It feels like we’re hearing about a new cyber breach every day. This month, Equifax announced that the personal data of 143 million customers had been compromised. Hackers took advantage of a flaw in the Apache Struts software that supported Equifax’s online dispute portal. As publications like The Atlantic noted, the public’s response to breaches has shifted from outright rage to annoyed resignation.
This doesn’t decrease the seriousness of the situation. The legitimacy of the information Equifax holds determines whether someone will be approved for a mortgage or receive a competitive rate on a loan. Rohit Chopra, former assistant director of the Consumer Financial Protection Bureau in the U.S., referred to Equifax and its peers Experian and TransUnion as “the plumbing of our financial system”.
So if a large and critical institution like Equifax can be hacked, what on earth can small business owners do to protect themselves?
A lot. A breach like this is often the result of ineffective policies, and we keep learning more about Equifax’s failures leading up to theirs. In the meantime, here is what small business owners can learn from the Equifax cyberattack.
Stay on Top of Your Software Updates
Hackers exploited the Apache Struts vulnerability in May. A patch had been available since March – two months before the breach. Equifax had revenue of over $3.1 billion in 2016 and the sensitive data of millions of people in its care, yet its security team failed to address a known vulnerability.
What’s more, Equifax didn’t notice the cyber breach until July.
The lesson for business owners is clear: Effective cybersecurity requires proactivity, not passivity. In this case, a simple software update might have prevented Equifax’s fiasco.
You don’t have to be a cyber-genius to keep out cybercriminals. Cybersecurity is an ongoing process: each time new defences are built, criminals find ways to circumvent them. The software companies you pay to provide your business’s tools do their part by regularly building new defences. It’s up to you to take implementing these defences (in the form of updates) seriously.
Make Cybersecurity an Organizational Priority
The chief information officer and chief security officer stepped down shortly after Equifax announced the breach. In addition, some reports suggested the executives lacked the technical qualifications for the job. In any case, the missed opportunity to fix a security flaw and the subsequent inability to notice the breach for two months indicate that the supposed caretakers of consumer data weren’t taking much care of it at all.
Don’t assume you’re too small for a cyber breach. You hold more information than an individual consumer, but have fewer protections than a large enterprise. In other words, your small business is an attractive target for cybercriminals.
How can small business owners make cybersecurity an organizational priority? In addition to staying on top of software updates, they should:
- Create a cybersecurity policy: It doesn’t have to be fancy. Educate employees on how to handle data and how to verify requests from external parties, and hold them accountable for following the policy.
- Educate employees about social engineering tactics: A 2016 study found social engineering is the most popular hacking method. Protect your company from disastrous employee errors by educating your employees on appropriate internet usage on company computers and how to recognize tactics like phishing scams.
- Regularly change passwords: Change passwords frequently and assign unique user IDs to each employee. Immediately revoke access from people who leave the company.
- Enable HTTPS: Protect the sensitive information you collect and transmit by encrypting it in transit.
- Hire appropriately: If your company heavily relies on IT, hire a chief security officer with the technical knowledge to stay on top of threats.
Create a Response Plan for Cyberattacks
Equifax reported the cyber breach to law enforcement and hired a cybersecurity firm, which is what it was supposed to do. On the other hand, its approach to giving customers the information they need to protect themselves has been roundly criticized.
Nothing is 100 percent secure, so it’s important to have a cyberattack response plan in place in case a breach occurs. Your plan should include:
- An explanation of where you store what information, so you can quickly assess how much has been compromised
- A list of which individuals are responsible for different elements of the cyber incident response plan
- Steps to take inventory of the damage for investigative, legal, and insurance purposes
- Steps to prevent follow-up cyberattacks
- Steps to detect and eliminate system intruders
- A plan of action for notifying customers, if deemed necessary
A lot of this requires expert advice. In the panicked aftermath of a cyber breach (or during an attack), you don’t have time to research the best cybersecurity firm. Conduct this research in advance to identify firms you can quickly turn to in the event of a breach.
Cover Yourself With a Cybersecurity Insurance Policy
Responding to a cyber breach isn’t cheap or easy. With all of its money and human resources, Equifax still fumbled its response with limited information, a frustrating process, and an overloaded call centre. Imagine covering the cost of mitigating the breach, notifying customers, paying for credit monitoring, hiring a lawyer, and more, all on a small business budget.
Cybersecurity insurance is no longer a niche policy only some businesses should consider. A cyber breach can devastate your business in much the same way physical damage can. Depending on the policy you choose, cyber insurance covers:
- A cybersecurity firm/expert
- Customer notifications
- Credit monitoring
- Legal fees
- Regulatory fines
- Business interruption
- A PR firm for damage control
Perhaps the biggest lesson of all from the Equifax breach is not to be complacent. All the money in the world won’t protect you if you don’t take cybersecurity seriously. Small business owners should do as much as they can to arm themselves against cyber threats and prepare their company for the possibility of responding to one.