If you have a credit card or an internet connection, you are probably well aware of the Equifax security breach that exposed personal information belonging to 143 million customers in the U.S., Canada, and the U.K. The number of victims makes the Equifax breach one of the largest and most damaging in history.

Security analysts argue that the Equifax is one of "many organizations [that] are just not incentivized enough to make changes because there has been little fear of financial liability."

It all amounts to a humbling, painful lesson for Equifax and its executives. But if the multitudes of other companies that deal with our private, sensitive data think it’s a lesson with no relevance for them, they’d better think twice. Banks, health care systems, utility companies, telecom providers, colleges, employers, tax revenue departments, insurers, money managers — all typically are custodians of Social Security numbers and a wealth of other private data. Consider the Equifax debacle a loud wake-up call.

What distinguishes the Equifax fiasco is that Social Security numbers were exposed. Those are master keys that identity thieves can use in a variety of ways — to apply for credit as the faux you, steal your medical benefits or even commit crimes in your name.

Just as important, though, is the lesson this disaster provides for the myriad other companies and agencies responsible for keeping our private data safe. They can heed that lesson and tighten their security. Or they can risk facing the fallout Equifax is enduring now.

I’ve put together a list of tips that will assist you keep your company data secure.

  1. Assume you are already hacked. At all times. If you build your operations and defense with this premise in mind, your chances of detecting these types of attack and preventing the breach are much greater than most organizations today.
  2. The root cause of the breach was a website vulnerability but the data lived on the endpoint. I don’t have any details on the initial attack other than “Equifax discovered that criminals exploited a U.S. website application vulnerability to gain access to certain files,” but too many times when it comes to data protection we focus too often on the network and not enough on the data. When we do focus on the data, we focus on malware and not enough on attacks. Attackers will use any and all methods they can (typically the cheapest and fastest) to gain access. You need solutions that provide the full end-to-end picture of an attack.
  3. Detection still takes too long. Whether it’s 10 days, 30 days, 60 days or 210 days, the fact remains that is entirely too long for an attacker to be in your systems. We need to better enable defenders to detect and respond. In this particular case, their detection of the breach was shorter than most; however, the length of time the attackers had access to systems and data left 44% of the population vulnerable to identity theft.
  4. Visibility remains the key to detection and prevention. You cannot detect what you cannot see. It’s that simple. You need the right data to detect and prevent these types of attacks. Without it, what shot do you have? If you don’t have it, go get it. Remember, you are operating as if you are already breached. You wouldn’t walk around your house at night without turning on the lights or a flashlight if you thought someone was in your house, would you?
  5. We are all in this together. Data is linked. One breach can be leveraged for the next or the next. Think of how this data or the data from the OPM breach can be leveraged for intelligence purposes or cybercrime? We rely (unfortunately) on a social security number to prove who we are. Most people now know that and take protecting it semi seriously. What happens when the guardians of this data lapse? Maybe sharing a lesson from another team would have helped…maybe it wouldn’t have, but we have to talk about this as a community. We really have to take the lessons learned seriously and drive change in our own programs.
  6. It does not matter how big you are or the resources your team can access. I am assuming Equifax has a larger information security budget than most organizations. As defenders, we always think, “If I only had enough money or people I could solve this problem.” We need to change our thinking. It’s not how much you spend but rather, is that spend an effective use? Does it allow your team to disrupt attacks or just wait to be alerted (maybe)?
  7. It’s time we really start to look at options for replacing the social security number. We have two factors now for all kinds of things. Except what really matters most for most people.
  8. Encryption is your friend. These efforts are never easy to start and the projects take time, but stick it out — the benefits far outweigh the risks.
  9. Web application security is still a thing. Markets move and focus shifts over time, but WAF’s and dynamic testing are still valuable tools. OWASP groups meet all the time.
  10. Visibility is more crucial than ever. Did I say visibility twice? Because it’s that important.­

Do NOT make the same errors that Equifax has made! To ensure that not only your business data is secure but also that your clients’ data is equally protected, email us at info@synergyinc.net and request a *Free Network Data Security Assessment now! All you need to do is include your company name, your name, and your contact info. We’ll take care of the rest.

*Offer valid to qualified prospects with 5 or more computers and a minimum of 1 server.