How to Avoid Becoming the Next Equifax

U.S. credit bureau giant Equifax is now known as the big bad wolf when it comes to massive data breaches, but how well do you really understand what happened, the crippling impact, and how easily your company could be in their exact same shoes? It may seem far-fetched that Equifax, a company with over 10,000 employees and a 2016 revenue of $3.144 billion, could be in the same league as any other company, but for hackers, all victims hold a special place in their cold dark hearts.

How Hackers Managed to Attack Equifax

What exactly happened with Equifax and how bad is it? On July 29, 2017, employees discovered criminals had exploited a website application allowing access to files containing confidential data including names, birth dates, social security numbers, addresses, driver’s license numbers, and credit card numbers. The extensive impact to consumers is mind-numbing. In the US alone over 145.5 million citizens were exposed in addition to 693,000 British and 8,000 Canadian citizens for a whopping grand total of 146.2 million consumers. Affected consumers are at an elevated risk of identity theft, economic loss, and ruined credit ratings.

Equifax has gained movie star notoriety about how not to handle corporate security, not only due to the size of their breach but also the way it was handled. The security trouble was discovered and addressed in July of 2017, but not released to the public until September 7, 2017. Once released, Equifax didn’t have a clear communication and response plan that made their customers feel safe again. Further adding to their woes, prior to the public statement release four Equifax executives sold substantial amounts of company stock totaling $1.8 million, unleashing a public relations hailstorm of epic proportions. A special committee investigation has since confirmed the Equifax executives had no prior knowledge of the security leak, had received advance approval, and followed proper company protocol for stock trades, but at the time it only added to their problems.

The fall-out for Equifax, both financially and a badly tarnished reputation, has been extreme. Within weeks of the incident announcement Equifax CEO, Richard Smith resigned along with the CIO, and Chief Security Officer. The company is currently the subject of 240 class-action domestic lawsuits and under more than 50 other investigations in the U.S., Canada, and the UK. It’s a good thing Equifax made a lot of money in 2016 because this little snafu is going to have enormous financial implications for a long time. Equifax estimates to date they’ve spent $90 million on IT security improvements and covering the cost for credit monitoring and identity theft protection services for the millions of customers potentially affected by the breach. Their stock is down 24% and the IRS suspended a $7.1 million no-bid contract awarded to Equifax after another attack where their customer support website redirected users to malware. Ouch. In a smart PR move, Equifax’s interim CEO, Paulino do Rego Barros said that following the security breach, its senior leadership will not receive bonuses this year.

A Sophisticated Breed of Modern Criminals

Cybercriminals have moved up the food chain from the lowly hackers we once thought of as a chubby guy in his basement drinking Mountain Dew and staying up all night just to see if he can crack into networks for fun. While Mr. Dew is probably still out there, this new sinister breed of attackers is in it to make cold hard cash – and lots of it. Hackers are now connected, have established criminal gangs, and operate much like a legitimate business white labeling their programs to other gangs to improve their bottom line.

Made famous by the 2016 U.S presidential election, many cybercriminals are not independent business owners, in fact, some of the most powerful groups are “state-sponsored,” or in some part backed by foreign governments. That includes the Russians who are credited with hacking into the Democratic National Committee and the North Korean team, The Lazarus Group, who has been credited with innovative attacks in recent years, including destructive attacks on Sony Pictures in November 2014, the theft of US$81 million from the Bangladesh Bank in 2016, and masterminding the devastating WannaCry virus as a revenue-generating concept.

Learn more about five of the most notorious hacker groups. Knowing your enemy is the number one rule of warfare.

In an ironic twist, the human demand for privacy coupled with the increased security necessary to guard against hackers has left law enforcement facing massive obstacles while investigating cybercrimes. As evidenced in both the Texas church shooter in November of 2017 and the San Bernadino shooter in 2015, the FBI was not able to gain timely access to their iPhone data due to delays with cracking encryption code and privacy issues championed by Apple CEO, Tim Cook. While complicated opinions swirl on both sides of the privacy battle, one thing is clear, lags cause terrible setbacks for criminal investigations.

How to Avoid Being Hacked

The impact of cyber attacks on business nationwide is huge, according to IBM there was an estimated total cost of $450 billion to the global economy in 2016. Believe it or not, some of the most effective protection for your company isn’t some super-pricey sophisticated solution, it’s about adhering to good ‘ole boring IT best practices, preparation, and partnering with cybersecurity IT experts who know what it takes to avoid being hacked.

The Four Favorite Attack Methods of Cybercriminals

Phishing to test the strength of your company’s network and employee vulnerability. This accounts for 67% of malware deliveries. According to security expert, Symantec, one out of every nine email users have encountered malware in 2017. Attempts are typically sent via company emails and fake software update messages in hopes employees will click on links resulting in malware installs.
Malware downloads from websites. Often phishing efforts include links to legit-looking websites, so the employee feels safer downloading than from an email.
Capturing company email addresses and mimicking social media posts to pose as superiors to gain network or system administrator privileges or to blackmail employees. Within accounting teams, a very successful scam has the “CFO” send a late Friday request requesting an emergency wire transfer vendor payment complete with email approval to bypass standard protocol to meet the last-minute request. This child’s play method alone has painfully cost businesses millions each year.
Use of ransomware to encrypt and lock critical shared files or applications demanding a ransom to provide the “decryption key“. This is the fastest growing form of cybercrime accounting for two-thirds of all corporate attacks.

To avoid being hacked and foil their dastardly plans, you’ll need to think like a criminal. What kind of information is hidden within your network that can make them money? High-value data typically includes employee and customer records that include emails, financial accounts, passwords, banking and financial information, or other helpful data to assist with identity theft. Admin access to any internal systems or data is also targeted to interrupt business operations and get access to more information.

Protecting Your Data Against Disaster

Keep your Operating System Current – Ensure OS updates and patches are current for all users. This most basic prevention step plugs holes in software that phishing campaigns are constantly trolling for. Verify your firewall is turned on for all users and regularly monitor traffic patterns.

Validate Anti-Virus and Spyware Software is Installed and Up-To-Date – Verify anti-virus licenses are current and set to install real-time updates, implement spam blockers, and install spyware blocking software on all machines. Implement required scheduled maintenance. This will make it less likely your company will fall prey to workers that ignore repeat desktop update alerts.

Implement a Two-Step User Verification Process – The weakest link in any network security plan are your users and inadequate password practices. Employees often use easy-to-remember passwords or worse, share with their co-workers. In fact, it’s estimated that 75% of employees have shared their password. Start by conducting a current user password strength audit; force the reset of any weak passwords identified. Then, add a second layer which requires users to complete a second verification such as a picture or security question before allowing access to company data. Add an automatic logoff process after a specific time preventing unauthorized access. Also, monitor all user logins and data access records; investigate all discrepancy reports. A bit of extra time now setting all this up could save millions in the future.

Know what Data You Need to Protect and Where it is – Map out where all your high-value data is stored, who has access to it, and where the backups are stored in the unfortunate event of an attack. Even better, encrypt all personal data making it unreadable, and thereby useless, for hackers. An experienced IT managed service provider specializing in total network security can recommend a simple automated encryption process to protect your precious assets from prying eyes.

Back-Up Critical Data Files on a Daily Basis – Perform daily back-ups stored off-line that are in no way connected to shared network files that can be infected by a toxic ransomware worm virus. Even if you encrypt confidential data on your network, it’s still vulnerable to ransomware attacks where criminals lock down shared files extorting companies for huge sums to unlock their own data. Ransomware criminals are less concerned about what’s in your data, as long as they can get to it and lock you out. Engaging a managed IT provider with special skill in backup and recovery is a crucial step in protecting both the assets and customers of your company.

Create a Strong Culture of Employee Cyber Security Vigilance – Your human capital puts your company at the greatest risk. Period. Develop required employee education programs regarding how to avoid being hacked. Cover cybersecurity best practices including malware and how it works, monitoring spyware and its dangers, how to recognize dangerous email links and attachments, how to spot spam, websites to avoid, and education about the types of data hackers are after and why. Just one time won’t do it, so continuous employee updates are the best protection against devious cyber-criminals. Identify security champions throughout your organization responsible for communicating, delivering training, and sharing security alerts with their teams. A strong culture of security vigilance is best developed by multiple leaders sharing a consistent message.

Develop a Recovery and Response Plan for Your Organization – In the event of an attack, speed is critical to reducing your company’s exposure and risk. A recovery plan spells out, if attacked, who is in charge, how to report the incident, shut-down steps to take, and how business continuity procedures are to be executed after the danger has cleared. This plan should be shared with your employees during their training. Backup files won’t help if there is no plan in place to restore operations and knowledge of how long it will take to execute. The response plan is for both employees and customers. Specifically, who will handle external customer communication in the event of a breach and how your company will care for its customers if their confidential information is compromised.

Hire the Best IT Experts You Can Afford – To ensure your company isn’t the next victim, secure a managed IT provider with extensive expertise in total network security, ransomware protection, and backup and disaster recovery solutions. Even if you have a top-notch internal IT team it pays to bring in cybersecurity experts to conduct audits, develop strong protection protocols, and create effective employee training programs. To avoid being hacked, let the experts help your company stay one step ahead of this fast-growing criminal sector.

What to Do if Your Company is Attacked

With even the most meticulous planning, every company will most likely experience some type of cyber attack. Hackers have wormed their way into Equifax and some of the biggest companies in the world including Neiman Marcus, Home Depot, and even tech geniuses, Google and Facebook whose accounting teams were recently scammed into wiring a hacker a total of more than $100 million.

Established in 2006, the FBI developed a little-known entity called the Cyber Action Team (CAT), designed to serve as a rapid response team available for deployment anywhere in the world within 48 hours. Depending on the severity of the attack, the FBI can provide support and assistance to expedite an investigation to reduce the impact on a business and its customers.

The best defense is a good offense. By developing a proactive strategy including daily back-ups, development of a recovery and response plan, training employees and engaging a top-notch managed IT provider versed in cybercrime prevention, your team will be prepared for the day you discover a hacker has paid you an unwelcome visit.