The Equifax breach is the latest in a string of incidents that highlight the need for businesses to fortify their security operations.
The Equifax breach is one of the largest in history: it affected more than 145.5 million Americans, rendering their personal financial history publicly available, and is expected to cost Equifax hundreds of millions of dollars.
However, like many other recent attacks, it was also easily preventable. According to the CEO of Equifax, the core issue was that the company had not patched a web server for over 6 months.
With the number of threats ever increasing, one would expect companies to get patching right. But, despite warnings and continued incidents, our research shows that many businesses leave critical assets unpatched for months and years at a time. Take WannaCry as one example.
While patches for the EternalBlue vulnerability were made readily available as soon as the NSA exploit was made public, millions of companies were hit by the WannaCry attack in May 2017, still others by NotPetya a few weeks later and, recently, by BadRabbit, all variants on the same patchable vulnerability.
Test, detect, remediate, repeat
A good patching program is much more than cranking down on the security team. It starts with making sure all software running on the organization’s IT systems is accounted for (easier said than done) and that there are tools and configurations that keep the list accurate. The security team needs to map dependencies between software and versions, flag legacy/customized systems that may have trouble updating and figure out how to control and monitor those risks. Then, an organization needs to embed tools and procedures to control version updates for all software systems.
To complement these operations, the organization needs to continuously test for vulnerabilities. It’s a simple principle: If an attacker can find your vulnerability, so can you. So:
Test, detect, remediate, repeat.
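As an added illustration of the inventory, dependency-mapping and flagging steps described above (example code written for this page, not from the article or from At-Bay; the product names, versions, dates and hostnames are constructed), a minimal patch-exposure report that measures how long each asset has been behind a published fix and calls out legacy systems and their dependents:

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Asset:
    name: str
    software: str
    installed: str
    legacy: bool = False           # customized/legacy box that cannot simply auto-update
    depends_on: list = field(default_factory=list)

def version_tuple(v):              # '2.3.10' -> (2, 3, 10), so it sorts above '2.3.9'
    return tuple(int(x) for x in v.split("."))

def patch_findings(inventory, advisories, today, sla_days=30):
    """Asset name -> status for every asset behind a published fix (exposure counted from
    the fix's publication date) and for assets whose direct dependencies are still vulnerable."""
    findings = {}
    for a in inventory:
        if a.software not in advisories:
            continue
        fixed, published = advisories[a.software]
        if version_tuple(a.installed) >= version_tuple(fixed):
            continue                               # already at or past the fixed version
        exposed = (today - published).days
        if a.legacy:
            findings[a.name] = f"legacy, vulnerable {exposed}d: needs compensating control"
        elif exposed > sla_days:
            findings[a.name] = f"overdue by {exposed - sla_days}d"
        else:
            findings[a.name] = f"within SLA ({sla_days - exposed}d left)"
    for a in inventory:                            # second pass: dependency mapping (one hop)
        bad = [d for d in a.depends_on if d in findings]
        if bad and a.name not in findings:
            findings[a.name] = "at risk via dependency on " + ", ".join(bad)
    return findings

# Constructed sample data: product names, versions, dates and hostnames are illustrative only.
ADVISORIES = {"web-framework": ("2.4.0", date(2017, 3, 1)),    # (first fixed version, fix published)
              "smb-server":    ("4.5.0", date(2017, 3, 14))}
INVENTORY = [
    Asset("web-01", "web-framework", "2.3.9"),
    Asset("web-02", "web-framework", "2.4.0"),
    Asset("file-legacy", "smb-server", "4.4.2", legacy=True),
    Asset("db-01", "database", "9.6", depends_on=["file-legacy"]),
]
AS_OF = date(2017, 9, 1)

if __name__ == "__main__":
    print(patch_findings(INVENTORY, ADVISORIES, AS_OF))
```

Run on the constructed inventory, the report shows a web server six months behind its fix, a legacy file server that needs a compensating control rather than a blind update, and a database flagged only because it depends on that legacy server.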
No company has a perfect system in place or can completely remove the risk from existing vulnerabilities. They can, however, work with their insurer and underwriter to ensure the biggest risks are being addressed and business losses from potential attacks are reduced.
Insurance carriers have a key role to play
Carriers take on risk, and therefore have meaningful insight into where the risks lie in an organization. A carrier does its job well when it helps clients avoid loss, not just transfer it.
In such a dynamic risk environment, the insurance policy is just the start. The carrier and insureds are year-long partners with a mutual goal of avoiding loss. Carriers can support clients by continuously monitoring and underwriting risk and proactively working with clients to keep them secure throughout the lifetime of the policy.
The sad truth about the landmark Equifax breach is that it wasn’t an advanced threat; it was simply caused by an unpatched server. However, this is also highly encouraging: It is within our power to eliminate such events, and dramatically reduce loss to businesses, by working together, proactively, to help organizations build better execution capabilities and stay up to date.
Rotem Iram is CEO of At-Bay (formerly Cyberjack). The opinions expressed here are the writer's own.