$67bn data center giant Equinix was hit by a ransomware attack last week, the latest example of the vulnerabilities facing critical digital infrastructure in 2020.
Per a company statement on 13 September: “At this time, our investigation is centered on information related to our internal business. The incident continues to have no impact on our customers’ operations or the data on their equipment at Equinix.”
A large data center provider like Equinix is critical digital infrastructure today, along with cloud providers and managed service providers. As we wrote in the wake of the Cognizant breach, at a systemic level, vulnerabilities in a critical digital service provider (like a data center or services provider) create a heightened risk for all companies that rely on the company for aspects of their digital transformations.
In short, shortfalls in the security posture of a company like Equinix can create vulnerabilities for any company that relies upon it for aspects of digital transformation programs—from digital strategy and IOT to cloud enablement. This poses a risk not just to the shareholders of the service provider but to the shareholders of companies whose operations are disrupted by such a breach. A core role of a data center operator’s business is to protect the data it hosts. Shareholders would be prudent to ask the question of Equinix’s Management team: “How well or poorly is the company doing in protecting its data and that of its customers? What proof do we have, absent a known breach?”
One step removed, shareholders of any company that experiences a breach in its digital infrastructure—for example, a Salesforce that utilizes Equinix data centers—should be able to obtain objective information about how Salesforce may have been impacted. Investors expect the same in every other facet of financial risk. For example, a production delay or safety flaw in a Boeing jet leads to questions from and analysis by shareholders of airlines relying upon Boeing to deliver its product, as this impacts the airlines ability to generate revenue and profit. The same is true of digital infrastructure.
Additionally, there is the issue of data disclosure. Short of regulation requiring better data security disclosure standards, customers and the market have no choice but to take breached companies at their word when they say “the incident continues to have no impact on our customers’ operations or the data on their equipment at X company…”
Considering the financial risk of mismanaged technology and the fact that companies generally do a poor job preventing breaches, it is long overdue for common, transparent cybersecurity metrics that enable both the C-suite and shareholders to understand how well or poorly technology is being managed.