I was reading about the conclusion of the Okta breach, and I thought it was remarkable that Okta actually did something. They changed their contracts so that Okta now manages third-party endpoints, and they fired the contractor where the breach originated.
Okta will now directly manage all devices of third parties that access our customer support tools, providing the necessary visibility to effectively respond to security incidents without relying on a third party. This will enable us to significantly reduce response times and report to customers with greater certainty on actual impact, rather than potential impact.
What impressed me was that the security team clearly got their way. I think we’ve all seen organizations make excuses for the status quo. But here’s an example where a company had practical options and took them.
I don’t like Equifax and won’t forgive them for their breach. But they also seem to have changed significantly, based on the public sharing of their Security Controls Framework.
So often it seems like nothing is said and nothing is done after a cybersecurity breach. Companies simply patch things up to get back to business and don’t fundamentally change how they do business.
Have you seen any exemplary cybersecurity preparation or responses by an organization?
References
- Okta Ends Investigation Into Lapsus$ Breach | Decipher
- Equifax Releases Security and Privacy Controls Framework | SecurityWeek
- Controls Framework | Equifax
- Basic Cybersecurity Blueprint | Why Ransomware Response Matters More Than Protection | SecurityWeek
- Former Uber CSO Joe Sullivan Avoids Prison Time Over Data Breach Cover-Up | SecurityWeek