a pre-defined "path."

How to Build Your "Fight" Strategy

1. Start with the Tabletop

A tabletop exercise isn't just for IT; it should include legal, PR, and executive leadership. Use the Equifax breach as your scenario.

  • The Scenario: Imagine those 143 million records are yours.
  • The Walkthrough: Who is the first person called? What is the legal timeline for notification? How does the PR team handle the influx of customer calls?
  • The Goal: Take the guesswork and panic out of the situation before it becomes a live crisis.

2. Move to Targeted Drills

While drills are more limited in scope than a full attack, they are perfect for testing specific gaps:

  • Backup Recovery: Don't just check if the backup "finished." Try to restore a mission-critical database from scratch.
  • Failover Tests: Manually fail over services to secondary clusters to see if your redundancy actually holds up.
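
A minimal restore drill in the spirit of the backup recovery item above, added here as an illustration and not taken from the original post. It assumes SQLite as a stand-in for the mission-critical database; the table, file names, and helper functions are hypothetical, and the data is constructed sample data.

```python
import hashlib, os, shutil, sqlite3, tempfile

def make_source_db(path, rows=2000):
    # Constructed stand-in for a mission-critical database (sample data only).
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO customers (name) VALUES (?)",
                    [(f"customer-{i}",) for i in range(rows)])
    con.commit()
    con.close()

def fingerprint(path):
    # Integrity check, then row count and content digest from a fresh connection.
    con = sqlite3.connect(path)
    try:
        if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise sqlite3.DatabaseError("integrity_check failed")
        digest, count = hashlib.sha256(), 0
        for row in con.execute("SELECT id, name FROM customers ORDER BY id"):
            digest.update(repr(row).encode())
            count += 1
        return count, digest.hexdigest()
    finally:
        con.close()

def restore_drill(backup_path, expected):
    # Restore into an empty scratch directory and prove the data is usable.
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, "restored.db")
        shutil.copyfile(backup_path, restored)
        try:
            return fingerprint(restored) == expected
        except sqlite3.Error:
            return False  # file exists but cannot be opened or queried

def run_demo():
    with tempfile.TemporaryDirectory() as work:
        live, backup = os.path.join(work, "live.db"), os.path.join(work, "backup.db")
        make_source_db(live)
        src, dst = sqlite3.connect(live), sqlite3.connect(backup)
        src.backup(dst)  # the backup job "finished" without error
        src.close(); dst.close()
        expected = fingerprint(live)  # recorded at backup time
        good = restore_drill(backup, expected)
        # Simulate storage damage after the job reported success: cut the file in half.
        os.truncate(backup, os.path.getsize(backup) // 2)
        damaged = restore_drill(backup, expected)
        return good, damaged

if __name__ == "__main__":
    print(run_demo())
```

The second drill fails even though the backup job itself never reported an error, which is the gap a "did it finish?" check cannot see.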

3. Analyze and Remediate

Running these exercises will inevitably bring up concerns or limitations. This is a win. It is far better to identify a bottleneck in your communication chain during a meeting than while your company is trending on the nightly news.

Summary

In a future post, we’ll dive deeper into the specifics of creating effective drills and tabletops. In the meantime, use the mistakes of others as a low-cost learning opportunity. Attackers don't follow a "scope"—they play for keeps. It's time to find out if your defenses can actually take a punch.
