Last week, credit reporting bureau Equifax reported that personal data belonging to approximately 143 million U.S. consumers was compromised in a massive information breach that began in mid-May of 2017 but not discovered until July. Organizations may be surprised to know how easily this breach could have been prevented, and that there are steps that can be taken to significantly reduce their risk of falling victim to a similar data breach.
Equifax has learned that its attackers remotely exploited an existing vulnerability in Apache Struts, a web application development framework that allowed the hackers to gain unauthorized access to stored information. The critical vulnerability was revealed by Apache in March 2017, along with recommended patches to fix it, nearly four months before the breach was discovered, but Equifax mistakenly failed to apply the available patches in a timely manner. If those fixes had been applied, it’s possible this breach would have been avoided, and so much personal information would not have been compromised.
For organizations that have critical information assets, such as customer data and proprietary corporate data, the risk of a data breach now is higher than ever. Symantec, a global leader in cybersecurity protection, suggests the following steps that any company can take to monitor and protect its important information:
1. Enforce security through IT compliance controls: Companies can reduce the risk of exposing sensitive information by conducting regular assessments on technical controls like password settings, server and firewall configurations, vulnerability scans and software updates/patches.
2. Stop incursion by targeted attacks: The top four means of hacker incursion into a company’s network are through exploiting system vulnerabilities, default password violations, SQL injections and targeted malware attacks. To restrict these avenues into the organization’s information assets and minimize attacks, companies can consider implementing a combination of the following: core systems protection, IT compliance controls assessment, penetration testing and endpoint management.
3. Prevent data loss: Even if a targeted attack is successful, it’s still possible to prevent a data breach by using network software to detect and block the extraction of confidential data. In particular, data loss prevention and security event management solutions can be combined to prevent data from being transmitted outbound.
4. Identify and protect information: In today’s digitally connected world, companies must accurately identify and proactively protect their most sensitive information wherever it is stored, sent or used. By enforcing data protection policies across servers, networks and endpoints throughout the enterprise, risk of a data breach can be progressively reduced.
5. Integrate prevention and response strategies into security operations: A data breach prevention and incident response plan that is integrated into the day-to-day operations of the security team and also involves key stakeholders is essential in protecting your company.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.