Once you got over the initial horror of Equifax's colossal data breach last week, the most surprising thing about the news was how unsurprising it really was.
While massive by any measure — the 143 million affected U.S. consumers represent nearly half the U.S. population — the Equifax breach, which included names, dates of birth, Social Security numbers, and (in some cases) driver's license and credit-card numbers, doesn't even rank among the three largest in recent years. Americans, unfortunately, are getting used to data breaches that involve populations equivalent to entire countries or even entire continents.
Equifax, though, seems to have made its own situation worse, spawning headlines such as "Equifax breach response turns dumpster fire." And that's where the most salient lesson for modern companies lies: Equifax learned the hard way that, in a data breach, there are always two potential scandals: the breach itself, and then the company's response.
The Equifax event offers pointers on both.
In a statement that was sure to be closely parsed, Equifax acknowledged the sheer scale of the breach and that the company had first discovered the breach on July 29, more than a month before going public. The company's stock is down 20 percent since the announcement.
It was hard to miss the irony, as many news reports pointed out, that the breach happened at a firm whose core business includes safeguarding sensitive personal information and selling credit monitoring services to customers whose data have been exposed. That critical narrative was likely unavoidable, even though we still don't know exactly how the breach occurred and so cannot yet assess how sophisticated the attack against Equifax was. But the reality is that, in today's threat environment, no business should consider itself immune from being hacked. That's why it's so important to have a well-considered response plan, and why companies in the future will learn from what Equifax did wrong.
The way this story played out in the first 48 hours offers important cautionary advice.
How can companies put themselves in a position to move not just faster but better? And how can they make sure they take account of the latest developments in the field? It starts with developing a plan that is clear-eyed about weaknesses and vulnerabilities and informed by lessons learned from past incidents. From there, companies should test their plan regularly with the executives who will have to implement it and make it work. This preparation cannot be limited to taking the paper plan off the shelf and reading it over once a year in a dimly lit conference room. Preparation must incorporate real-world exercises in which communications, legal, IT, and senior management executives face the same kind of wrenching decisions and partial information that would be present in a real crisis, and struggle with how to respond. And because government can help in these types of incidents, the preparation should also involve advance outreach to the regulators and law enforcement agencies who may be involved in an actual event. Companies should know whom to call immediately if they suffer a breach, both inside and outside the organization.
This may all sound like obvious advice, but a recent survey my firm conducted found that over 90 percent of companies do not consider themselves well prepared for a crisis, and even those that have a plan either lack key components or do not test those plans frequently enough to know whether they would actually work. Most businesses still don't invest in security at the level they should, given the risks they face. Even after years of increasingly high-profile—and even destructive—attacks on companies and governments across the world, too many organizations don't have a good plan for what happens if they become the target.
It should be clear by now — if it wasn't already — that there is no moat wide enough or wall high enough to prevent these incidents from happening. To acknowledge that, however, is not to say that there is nothing companies can do to mitigate the risk. Boards across the country saying "There but for the grace of God" should start asking questions now.
If they wait until the crisis hits, they won't like the answer.
Commentary by John P. Carlin and David Newman. Carlin was the assistant attorney general for the U.S. Department of Justice's National Security Division (NSD) and served as chief of staff and senior counsel to former FBI Director Robert S. Mueller, III, where he helped lead the FBI's evolution to meet growing and changing national security threats, including cyber threats. He currently chairs Morrison & Foerster's global risk and crisis management group and co-chairs its national security group. He is also the chair of the Aspen Institute's Cybersecurity & Technology Program and a CNBC contributor.
Newman is a former special assistant to the president, associate White House counsel, and director on the National Security Council staff. He is currently counsel at Morrison & Foerster LLP, where he represents clients in a wide variety of national security and global risk and crisis management issues.