If you’ve picked up a newspaper recently or seen the buzz on social media, you’ll know that Equifax has had its name dragged through the mud as a result of their recent cyber-attack (see my previous article for more details).
From top executives being forced to resign effective immediately to lawsuits brought forward by consumers asking for hundreds of billions in compensation, the aftermath of the hack has been an absolute legal and political nightmare for the American credit reporting agency.
For consumers, the hack has been devastating. Just under half of America’s population was directly affected by the breach, making this attack one of the largest in American corporate history. Well over a hundred million Americans have had their lives turned upside down as a result and will be living with the consequences of the hack for many years to come. This isn’t over – not by a long shot.
Here in the United Kingdom, the BBC confirmed last week that the personal information of 400,000 British citizens had been compromised as a result of the Equifax hack. And though the information that was stolen was not as sensitive as that of American citizens (‘only’ names, dates of birth, email addresses and telephone numbers were stolen, not addresses, passwords or financial data), it is still enough to give those affected great cause for concern.
It’s only natural that a cyber-attack of this magnitude would result in a great deal of resentment among the public, regardless of whether you were affected or not. We as consumers put our trust (as well as our money and data) into these firms. We expect institutions like banks, health care services, credit reporting agencies, etc. to take every precaution imaginable to ensure our data is stored as securely as possible. And when one of them falls victim to such an attack, it’s only natural that we question the security of all the others: if mastermind hackers can get into one of America’s largest credit reporting agencies, then who, if anyone, could be safe from such evil geniuses?
Unfortunately, an even scarier revelation came to light last week. The cyber-attack on Equifax had no Ocean’s Eleven-like complexity to it, no Lisbeth Salander or David Lightman type genii involved. In fact, probably the most unbelievable aspect of this whole fiasco, more than its size, more than the 30 and counting lawsuits, more than the years of hardship those affected by it will have to live with, is the fact that the whole attack was unambiguously and quite easily preventable – and they knew it.
The hackers, who attacked Equifax through a vulnerability in Apache Struts (a widely used, open-source MVC framework for building Java web applications) on which one of their public-facing web applications was built, did so in mid-May, two months after the Struts project had released a patch for that vulnerability. As Lily Hay Newman put it in her article for Wired, “In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn’t.”
At first glance, this may come as an absolute shock to anyone reading it. How, you ask, could Equifax let something like this happen? If a vulnerability or bug was found in their system, why would they not have resolved it the second a fix became available?
Well, the truth is, attacks like this happen all the time. In my previous article on hacking, I referenced a hack here in the U.K. where the NHS was hit with a ransomware virus that affected health centres all across the country. Why did this attack happen in the first place? As in the case of Equifax, the NHS was using software that was out of date.
And it’s not just me saying it. A report by the National Crime Agency titled The cyber threat to UK businesses 2016/2017 explicitly points out that the vulnerabilities most commonly exploited by hackers could have been prevented. Why? Well, call me a broken record, but more often than not (as the report states) a patch was already available and the business either failed to apply it at all or applied it too late, because it had poor security processes in place.
Here at Advantage, we see this happen dozens of times. Businesses come to us and say they’ve been compromised, either through a phishing scam or a compromised website. We then conduct a security audit to assess the extent of the damage, review what security is already in place and look at every possible point of entry (firewall, email, endpoints, gateway, Wi-Fi, mobile devices, etc.). When it comes time to give our assessment, business owners and IT managers are shocked to learn that the reason they got hacked was that they were either running on old technology, or their IT manager or current IT managed services provider failed to recommend or highlight an obviously exposed vulnerability that had a very simple and readily available patch.

As Christo van Zyl, IT Managed Services Director at Advantage, told me when I was researching this piece: 'It's actually pretty awful to have to sit there and tell a business owner they've spent thousands, if not millions, of pounds and compromised their own integrity and the trust of their customers simply because they didn't have the right email security software, or they were operating on an old version of a piece of software that had a highly-publicised flaw. People come in here expecting to be told their hack is different, that it's something no one has ever seen or thought of before.'
By far the worst though, Christo went on to explain, is when a customer comes back in after we’ve done the security audit and recommended the software or investment they need to make in order to avoid certain types of attacks, but for one reason or another they’ve decided to ignore our advice. 'That's when it really breaks your heart. You never want to have to tell a customer or a client, "I told you so."'
The recent Equifax hack is a big lesson all businesses need to learn - you've been told! These ‘silly little mistakes’ or oversights can lead to a whole world of trouble, not just for your business, but for the people you’re supposedly there to support: your customers. Hacking is a reality every business and individual alike has to acknowledge. Cyber-attacks are on the rise, and they are targeting small and medium-sized businesses with as much tenacity and regularity as multinational corporations. Nobody is too big or too small to be hit. And while nobody can promise you that you won’t be attacked, there are, without a doubt, a multitude of preventative measures you can take to keep your business’s exposure as low as it can be. As a rule of thumb, follow these steps:
- Conduct regular security audits: we recommend at least once a year, and again after any significant change to your systems.
- Make sure your staff are regularly trained and up to date with security best-practice processes.
- Be realistic about your IT team’s capacity and expertise. This is particularly salient for small businesses, which often don’t have the resources to have more than one person looking after the whole IT infrastructure.
- Following on from the previous point, if you’re a small or medium-sized business, invest in an IT managed services firm. It doesn’t have to be us (though we’d obviously love it if it were), but having a dedicated partner who is constantly up to date and lives and breathes security, day in and day out, is one of the soundest investments your business can make.
- Listen to the experts and don’t delay. You can only act on an update if you know what you are running, so keep an inventory of the software and versions deployed across your business. When a security update becomes available, test and deploy it promptly; when a programme is discontinued and stops receiving patches, plan its replacement before that date. Nothing is worse than having a terrible case of “I told you so.”
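The gap the article describes, a fix published months before the breach and never applied, is exactly what a patch-lag check against an inventory surfaces. The Python below is an added example written for this page; it is not Advantage's tooling and not code from the Apache Struts project. Every component name, version number, release date and host in it is constructed and hypothetical (deliberately not the real Struts advisory details), and it assumes plain dotted-numeric version strings.

```python
"""Patch-lag check: flag deployed software that is still below the version
that fixed a published vulnerability, and report how long the fix has been
available without being applied.

Added example for illustration only; not Advantage's tooling and not Apache
Struts project code. Every component, version, date and host below is
constructed and hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str    # first version that carries the fix
    published: date  # day the fixed version was released


@dataclass(frozen=True)
class Deployed:
    host: str
    component: str
    version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.9' -> (2, 4, 9), zero-padded to at least three parts so that
    '2.5' compares equal to '2.5.0'. Comparing tuples of ints avoids the
    classic string mistake where '2.10' sorts below '2.9'.
    Assumes dotted-numeric versions (an assumption of this example)."""
    nums = tuple(int(part) for part in v.strip().split("."))
    return nums + (0,) * (3 - len(nums))


def is_patched(installed: str, fixed_in: str) -> bool:
    """True when the installed version already contains the fix."""
    return parse_version(installed) >= parse_version(fixed_in)


def exposure_report(inventory: List[Deployed], advisories: List[Advisory],
                    today: date) -> List[Tuple[str, str, str, str, int]]:
    """For each deployed instance still below a fixed version, return
    (host, component, installed, fixed_in, days_exposed), worst first.
    days_exposed counts from the day the fix was published: the window in
    which a patch existed but was not applied."""
    by_component: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)

    findings = []
    for item in inventory:
        for adv in by_component.get(item.component, []):
            if is_patched(item.version, adv.fixed_in):
                continue
            days = (today - adv.published).days
            findings.append((item.host, item.component, item.version,
                             adv.fixed_in, days))
    # Longest exposure first: that is the one to patch tonight.
    return sorted(findings, key=lambda f: f[4], reverse=True)


# --- constructed sample data (hypothetical names, versions and dates) ---
ADVISORIES = [
    Advisory("example-mvc", fixed_in="2.5.0", published=date(2017, 3, 1)),
    Advisory("example-mail-gateway", fixed_in="1.4.2", published=date(2017, 1, 15)),
]

INVENTORY = [
    Deployed("web-01", "example-mvc", "2.4.9"),            # below fix: exposed
    Deployed("web-02", "example-mvc", "2.5.0"),            # patched
    Deployed("web-03", "example-mvc", "2.5"),              # same as 2.5.0: patched
    Deployed("mail-01", "example-mail-gateway", "1.4.1"),  # below fix: exposed
    Deployed("db-01", "example-db", "9.6"),                # no advisory on file
]

TODAY = date(2017, 5, 15)  # assumed audit date


if __name__ == "__main__":
    for host, comp, installed, fixed, days in exposure_report(INVENTORY, ADVISORIES, TODAY):
        print(f"{host}: {comp} {installed} < {fixed}; fix available for {days} days")
```

Run as a script, it lists the two unpatched hosts with the number of days each fix has been sitting unapplied; the 75-day row is the article's scenario in miniature. In practice the inventory would come from a package manager, a configuration management database or a software bill of materials rather than a hand-typed list, and products that use suffixes such as release candidates or vendor build numbers need a richer version parser than the plain dotted-numeric one assumed here.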
If you would like to find out more about Advantage's Security Audits, or would like more information on how we can help your business, talk to us today.
Words by Camilo Lascano Tribin