Every so often, a truly important news story breaks into the public consciousness through an information overload that seems more and more obsessed with partisan issues, celebrity news coverage, and YouTube videos gone viral. One of these recent stories involved the unfolding cybersecurity breach at Equifax, one of the three American companies that compile the personal information that determines your credit-worthiness, your ability to obtain a loan, and the interest rate that you will pay for that privilege.
Of course, a legitimate question could be asked regarding what gives Equifax, Transunion and Experian the right to gather hyper-sensitive personal and financial information on every American citizen alive today. We have certainly come a long way from the idealized days of George Bailey and the Bedford Falls Building and Loan, when financial decisions were local and finalized with a handshake. In our modern times, it would seem that the minimum responsibility on the part of credit reporting agencies would be to maintain iron-clad security standards to prevent our personal information from falling into the hands of malevolent third parties.
In the recent Equifax incident, the personal security information of 143,000,000 Americans was compromised. According to the Federal Reserve Bank, there are only about 125,000,000 households in the United States. Without question, you were personally impacted. Essentially, the names, addresses, dates of birth, social security numbers and more for virtually every adult citizen in the United States were compromised. In addition, investigations have disclosed that credit card numbers of 209,000 individuals were hacked, along with personal identification numbers (PINs) for another 182,000 consumers.
According to testimony prepared for a House Energy and Commerce Committee hearing, Equifax CEO Richard Smith admitted that the breach was the result of a failure to apply a software update, despite warnings from the Department of Homeland Security, followed a day later by a warning from the company’s own security team. The company’s policy was to apply such patches within 48 hours, but this failed to happen. The patch was designed to repair the vulnerability in the open source Apache Struts software that the company was using in one of its systems. Even following the company’s internal software policies, hackers would have had three days to exploit that vulnerability – a virtual lifetime in the world of hackers. The Apache Software Foundation had issued a patch for the flaw in March, two months before hackers began accessing sensitive information on Equifax’s servers on May 13. Clearly, Equifax had no excuse for its failure to have taken immediate corrective measures.
This all occurred two years after a similar, but smaller, security breach occurred at Experian, compromising “only” 15,000,000 Americans. What did the credit reporting industry learn over that time? Apparently how to wait months before reporting the incident, while providing an opportunity for three top Equifax executives to unload $1.8 million worth of company stock, after the breach was discovered but prior to its announcement. It also forced Smith to resign, albeit with an over $90 million golden parachute, according to Fortune Magazine.
The impacts of the Equifax security breach upon individuals have been well-documented, including advisories to subscribe to free credit monitoring services, change all of your passwords to unique strings of characters that are more difficult to crack, to pay to freeze reports on your credit (only unfreezing the reports in specific instances, such as when applying for a loan), and to join into one or more of the class action lawsuits against the company. As a small business owner, on the other hand, what measures should you take to ensure that you are safeguarding the information of your customers to the best of your ability? There is no question that international cybercriminals tend to pursue the larger and more lucrative targets; however, every business that conducts business online (not necessarily through its website, but through any Internet-based transactional application) is vulnerable and bears a responsibility for protecting its customers.
The Federal Trade Commission offers a series of five areas of recommendation for how businesses should handle their customers’ personal information.
- The first is an assessment of how your company handles personal information that is gathered from a variety of sources, including credit reports, employment applications, and customer-provided data. How is it delivered to your business, how broadly is it accessed within your company, and how and where is it stored? A particular area of concern is the processing of credit cards. Above all else, cybercriminals are looking for credit card information, social security numbers, and banking information. There is no reason for most businesses to maintain records of that information in any form.
- Stop gathering information that you do not need. With the exception of very specific matters including employee tax accounting, there is no reason to ever ask for anybody’s social security number. Do not maintain records of credit card numbers. Those should only be gathered through a secure point of sale terminal or via a secure online payment gateway, where you do not actually see the number, its expiration date, or the security code. Never ask people to provide that information via email, and discourage the common practice of taking that information over the phone. Because “we’ve always done things this way” is no longer an excuse.
- Keep all physical and electronic records secure. Paper records and backup files should be stored in locked rooms or file cabinets, with limited employee access to a limited number of keys. Electronic files should be encrypted and password-protected. Individual computers should be password protected, put into password-protected sleep or screen saver mode when left unattended, and shut down at the end of each business day. Scan the computers on your network for vulnerable open network services. For example, if a computer is not intended to be used for the sending or receipt of email, the ports for those services should be closed on that computer. Every computer should also be running real-time anti-malware and anti-virus software that includes scans of incoming email messages for malicious content that might be disguised as routine file attachments. Never allow an employee who is untrained in basic security precautions to access and open email messages.
A highly secure password is almost worthless if an employee is allowed to write it down on a Post-It Note, typically attached to his computer monitor. Educate employees (and yourself!) on the importance of password security, use a “password safe” application with a highly secure master password, and lock out users after a limited number of incorrect login attempts on any computer and any online application. Laptops and mobile devices are particularly vulnerable due to their portable nature. They should never be left where they would be even momentarily visible to thieves, and their access to secure information should be carefully limited. Using unsecured Wi-Fi access at airports and other public places is an extremely risky practice.
- Always maintain proper disposal practices. We have all heard the old adage about one man’s trash being another person’s treasure. That was never as true as it is today. Paper records and disposable electronic media containing sensitive data should never go into the trash. These need to be run through cross-cut shredders or incinerated. When disposing of old computers and storage devices, all data must first be removed with a data wiping utility. Simply deleting files leaves them recoverable by a thief. Did you realize that your office copier or fax machine contains a hard drive that stores its data? That data probably includes copies of your tax returns, and that data also needs to be wiped prior to the disposal of any such device.
- Finally, maintain a response plan in the event of a security breach. If a computer is compromised, immediately disconnect it from Internet access, remove it from your network, and then shut it down. Bring in an expert to identify and correct the vulnerability and assess any threats to personal information. If there have been compromises, immediately notify your customers and anyone else who may have been impacted by the breach of security. Do not repeat the Equifax mistake of hiding disclosure for months.
This is a brief summary of what occurred in the recent Equifax security breach, how you should react to that breach, and some of the measures that you should implement to tighten the security standards at your own business. If you would like to learn more, be sure to attend the “10 Steps for Securing Your Digital Identity” seminar that I will be presenting at the Outdoor Hospitality Conference & Expo, in Raleigh, on November 8, 2017.
This post was written by Peter Pelland