The Equifax effect: IT pros and business data security
Good advice from IT pros can reduce chances of a data breach
With the latest cyber hack of Equifax in the news, consumers and businesses alike are scrambling to check on their data’s security, and taking steps, such as freezing accounts, to mitigate any possible financial damage. However, the best strategy is to be pro-active in protecting data before breaches have a chance to occur in the first place. Equifax’s failure to do so is a cautionary tale for businesses and other organizations of what not to do about handling sensitive data.
The back story
The Equifax attack occurred back in May of 2017 and was discovered in July, but not revealed publicly until earlier in September of 2017. The attackers exploited a known vulnerability in the Apache Struts’ web-application software, an enterprise platform used by numerous organizations. The attack turned out to have been entirely preventable, according to Rene Gielen, vice-president of the software firm, citing a patch with installation instructions available to users two months before the attacks ever began.
The breach left over 143 million people’s credit histories vulnerable, with lawsuits pouring in by the dozens. Names, social security numbers, bank accounts, credit card information – all were left bare for the hackers who had plenty of time to access sensitive information.
Could this happen again?
According to credit expert and former FICO employee John Ulzheimer quoted in Business Insider, the short answer is yes. There is no perfect way to keep out determined hackers, who have become more sophisticated in their hacking methods as well as taking advantage of obvious flaws, like the one which occurred in the Apache Struts’ software. That said, there are ways to make data storage and related systems less attractive to potential hackers.
What can be done to safeguard data for now?
There are two primary options that consumers, including businesses, can take to reduce damage from a hack:
- Fraud alert notice– this free service allows consumers to call one of the three credit bureaus to notify that possible fraud has or could occur, requiring that anyone pulling a report must verbally verify the applicant’s identity for a future loan or other credit transactions.
- Credit freeze– this removes a credit report from circulation and prevents anyone with whom there is not already a credit relationship from accessing the report. There is a fee (usually between $5-10) to set up well as another to remove it if applying for a new mortgage or car loan. Each credit bureau must also be notified individually:
- Equifax – 1-800-349-9960
- Experian – 1-888-397-3742
- TransUnion – 1-888-909-8872
A credit freeze can’t prevent thieves from changing existing accounts, continued, close monitoring will still be necessary.
What steps can businesses take for the long term to protect their data?
Security software giant Symantec offers a number of common-sense precautions and actions that businesses can use to sharply reduce the chances of a hack by making their data harder and more time-consuming for a would-be hacker to breach by implementing the following suggestions:
- Hire a trusted IT professional to perform a security audit of your entire system and IT infrastructure, from computers to networks and mobile devices. If vulnerabilities are found, be sure to have them immediately resolved.
- Raise awareness among staffers about the critical role they play in maintaining security. Human error and carelessness are a major factor in cyber attacks and security breaches, so educate employees and others with access to data to be vigilant and mindful of where and how they use business data. Speaking of users, the smaller the group with data access, the better.
- Use multiple, strong passwords and change them on a regular basis, making it harder for hackers to figure out and steal.
- Encrypt data so that if a hard disk or thumb USB is lost or stolen, whoever accesses the data will be unable to read it.
- Backup data frequently and regularly, to ensure that critical data will be available if a hack occurs or from a sudden power loss or other system damage.
- Develop and enforce security policies among all users with access, including mandates such as no security information to be given over the phone, or that all devices connected to the business’s network have approved security software installed.
- Use caution in allowing employees to use their own (BYOD) devices; a recent survey showed that a fifth of employees had corporate data on their smartphones, which could create a serious breach if the phone were to be lost or stolen. All devices connected to the business’s network should use virtual private network (VPN) access for additional protection.
- Pay attention to the mobile workforce’s security, using extra caution when in open wi-fi areas, such as coffee shops or lobbies, where potential hackers often hang out on the prowl for careless users.
- Create multiple layers of security for each device utilized – from desktops, mobile devices, file server, network endpoint and email server. Begin with protective firewalls, with additional security layers such as contact forms and login boxes, allowing a company to be immediately alerted if an intrusion occurs.
- Consider using a monitoring service, such as HackAlert, to protect site visitors by detecting malware codes that may have infected the system.
- Avoid storing sensitive data for extended periods – purge passwords and similar records on a periodic basis, even if it makes for a bit of customer inconvenience having to re-enter passwords and other identifying information.
As more hackers and others with malicious intent gain experience and sophistication in their methods, the cost of cyber breaches is estimated to surpass the $2 trillion mark by 2019 according to a model published by the RAND Corporation and Juniper Networks. With the increasing chances of being hacked and the possibility of subsequent lawsuits, fines and investigations, a company who ignores the handwriting on the wall, as well as IT experts’ advice for prevention and intervention, will do so at their peril.