Equifax Data Leak
With potentially 143 million customers and users affected, Equifax is facing one of the biggest and most challenging data breaches to date. However, the company states: “…the investigation, of unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” This leads us right back to our discussions on how well you’re managing and monitoring your security program and processes. This is not to say you can or should always point a finger at one technology team or another for breaches, but with today’s pressure for constant 24×7 monitoring and exhaustive security program management oversight, you can’t delay implementing new internal and external protective processes and procedures, or improving the ones you already have. Security, Risk Management and Business Resiliency need to be considered critical components of your core IT strategy! Senior IT management must have representation and weigh in on strategic business decisions and direction.
So what’s next?
You need to complete a risk and vulnerability assessment at least yearly, if not more frequently. You need to have a strong patch management program and an effective desktop management program in place. You need to integrate your business continuity, disaster recovery and restoration processes. They need to be fully vetted and tested at least once a year and audited (my recommendation is to have these audits done by an external partner or vendor). Audits of systems, applications (and application security methods), infrastructure, and security and risk processes and procedures need to be completed every year. The results and reports of these audits should not initially go to, or report up to, the IT or Security management teams or department. For example, your company or organization may have a compliance or regulatory department, possibly with a Chief Compliance Officer (CCO) or even a Chief Risk Officer (CRO) who reports directly to the CEO or Board of Directors. In smaller companies or organizations, the audit results and reports should possibly be reviewed by an external partner or vendor.
What do you need to do next, and how do you get help? Simple, let’s talk. You can contact me, Edward Nadareski, or schedule time with one of our expert security analysts at Cloud and Things, Inc. We have a great oversight and security program development and implementation process. We will help you get better at helping you!