The Equifax Breach Wake-Up Call for Businesses
September 26, 2017 at 10:01 AM
The original version of this story was published on Law.com
The epic Equifax breach highlights the urgent need for a system that eliminates central points of attack and protects businesses' data even when servers are compromised. So, why doesn't every business assume their server can be hacked and design a system built for that new reality?
You'd expect Equifax to sit at the extreme end of the security spectrum, given that aggregating sensitive data and keeping it secure is its business. Yet despite what is likely a security budget in the millions and hundreds of security analysts, even its systems can be compromised.
Randy Battat, cybersecurity expert and founder, President and CEO of PreVeil, recently sat down with Inside Counsel to discuss "waking up" businesses to the reality of their breach vulnerability. PreVeil applies end-to-end encryption to email, document storage, and file sharing to protect businesses and consumers against breaches.
“Hacking is the new normal,” said Battat. “Although it is certainly shocking to many Americans, to cybersecurity experts the Equifax breach is really just the latest of a rapidly escalating series of high profile hacks and breaches. This year alone has seen many high-profile breaches, with victims including Verizon, Blue Cross Blue Shield/Anthem, Kmart, OneLogin, and a collection of other retail, university, and government institutions. This year also saw huge phishing campaigns targeting Gmail users, which led to the compromise of Google accounts.”
Both the attack surface and the volume of sensitive data stored and shared online are growing rapidly. Every additional device connected to the internet is another potential target, which multiplies the threats IT must defend against, and the growing volume of sensitive data online gives attackers a target-rich environment worth pursuing.
“Reliance on an antiquated security approach to protect data. Higher walls aren't working,” he said. “The historical approach to protecting an organization has been to build taller walls around the perimeter, but hackers are still able to come through. There are new techniques—end-to-end encryption, for example—that can protect data even when the server is breached.”
Servers are high-value targets because they hold an organization's data in one central location. A recent report found that server-related IT systems accounted for two-thirds of an organization's data loss, compared with about 5 percent for laptops and desktops. Meanwhile, barriers to entry for attackers keep falling: hacking tools are mostly free and readily available.
Why doesn't every business assume their server can and will be hacked? They should, according to Battat. In 2015, more than 80 percent of all businesses reportedly suffered some form of computer hack, and 66 percent of U.S. law firms reported a breach in 2016. Battat said, "Keeping hackers out doesn't seem to be a viable option."
So, what exactly did Equifax do wrong to let their security be compromised?
Equifax has confirmed that the attackers gained entry via an unpatched Apache Struts vulnerability (CVE-2017-5638). A fix had been available since March 6, 2017, so poor patching hygiene at Equifax appears to have been a contributing factor. However, we still know very little about what the attackers did and how they reached the data once they had exploited this vulnerability. Data breaches usually chain together weaknesses in several parts of an organization's IT infrastructure, so it is unlikely that this breach came down to a single factor.
Battat shared best practices for companies to protect themselves from breaches like this one. First, protect your data with end-to-end encryption, which ensures that only the intended recipients can decrypt the information. To read the data, an attacker must obtain both the ciphertext and the keys that decrypt it. With properly implemented end-to-end encryption, those keys are generated and held on the users' own devices, never on the server alongside the encrypted data, so a server breach yields only ciphertext.
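The point about keys living away from the ciphertext is easiest to see by simulating the breach itself. The following Python is an added example, not code from the article or from PreVeil: it stores the same record under two designs, "server-side encryption" (the master key sits in the server's own configuration) and end-to-end (the client holds the key), then dumps everything on the server and reports what an attacker can read. The cipher is a demonstration-only encrypt-then-MAC construction built from HMAC-SHA256 so the script runs on the standard library alone; a real system should use a vetted AEAD such as AES-GCM or XChaCha20-Poly1305. The sample record is constructed.

```python
"""Added example: what a full server compromise yields under two storage designs.
Demonstration cipher only (HMAC-SHA256 keystream + HMAC tag); use a vetted AEAD in practice."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one 32-byte root key."""
    enc = hmac.new(key, b"demo-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"demo-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True if flipping one ciphertext bit is rejected instead of silently decrypted."""
    idx = NONCE_LEN  # first ciphertext byte
    forged = blob[:idx] + bytes([blob[idx] ^ 0x01]) + blob[idx + 1:]
    try:
        decrypt(key, forged)
    except ValueError:
        return True
    return False


@dataclass
class Server:
    """Everything on the box: stored records plus configuration files."""
    records: dict = field(default_factory=dict)
    config: dict = field(default_factory=dict)


def store_server_side_encrypted(server: Server, record_id: str, plaintext: bytes) -> None:
    """Design A: the server encrypts with a master key kept in its own config."""
    key = server.config.setdefault("master_key", secrets.token_bytes(32))
    server.records[record_id] = encrypt(key, plaintext)


def store_end_to_end(server: Server, client_key: bytes, record_id: str, plaintext: bytes) -> None:
    """Design B: the client encrypts; the server only ever sees the blob."""
    server.records[record_id] = encrypt(client_key, plaintext)


def dump_and_decrypt(server: Server) -> dict:
    """Attacker with full server access: every record plus every config file.
    Returns plaintext per record where recoverable, else None."""
    key = server.config.get("master_key")
    out = {}
    for rid, blob in server.records.items():
        try:
            out[rid] = decrypt(key, blob) if key is not None else None
        except ValueError:
            out[rid] = None
    return out


# Constructed sample record, not real data.
SAMPLE = {"ssn": b"000-00-0000", "dob": b"1970-01-01"}


def compare_designs() -> tuple:
    """Run the same breach against both designs; return (leaked_A, leaked_B)."""
    a, b = Server(), Server()
    client_key = secrets.token_bytes(32)  # generated and kept on the user's device
    for rid, value in SAMPLE.items():
        store_server_side_encrypted(a, rid, value)
        store_end_to_end(b, client_key, rid, value)
    return dump_and_decrypt(a), dump_and_decrypt(b)


if __name__ == "__main__":
    leaked_a, leaked_b = compare_designs()
    print("server-side encryption, server dumped:", leaked_a)
    print("end-to-end encryption,  server dumped:", leaked_b)
```

Under design A the dump recovers every field, because the key was on the same box as the ciphertext; under design B the attacker gets opaque blobs and a bit-flip on any of them is rejected by the tag check rather than decrypted. What end-to-end encryption does not hide is metadata such as record identifiers and plaintext lengths, which is why the article's other two practices still matter.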
Second, stay up to date on software patches. Breaches frequently occur when attackers exploit software bugs, many of which are already public and tracked as CVE (Common Vulnerabilities and Exposures) entries. According to a 2015 survey, nearly 80 percent of businesses use open source software, the same kind of software involved in the Equifax breach. Vendors patch their products to fix these bugs and prevent exploitation, but patching is like building a higher wall: necessary, yet no guarantee that nobody gets over it.
Third, rather than giving individuals broad permissions, implement policies and technologies that limit each person's access to the minimum their job requires. Where possible, require approval from more than one person before privileged actions are taken or sensitive data is accessed, so that a single compromised account cannot do either alone. The average cost of a data breach is in the millions, with individual records valued at $380 for health care organizations and $245 for financial services organizations.
He added, “These values don't even factor in the loss of intellectual property, which may take away long-term competitive advantages. The more businesses are aware of the financial downside, the more they may be willing to adopt the cost of implementing better data protection measures.”
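The third practice above, least privilege plus group consensus for privileged actions, comes down to an authorization check that denies by default and counts only independent approvers. The Python below is an added example, not code from the article or from PreVeil; the roles, action names, approval thresholds and the directory of principals are illustrative assumptions.

```python
"""Added example: least-privilege grants with an M-of-N approval gate for privileged actions.
Roles, actions and thresholds are illustrative, not from the article."""
from dataclasses import dataclass

# Each role is granted only the actions its job needs (least privilege). Assumed roles.
ROLE_ACTIONS = {
    "analyst": {"read:own-cases"},
    "dba": {"read:own-cases", "export:customer-db", "rotate:db-creds"},
    "auditor": {"read:audit-log"},
}
# Actions no single person may perform alone: number of distinct approvers required.
APPROVALS_REQUIRED = {"export:customer-db": 2, "rotate:db-creds": 1}
# Roles whose members may approve a privileged request.
APPROVER_ROLES = {"dba", "auditor"}


@dataclass(frozen=True)
class Request:
    actor: str
    action: str
    approvals: frozenset = frozenset()


def authorize(roles: dict, req: Request) -> tuple:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    role = roles.get(req.actor)
    if role is None:
        return False, "denied: unknown principal"
    if req.action not in ROLE_ACTIONS.get(role, set()):
        return False, f"denied: role {role!r} is not granted {req.action!r}"
    needed = APPROVALS_REQUIRED.get(req.action, 0)
    if needed == 0:
        return True, "allowed: unprivileged action"
    # Only distinct, known approvers other than the requester count, and only
    # if their own role is entitled to approve; self-approval never counts.
    valid = {a for a in req.approvals if a != req.actor and roles.get(a) in APPROVER_ROLES}
    if len(valid) < needed:
        return False, f"denied: {len(valid)} of {needed} required approvals"
    return True, f"allowed with approvals from {sorted(valid)}"


# Constructed directory of principals, not real people.
ROLES = {"alice": "analyst", "bob": "dba", "carol": "dba", "dan": "auditor", "eve": "analyst"}


if __name__ == "__main__":
    for req in (
        Request("alice", "export:customer-db"),
        Request("bob", "export:customer-db", frozenset({"bob", "carol"})),
        Request("bob", "export:customer-db", frozenset({"carol", "eve"})),
        Request("bob", "export:customer-db", frozenset({"carol", "dan"})),
        Request("mallory", "read:own-cases"),
    ):
        print(req.actor, req.action, "->", authorize(ROLES, req))
```

The two checks reinforce each other: the grant table stops an analyst's stolen credentials from exporting the customer database at all, and the approval gate stops a stolen DBA credential from doing it unilaterally, since the requester's own approval and approvals from roles outside APPROVER_ROLES are discarded before the count.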
© 2024 ALM Global, LLC, All Rights Reserved.