By Editor | 2019-03-27T13:47:36+00:00 | October 18th, 2017

A Response without Credit

As Equifax continues to deal with the fallout from the massive hack on their databases involving citizens of three nations, much is already being written as to where the company’s mistakes were made and what can be learned from its errors.

Writing for CSO Online, Bil Harmer, strategist at Zscaler, suggests three key items for consideration by other companies:

  • Management of Risk: While a patch was available that could have blocked or halted the hack, decisions were made against applying it. The exact reasons are unclear, but possible causes include the risk of downtime or system reintegration after the patch update. The costs of these downtimes are important, but need to be balanced against the costs of breaches.
  • Failure of Process: Equifax has also been scrutinized for several executives selling stock between the internal identification of the breach and public notification of the breach, raising questions as to whether the executives were notified and sold their stock regardless, or whether the breach escalation process failed to notify them.
  • Understanding of Motive: At this point, the hackers’ motives remain unclear, with questions remaining as to whether money was the primary motivator, or whether the attack was an attempt to destabilize the company and trust within the credit bureaus.

Writing for the Economic Times, Avinash Prasad, vice president of managed security services for Tata Communications, offers some additional observations as to how companies can protect themselves from similar attacks. Emphasizing responsiveness, Prasad speaks of the need to establish a robust vulnerability management process, and to ensure patches are both rapidly rolled out and tracked across all devices. He also recommends regular auditing of firewall and IPS configurations, as well as establishing multiple levels of security to help limit the scope of any breaches that may happen. Continuous testing is also encouraged, to identify any potential gaps or weaknesses.

While no company will be immune to outside hacks, companies can reduce their risk by considering the mistakes made by Equifax.

Sources:

https://cio.economictimes.indiatimes.com/tech-talk/keeping-cyber-attacks-at-bay-lessons-learnt-from-equifax/2646

https://www.csoonline.com/article/3229508/security/in-equifax-data-breach-three-hard-lessons-in-risk.html
