September 22, 2017
It's time to stop being complacent in our cybersecurity preparedness.
If anything has been learned from the Equifax breach, it is that companies need to stop being complacent and take cybersecurity defense preparation seriously. Equifax has confirmed that hackers entered their systems in May through a web-application vulnerability in Apache. The discovery and patch for this vulnerability was made available in March. Let me repeat that...MARCH! The credit-reporting agency had more than two months to take steps that would have defended the personal data of 143 million people from being exposed but THEY DIDN’T.
Bottom line is that breaches happen and they will continue to occur at an increasing level. Companies that are victim of breaches need to be more concerned with proving that they have taken responsible steps to prevent and respond to an event. If Equifax had been following the cybersecurity framework, then this breach may not have happened in the first place. There is a very good chance that Equifax may not survive this incident. Small and medium size businesses have now become the target for cybercrime, and in fact 60 percent who are attacked will shut down within six months after the attack. So what can organizations do to ensure they don’t end up in Equifax’s shoes?
3 ACTION ITEMS TO DO TODAY TO PREPARE
Remember when Yahoo lost $350 million of shareholder value in their sale to Verizon? There are many things that Yahoo could have done differently such as notifying customers in a reasonable time period as well as implementing technologies such as BlindHash that would have made it impossible for their passwords to have been stolen in the first place. All of this could have been done with a very small investment in cybersecurity preparedness, but instead companies are taking dangerous risks and putting their reputation and entire existence in danger.
Number One: Include a line item for cybersecurity preparedness in your budget. It’s amazing how many companies still do not have any resources dedicated to ensure proper defenses against an attack.
Security impacts every part of an organization and should be a budgetary consideration for each department. Millions of dollars are spent every year to build and protect brands and all it takes is one attack to have the brand tarnished, or even worse, erased. Imagine how busy the Equifax marketing team is trying to save their company's name?
Number Two: Virginia recently became the first state to adopt the NIST Cybersecurity Framework (NICE) and we expect other states to fall in line soon. All companies should adapt their defenses to ensure they are covering all 5 steps in the framework: Identify, Protect, Detect, Respond, and Recover. By implementing guidelines, technologies, and communication throughout your organization for all five steps, your company is placing themselves in the best position possible when a breach occurs.
Number Three: Ensure that your organization's certificate of insurance includes cybersecurity coverage. Fifty percent of reported cyberattacks are aimed at companies with less than $50 million in revenue. Cyber criminals see smaller organizations as soft targets and the attacks on these groups are increasing more each year. A single ransomware attack can and has taken entire organization downs.
Do not be lured into thinking that your organization is too small and insignificant to be the victim of a cyber crime. The thought of operating a business without liability insurance is unthinkable today. However, it is a fact that a cyber attack has a greater chance of shutting the doors than a liability claim does. Taking proper precautions, investing in security defense tools, and following best practices for privacy has proven to have a large return on investment.