If you haven’t heard about the Equifax breach by now, you’ve likely been living under a rock. Earlier in September, credit reporting agency Equifax revealed attackers used an exploit on its website to access the records of around 143 million US citizens. It’s one of the largest security breaches ever, and one that’s put everything from financial data to social insurance numbers at risk.
At the time of writing, whether or not the attack was state-sponsored is uncertain. What is abundantly clear, however, is the fact that it was entirely preventable. Although Equifax reacted shamefully slowly to the breach, it was at the very least candid about one thing: this all happened because there was a server flaw that it failed to patch.
The existence of such an obvious, easily-exploited security flaw in a company that routinely deals with such sensitive data is troubling, at best. Even though Equifax has recently taken steps to improve its security, there are more companies with its exact security posture. You need to make sure your business is not among them, especially if you’re working in a regulated industry.
Fortunately, this incident offers a few lessons in that regard:
- Make sure your servers are always up to date. This entire incident – and many like it – could have been easily prevented if Equifax had simply kept its systems up to date. Don’t ever skip applying security patches. The fact is, most cyberattacks aren’t the result of complicated, sophisticated methods.
- Organize your data properly. When it comes to a data breach, you need to know immediately which data was compromised – otherwise, you need to assume everything was. By properly archiving and organizing your data, you’ll not only be able to better control access to the most sensitive stuff, you’ll also be able to determine what information is at risk when an attack occurs.
- Respond promptly. When a breach occurs, you need to react immediately. You need to spread the word to both customers and stakeholders, and set to work mitigating the damage.
- Follow the news. Education is one of the most important keys to preventing a security incident – and not just for employees. It’s up to every decision-maker in an organization to pay attention to what’s generating buzz in the media, whether it’s ransomware or a rash of state-sponsored attacks.
- Embrace security. It’s unclear what sort of technology Equifax had in place to prevent unauthorized access, but it’s clear that it wasn’t enough to protect the data it managed. You need to be better. Invest in cybersecurity technology and training, and take the necessary steps to promote a cybersecurity culture within your organization.
- Pay attention to your partners. Even if you practice proper security within your own business, that doesn’t mean the third parties you work with will also do the same. You need to make sure you’ve security controls on your sensitive data that ensure it stays protected even when outside your perimeter.
Equifax will doubtless faces some severe consequences for failing to properly protect its data – both from customers and from regulators. It’s not the first firm to suffer in such a way, and it most definitely won’t be the last. By following the advice we’ve laid out in this piece, you can go a long way towards ensuring yours won’t be the next.