The Equifax breach is the latest in a string of incidents that highlight the need for businesses to fortify their security operations.

Equifax is one of the largest breaches in history, impacting more than 145.5 million Americans — rendering their personal financial history publicly available — and is expected to cost Equifax hundreds of millions of dollars.

Related: 5 big cybersecurity lessons to learn from the Equifax data breach

However, like many other recent attacks, it was also easily preventable — and according to the CEO of Equifax, the core issue was that the company did not patch a web server for over 6 months.

In a world of ever-increasing threats, one would expect companies to get patching right. But despite warnings and continued incidents, our research shows that many businesses leave critical assets unpatched for months and years at a time. Take WannaCry as one example.

While patches for the EternalBlue vulnerability were made readily available as soon as the NSA exploit was made public, millions of companies were hit by the WannaCry attack in May 2017, while still others were hit by NotPetya a few weeks later, and recently by BadRabbit — all variants on the same patchable vulnerability.

Related: Consumer precautions after the Equifax cybersecurity breach

Test, detect, remediate, repeat

A good patching program is much more than cranking down on the security team. It starts with making sure all software running on the organization's IT systems is accounted for (easier said than done) and that there are tools and configurations that keep the list accurate. The security team needs to map dependencies between software and versions, flag legacy or customized systems that may have trouble updating, and figure out how to control and monitor those risks. Then, an organization needs to embed tools and procedures to control version updates for all software systems.

To complement these operations, the organization needs to continuously test for vulnerabilities. It's a simple principle: if an attacker can find your vulnerability, so can you. So:

Test, detect, remediate, repeat.
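The "accounted for, mapped, controlled" loop described above can be made concrete as a small inventory-versus-advisory check. The following is an added example written for this page, not code from the article or from At-Bay: it cross-references a constructed software inventory against constructed advisories (placeholder IDs, made-up versions and dates), computes how long each fix has been available, flags assets that breach an assumed 30-day patching SLA, and routes legacy systems that cannot simply be upgraded to a compensating-controls action instead. The `INVENTORY`, `ADVISORIES`, `AS_OF` data and the 30-day SLA are all assumptions of the example.

```python
import re
from datetime import date

# Constructed sample asset inventory: hostnames, product names and versions are
# made up for this example, not real systems.
INVENTORY = [
    {"host": "web-01", "software": "example-webserver", "version": "2.3.5", "legacy": False},
    {"host": "web-02", "software": "example-webserver", "version": "2.3.32", "legacy": False},
    {"host": "app-legacy", "software": "example-webserver", "version": "2.1.0", "legacy": True},
    {"host": "db-01", "software": "example-db", "version": "9.6.1", "legacy": False},
]

# Constructed advisories with placeholder IDs (not real CVEs) and made-up dates.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "software": "example-webserver",
     "fixed_in": "2.3.32", "published": date(2017, 1, 15)},
    {"id": "ADV-PLACEHOLDER-002", "software": "example-db",
     "fixed_in": "9.6.3", "published": date(2017, 7, 1)},
]

# Constructed "report date" so the exposure arithmetic is reproducible.
AS_OF = date(2017, 7, 20)


def parse_version(version: str) -> tuple:
    """Turn '2.3.32' (or '2.3.32-rc1') into a tuple that compares numerically.
    Plain string comparison would wrongly rank '2.3.5' above '2.3.32'."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def find_unpatched(inventory, advisories, as_of, sla_days=30):
    """Cross-reference inventory against advisories and return one finding per
    (asset, advisory) pair where the installed version is below the fixed version.
    Each finding records how long the fix has been available and whether the
    assumed patching SLA (default 30 days) is breached."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["software"] != asset["software"]:
                continue
            if parse_version(asset["version"]) >= parse_version(adv["fixed_in"]):
                continue  # already at or above the fixed version
            days_exposed = (as_of - adv["published"]).days
            if asset["legacy"]:
                # Legacy/customized systems may not be able to take the update;
                # they still need to be tracked and given compensating controls.
                action = "legacy: isolate and monitor, plan compensating controls"
            else:
                action = f"upgrade to {adv['fixed_in']}"
            findings.append({
                "host": asset["host"],
                "software": asset["software"],
                "installed": asset["version"],
                "advisory": adv["id"],
                "days_exposed": days_exposed,
                "overdue": days_exposed > sla_days,
                "action": action,
            })
    # Longest-exposed assets first: these are the months-old gaps the article describes.
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)


def summarize(findings):
    """Counts a security lead or underwriter would ask for at a glance."""
    return {
        "total": len(findings),
        "overdue": sum(1 for f in findings if f["overdue"]),
        "legacy": sum(1 for f in findings if f["action"].startswith("legacy")),
    }


if __name__ == "__main__":
    report = find_unpatched(INVENTORY, ADVISORIES, AS_OF)
    for f in report:
        flag = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['host']:<12} {f['software']:<18} {f['installed']:<8} "
              f"{f['advisory']}  {f['days_exposed']:>4}d  {flag}: {f['action']}")
    print(summarize(report))
```

Run as-is it reports the two web servers whose fix has been available for 186 days as overdue (one routed to compensating controls because it is flagged legacy) and the database host, 19 days behind a fix, as within SLA. The version tuple comparison matters: a naive string comparison would have declared `2.3.5` newer than the fixed `2.3.32` and silently hidden the finding.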

No company has a perfect system in place or can completely remove the risk from existing vulnerabilities. They can, however, work with their insurer and underwriter to ensure the biggest risks are being addressed and business losses from potential attacks are reduced.

Related: Cybersecurity, insurance execs see opportunity in Equifax data breach

Insurance carriers have a key role to play

Carriers take on risk, and therefore have meaningful insights into where risks lie in an organization. A carrier does its job well when it helps clients avoid loss, not just transfer it.

In such a dynamic risk environment, the insurance policy is just the start. The carrier and insureds are year-long partners with a mutual goal of avoiding loss. Carriers can support clients by continuously monitoring and underwriting risk and proactively working with clients to keep them secure throughout the lifetime of the policy.

The sad truth about the landmark Equifax breach is that it wasn't an advanced threat; it was simply caused by an unpatched server. However, this is also highly encouraging: it is within our power to eliminate such events, and dramatically reduce loss to businesses, by working together, proactively, to help organizations build better execution capabilities and stay up to date.

Rotem Iram is CEO of At-Bay (formerly Cyberjack). The opinions expressed here are the writer's own.

Related:

7 challenges insurers face in the cyber insurance market

The changing world of cyber liability insurance
