Thoughts on the Equifax Data Breach
By now everyone should know that it is not a matter of if but of when a network will be compromised. Our personally identifiable information (PII) is a high-value target for attackers. The recent Equifax breach, in which the PII of more than 145 million people was stolen, is a perfect case study, because it shines a spotlight on the mistakes Equifax made.
1 – A known vulnerability in their web software (the Apache Struts framework, CVE-2017-5638) was left unpatched for roughly two months. The vulnerability had been publicly announced and a security patch was available to remediate it, yet the company did not apply it.
2 – The company did not disclose the breach in a timely manner.
3 – Several senior executives sold large blocks of company stock shortly before the announcement. The SEC is currently investigating.
4 – If policies existed that governed a responsible and effective response to a breach, were they followed? Did such policies even exist?
5 – Were all safeguards in place and current, with the latest threat-management software and signatures?
6 – Any entity holding electronic records containing PII, or any other valuable data, needs regular network penetration testing and vulnerability scanning. Had Equifax run such tests on a regular schedule, an unpatched, publicly known vulnerability in a web framework would almost certainly have been flagged, and it could have been patched promptly instead of sitting open for two months.
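The patch-currency check that items 1 and 6 call for, as an added example (it is not Equifax's tooling and not part of the original post): it compares a software inventory against a published advisory and reports which hosts still run an affected version, how many days the advisory has been public, and whether an internal patch SLA has been exceeded. The affected version ranges are the ones published for CVE-2017-5638; the host names, the inventory, the SLA of 30 days and the exact publication day are constructed assumptions for the example.

```python
"""Patch-currency check: flag inventory entries still running a version
covered by a published advisory, and report how long the advisory has
been open. Added example; the inventory, host names, SLA and dates are
constructed, not taken from Equifax or the original post."""
import re
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1). Pads to four fields so '2.5' == '2.5.0'
    and keeps only the leading digits of each field ('10-RC1' -> 10)."""
    fields = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        fields.append(int(m.group()) if m else 0)
    return tuple((fields + [0] * 4)[:4])


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    affected: tuple      # ((low, high), ...) inclusive version ranges
    fixed_in: tuple
    published: date


# Affected ranges as published for CVE-2017-5638 (Apache Struts 2).
# The disclosure was in early March 2017; the exact day is an assumption.
ADVISORIES = (
    Advisory(
        cve="CVE-2017-5638",
        component="apache-struts",
        affected=(("2.3.5", "2.3.31"), ("2.5", "2.5.10")),
        fixed_in=("2.3.32", "2.5.10.1"),
        published=date(2017, 3, 7),
    ),
)

# Constructed inventory; these are not real hosts.
INVENTORY = (
    {"host": "web01", "component": "apache-struts", "version": "2.3.30"},
    {"host": "web02", "component": "apache-struts", "version": "2.5.10.1"},
    {"host": "web03", "component": "apache-struts", "version": "2.5"},
    {"host": "web04", "component": "apache-struts", "version": "2.5.10-RC1"},
    {"host": "api01", "component": "spring-boot", "version": "1.5.7"},
)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when `version` falls inside any inclusive affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in adv.affected)


def find_exposed(inventory, advisories, as_of, max_patch_days: int = 30):
    """Return one finding per (host, advisory) still exposed on `as_of`
    (a date or ISO string), with the number of days the advisory has been
    public and whether the constructed patch SLA has been exceeded."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    findings = []
    for item in inventory:
        for adv in advisories:
            if item["component"] != adv.component:
                continue
            if not is_affected(item["version"], adv):
                continue
            days_open = (as_of - adv.published).days
            findings.append({
                "host": item["host"],
                "cve": adv.cve,
                "version": item["version"],
                "fixed_in": adv.fixed_in,
                "days_open": days_open,
                "sla_breached": days_open > max_patch_days,
            })
    return findings


if __name__ == "__main__":
    # 2017-05-13 is chosen to mirror the roughly two-month window above.
    for f in find_exposed(INVENTORY, ADVISORIES, as_of="2017-05-13"):
        state = "OVERDUE" if f["sla_breached"] else "open"
        print(f"{f['host']}: {f['cve']} via {f['version']} "
              f"({f['days_open']} days, {state}); "
              f"upgrade to {' or '.join(f['fixed_in'])}")
```

The point of the `days_open` field is that a scan which only says "vulnerable" is not enough; tying each finding to the advisory date turns it into a measurable patch-SLA breach that management can be held to, which is exactly the gap item 1 describes.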
Whether you are a large corporation, a small or medium-sized business, a government agency, or just a home with PCs, laptops, smartphones, etc., you need to exercise due diligence and secure your electronic assets.
At a recent North Rockland Chamber event an owner of a local business asked me, “I only have two PCs and a couple of smartphones that connect to my business network. Do I need a threat assessment?” My answer was, “If you turned on your computer one morning and the screen had a message saying all of your business files have been encrypted, a bitcoin ransom was demanded, and you couldn’t access your customer data, invoicing, etc., what would you do?” His eyes widened, and he understood that no business is too small for cyber-security planning.