By Jeff Lizerbram Solutions Architect, Systems Integration:
When the recent news stories broke out across the nation on the data breach at Equifax, one of three main credit reporting companies (the other two which are Experian and TransUnion), the damage was already done almost 3 months earlier. According to the top news sources, over 143 million people in the United States, Canada and the United Kingdom have had their credit data accessible by hackers as early as May 2017. This data includes Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other private financial data. One of the major sources of the vulnerability to blame was the main public Equifax website itself, in which there were un-hardened web application security configurations in place.
The cause of the hacking can go even deeper into the organization, where there may have been a lack of a strong IT security policy enforcement. Can this issue happen to any organization? Of course. As a Managed Services Provider, we see instances of incomprehensible amounts of hacking attempts hitting publicly-facing firewalls all the time. And we are constantly learning that our data is at the mercy of the ever-changing best practices in Information Technology security. Can an organization work to prevent such a massive vulnerability? Absolutely, and here’s one way to accomplish this:
From my own experience in working with best-in-class cloud security solutions, there is a strong need for other factors, including human factors, to be in place, in addition to the security solution itself. A great security product protecting a company’s assets is just one small part of preventing attacks. A strong and secure organization should hold an internal policy foundation which includes 3 important pillars: Security, Audibility, and Accountability. For Security, upgrading to the best-in-breed security products will definitely help. And while most security products out in the market include auditing features, quite often the auditing portion is left in a disabled state and not used. It is crucial to enable auditing to view and alert on sensitive data going out as well as coming into the organization. And finally, security and auditing must result in holding those accountable for correcting any configuration issues that have been alerted. All in all, a good organizational IT policy should have a foundation based on these principals to stay ahead of the bad guys.