How Equifax Continues Pioneering in Cybersecurity

March 21, 2024

CYBERSECURITY IS A COMPANY-WIDE PRIORITY AT EQUIFAX. In 2023, we increased efficiency, reduced friction and reinforced our internal security culture, while also collaborating externally to make the world more cybersecure. These and other improvements are highlighted in our newly released 2023 Security Annual Report.

Equifax Chief Information Security Officer and Chief Technology Officer Jamil Farshchi recently sat down with Keisha Lazenby, our SVP of Security Governance & Compliance, to unpack the report’s significance. Watch the full interview or read its highlights below. 

Q: What’s the significance of the Security Annual Report?

A: It documents another year of raising the bar. And it underscores our commitment to transparency. I hope other organizations can read through this and glean some insights, too. We want others to learn from our work so that they can put their programs in the best positions possible.

Q: You talk about the attackers’ playbook (“fast, adaptable and relentless”) in the report. Explain how we’ve adopted a similar mindset.

A: If you look at the bad actors, they've used super high-tech deep fakes to compromise organizations, and they've used super low-tech things like tricking tech support help desk workers. And they've been successful.

One key theme though, across all the attacks, is that they're relentless. They’re adaptable. And they're super fast. So I don't know why we should operate any differently. If we want to truly protect our organizations, we need to be nimble. We need to be able to respond as quickly as possible. We've done that this year multiple times. Examples include:

  • Replacing knowledge-based authentication (KBA) with biometric caller authentication for our help desks in a two-month span.

  • Briefing all of our employees on the deepfake threats before cybercriminals started successfully attacking other businesses with them.

  • Applying compensating controls for new vulnerabilities even before patches are available — and doing it with speed and rigor.

Q: The report covers the plan to “eliminate secrets” within your approach to security. What do you mean by that?

A: When we talk about secrets, we're talking about the static credentials that we all have throughout our organization. So your passwords, for example. And security questions like “What’s your mother’s maiden name?”

Almost all successful hacks are due to credentials. When we eliminate them — using more dynamic, inherently secure methods like biometrics instead — the attack surface shrinks significantly. Plus it helps employees do their jobs faster. It’s a win-win!

Q: How are we enabling our leading security practices to be incorporated by other organizations and individuals?

A: I think security is a team sport. We will only win if we can share and learn from each other. So as we have for the past several years, we continued this work in 2023:

We want to uplift the broader community as much as we can.

Q: The Security Maturity score (which measures how well a company can adapt to cyber threats and manage risk over time) improved in 2023 and continued to outperform all major benchmarks. What drove that?

A: We've instilled the culture that we need top to bottom. From the board all the way down throughout the company. We've hired top talent. We've invested more than $1.5 billion into our security and technology capabilities. 

It was never one thing. With any of the big challenges that I've ever faced in my life, there's never just one single answer for it. We took that same approach here. It was a multitude of different facets.

We continue to focus on being one day better, because with those dynamic, resilient, adaptable adversaries out there, if we rest on our laurels, it's going to be a tough time for us. Continuing to move forward, continuing to make the investments we need, and ultimately keeping the culture we’ve built has really led us to success.

Read the full report here.