Take Heed Following the Equifax Breach: Time is Now to Reassess Your Cybersecurity Program
As was widely reported, Equifax experienced a massive cybersecurity breach on September 7, 2017, potentially affecting almost half of all Americans by stealing personal information, including Social Security numbers and pertinent financial information. While the investigation into this breach evolves, it appears the breach could have been avoided. Basic security procedures, such as reviewing the web-based application for known vulnerabilities prior to making it accessible to the public, and patching the application to fix known vulnerabilities, may have prevented personal information from being compromised.
This incident and the overall increased rate of cyber attacks in today’s environment brings heightened awareness to the critical importance of preventing, detecting, and handling security breaches. To avoid the potentially serious consequences of a cybersecurity attack, including financial risk and brand reputation, CohnReznick recommends companies implement the following basic security measures. These best practices should be adhered to consistently and will ensure an immediate action plan is in place should a breach occur:
- Establish a robust patch management program
- Implement strong identification and authentication, including multi-factor
- Ensure strong perimeter security devices and controls
- Have adequate and updated malware and anti-virus
- Provide frequent security awareness and training
- Ensure systems and data are backed up regularly
- Perform periodic vulnerability scans/ penetration testing/security assessments, including scanning source codes prior to migrating changes or new functionality in the IT production environment
- Ensure the company has adequate security incident monitoring mechanisms in place so that incidents can be detected in a timely manner
- Create a robust security incident handling and response plan, including detailed steps on communicating with internal and external stakeholders
- Test the security incident handling and response plan frequently and update the plan as needed to ensure adequate response in the event a security breach does occur
If you are concerned that you may be personally affected by the Equifax breach and to prevent potential misuse of your personal information, the Federal Trade Commission (FTC) recommends taking the following actions immediately:
- Contact the three credit agencies (Experian, TransUnion, and Equifax) and freeze your account. Freezing your account means that potential creditors will be blocked from viewing your credit file and history until you explicitly give permission to the credit agencies to “unfreeze” your account.
- Review recent credit reports to ensure that all information is accurate
- Monitor your tax transcript and look for changes in the address and filing date. Change all passwords to accounts and enable multi-factor authentication where applicable.
If you have already been breached, the Federal Trade Commission (FTC) recommends filing an identity theft report, which can be accessed here. For further information specific to the Equifax data breach, visit this webpage.
For more information about how to protect your organization from potential breaches, please contact CohnReznick’s Advisory Cybersecurity Practice Leaders, Bhavesh Vadhani, Principal, at Bhavesh.firstname.lastname@example.org or 703-847-4418; or Ken Fishkin, Director, at Ken.Fishkin@cohnreznick.com or 973-871-4048.
CohnReznick takes its clients' privacy very seriously and follows the best practices outlined in this communication.
© 2017 CohnReznick LLP
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.