Icon (Close Menu)


Data Theft: Is Your Business Ready? (Aaron Gamewell Expert Advice)

3 min read


We'd also like to hear yours.
Leave a comment below, tweet to us @ArkBusiness or email us

Think about how much of your customers’ information you keep in your electronic files — Social Security numbers, birth dates, credit or debit card numbers, checking account information. Although most go unreported, data breaches happen daily, and you are liable if your company hasn’t taken the proper steps to protect that data. You may even be liable for the losses of financial institutions or other businesses caused by your failure to protect data. You can bet that anyone who has a loss due to your negligence will be coming to the source of the breach.

The Equifax breach is the largest to date. Millions of Americans are scrambling to know whether they are affected, but only time will tell. The data may sit on the dark web for weeks, months or years until one bad guy purchases a block of data and, voila, an individual’s personal data is used for financial gain. Individually, we will have to be vigilant and use online resources to monitor our financial records daily, report fraudulent activity and close accounts immediately.

Businesses of all sizes also need to take steps. Always, always contract with a professional cybersecurity firm that can audit your systems and practices to make recommendations regardless of the impact to your infrastructure or your IT budget. Below is a list of actions that every business must deploy immediately to mitigate the risk of a data breach:

♦ Patch management. In any data breach, there is value in examining what went wrong. As we learned from the WannaCry ransomware worm, patching our systems is critical. In the Equifax case, it’s possible that an externally facing web application system was not patched, allowing cybercriminals access to sensitive data. Vulnerabilities are detected and exploited by hackers quickly, so, patching cycles need to get shorter so that security gaps are closed in days or weeks, not months.

External web application testing. An annual independent penetration test of externally facing systems has long been a best practice. In this case, such an assessment might have identified a vulnerable web server that was exposed to the internet. In addition to the standard external penetration test, is has become essential to include a web application assessment using special tools that focus on identifying and exploiting vulnerabilities in the actual web application itself.

Vulnerability assessment. You should conduct an independent vulnerability assessment of your network as an added layer of security in detecting missing security updates, insecure or default security settings or other vulnerabilities. A continual vulnerability assessment process is a good practice. VA software is affordable and easily configured to run a weekly or monthly scan of your network.

Asset-based risk assessment. A system like Equifax’s should have been subject to an IT risk assessment to capture the value of the system and the data it stores, transmits, and processes, as well as threats against the asset analyzed and current risk-mitigating controls implemented. This would have allowed for a risk assessment of the system and a comparison against the institution’s risk appetite. If the risk was outside the risk tolerance, then additional security controls could have been added.

Improve vendor management. My company suggests including the credit bureaus in your vendor risk assessment if you are publishing data to the credit bureaus. They may not be a critical vendor, but having customer data would likely mean you are requesting SOC 2 reports and evaluating if adequate controls are in place.

Incident response program. Analyze your institution’s incident response procedures. The incident might not require you to notify your customers, it poses a good question: Should we notify customers as an adviser to help them be prepared for potential fraud and identify theft? Other considerations could include: template notifications, designated public relations person, offering credit monitoring, procedures for incident investigation and forensic resources.

Next steps. If you decide to share information with your customers about a breach, what should you communicate? The process Equifax suggested might not be best for those affected long-term. The good news is there are lots of alternative suggestions to consider.

There will be more and perhaps more devastating breaches than Equifax. Lessons from someone else’s mistakes are some of the cheapest to learn.

Aaron Gamewell is president, CEO and managing partner at SBS CyberSecurity LLC of Little Rock and Madison, South Dakota. Email him at Aaron@sbscyber.com.
Send this to a friend