Under normal circumstances, the Equifax hack scandal would be a top story for weeks. The company is benefiting from a glut of other chaotic news superseding it in the headlines, but let’s not forget that Equifax’s lax security practices allowed the personal data of about 44% of the US population to be compromised. What’s worse, that data is some of our most sensitive: driver’s license numbers, past addresses, credit card numbers, and of course Social Security numbers. And then, even worse, we weren’t ever given a chance to opt out of Equifax’s data-gathering (and selling) service, and we’re not going to be given one now. AND the CEO is “retiring” in the face of this scandal, to take home a pension of over $90 million. AND Equifax accidentally sent consumers to a fake phishing site for two weeks.

In the absence of any other silver linings, at least this is a teachable moment.

Update, Update, Update

Equifax’s data breach occurred through a known vulnerability in their Apache Struts-based web application. They were aware of a method to patch it, but they ignored it. Don’t be like Equifax. When updates are available, do them. This goes for your desktop computer, your phone, your applications (like Word or Excel), your phone apps, and even your website. Check with your IT company to ensure that you are running the latest version of your web software, especially if it’s WordPress. (If you have a Wix, Weebly, or Squarespace website, you’re in luck—these companies keep up with security on your behalf.)

Why make it easy for hackers?
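“Are we running the latest version?” is a question you can answer mechanically rather than by asking around. The script below is an added example, not code from the original post or from any vendor: it reads the pinned dependency versions out of a constructed Maven `pom.xml` fragment and flags any that fall below a minimum patched version you maintain from your vendors’ advisories. The manifest, the `org.example:helper-lib` artifact and the minimum versions in `MINIMUM_VERSIONS` are all placeholders; plug in your own manifest and the thresholds from the advisories that apply to you.

```python
"""Added example (not from the original post): flag pinned library versions
that fall below a known-patched minimum. The manifest text and the minimum
versions below are constructed placeholders, not real advisory data."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a fragment of a Maven pom.xml as an application might
# ship it. Nothing here is taken from Equifax or any real project.
SAMPLE_POM = """
<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.30</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>helper-lib</artifactId>
      <version>1.4.2</version>
    </dependency>
  </dependencies>
</project>
"""

# Placeholder policy: "group:artifact" -> minimum version you treat as patched.
# In practice this table is populated from your vendors' security advisories.
MINIMUM_VERSIONS: Dict[str, str] = {
    "org.apache.struts:struts2-core": "2.3.99",  # placeholder threshold
    "org.example:helper-lib": "1.4.0",           # placeholder threshold
}

# Matches one <dependency> block with groupId, artifactId and version in order.
DEP_RE = re.compile(
    r"<dependency>\s*<groupId>([^<]+)</groupId>\s*"
    r"<artifactId>([^<]+)</artifactId>\s*<version>([^<]+)</version>",
    re.S,
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.30' into (2, 3, 30) so versions compare numerically.

    Any non-numeric piece (e.g. 'rc1') is treated as 0, which is deliberately
    conservative: a pre-release compares below the matching final release.
    """
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_dependencies(pom_text: str) -> Dict[str, str]:
    """Return {'group:artifact': version} for each pinned dependency."""
    return {f"{g}:{a}": v for g, a, v in DEP_RE.findall(pom_text)}


def outdated(deps: Dict[str, str], minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (coordinate, installed, minimum) for every dependency below policy.

    Dependencies with no entry in the policy table are not reported; that is a
    gap in the table to close, not a clean bill of health.
    """
    findings = []
    for coord, installed in deps.items():
        minimum = minimums.get(coord)
        if minimum and parse_version(installed) < parse_version(minimum):
            findings.append((coord, installed, minimum))
    return findings


if __name__ == "__main__":
    for coord, have, need in outdated(parse_dependencies(SAMPLE_POM), MINIMUM_VERSIONS):
        print(f"UPDATE NEEDED: {coord} is {have}, minimum patched version is {need}")
```

Run against the constructed manifest it reports the Struts dependency as below the placeholder threshold and stays quiet about the helper library, which already meets its minimum. The useful habit is the inventory itself: a team that can list every pinned version in a few seconds can act on an advisory the day it lands instead of discovering the gap after the fact.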

Take Preventative Measures

Equifax has a long history of security failures, but they never adequately adjusted their course for prevention. Updates are one preventative measure, but don’t stop there. Every business environment is different, and it’s worth investing in a third-party security consultant to evaluate your potential security holes. (Yes, we do offer that service.) A security plan should also include spyware and virus protection, backups, firewall security, and an outline of best practices for your employees. Best practices should cover choosing and using secure email passwords, apps that can and cannot be used for internal communications, how to treat internal documents, what programs can and cannot be downloaded, and much more.

Have a Disaster Recovery Plan

When disaster struck Equifax, they responded by doing nothing until they had to. Then they directed potential hacking victims to the website equifaxsecurity2017.com (instead of a more trustworthy site hosted on their own domain like security.equifax.com) that acted buggy and looked slapdash. If Equifax had a disaster recovery plan, it was a poor one.

Do you know what you would do if your company became a victim of a ransomware attack? You and your employees should be prepared to contact IT support immediately and send out a companywide notice of the attack. The computer where the ransomware attack occurred should be turned off and disconnected from all networks. If you’ve got a preventative security plan, you should be able to rely on your backup systems (see above) to get up and running again.

Let Your Customers Know What’s Up

Equifax executives knew about the breach in July, but the public wasn’t notified until September. That means there were weeks in which hackers could use that data before consumers had a chance to put a freeze on their accounts.

Why would anyone ever trust Equifax again? And why would your company want to put itself in a similar position, ever? There’s an adage for email that says, “Never send out an email you wouldn’t want published on the first page of The New York Times.” And really, with so much transparency in our work environments, it’s just not worth it to try to hide it.


Published On: September 29th, 2017
