It’s important that we learn from mistakes like data breaches. Whether the mistake is our own or someone else’s, each one serves as a valuable lesson. In IT, these failures can be disastrous, so it’s vital not to repeat them.
In this short series of blog posts, we’ll discuss some major failures and the lessons we can draw from them. We’ll examine what happened in each case so that you can make sure you don’t follow in their footsteps.
Cases of Avoidable Data Breaches We Can Learn From
Over 75% of businesses were victims of phishing attacks in the last year, highlighting how dangerously common these attacks are.
Part I – How Operational IT Failure Crippled Equifax
Most recently, Equifax suffered a massive breach that could affect millions of people. Today, we’ll examine this event, the kinds of operational failures that allowed it to happen, and the security lessons we can learn from it.
What Caused The Breach?
Equifax claimed that the data breach was due to a vulnerability in Apache Struts, an open-source Java web application framework. While vulnerabilities did exist in the framework, they were quickly patched by the project. It’s possible that the breach resulted from a slow patching process at Equifax, which left the vulnerability open long after a fix was available.
It’s also possible that the breach was caused by a zero-day. The term derives from how long a vulnerability has been publicly known, and therefore how long vendors and programmers have had to fix it: a zero-day vulnerability is one that no one knew about beforehand, so no fix could have been in place. Such vulnerabilities are highly valued by malicious hackers, by governments, and by the company that developed the software in question. While it’s possible that a zero-day was at fault here, it’s highly unlikely.
Even if, as Equifax claims, the vulnerability was in Apache Struts, that is still no excuse. Any single vulnerability in a web application should be contained by rigorous, layered security controls throughout the system so that one flaw cannot lead to a breach, especially at a company that handles such sensitive information.
Most likely, this breach was caused by negligence on Equifax’s part. They didn’t apply nearly enough layers of security across the business, lacked operational procedures to identify and mitigate attacks, and didn’t have basic IT controls in place to protect their customers.
How Did These Mistakes Occur?
It’s easy to think that the data breaches we hear about won’t happen to you, but that’s an extremely dangerous assumption, especially for organizations that handle vital information, as Equifax does.
This is especially true given that there’s a 27% chance that any given business will experience a breach within the next two years. Remember that you’re always vulnerable to breaches, and you should keep pursuing more and better security measures to make yourself a less attractive target and to defend your business should an attack occur.
Clearly, this is what Equifax didn’t do. They failed to patch Apache Struts for over two months after the vulnerability was disclosed. For an organization that handles financial information, this is a dangerous degree of negligence. Given that, it’s not surprising to learn that they had been notified of a cross-site scripting vulnerability as far back as 2016. This demonstrates a sadly common lack of commitment to maintaining tight security measures at every level of a business.
An attitude towards security like this isn’t caused by just one person, or even a few. It’s a problem that starts at the top and permeates the whole business. Likely, many IT staff felt the existing security measures weren’t adequate, but the culture dissuaded them from speaking out. In businesses like this, security costs are seen as a burden to minimize, not as protection to maximize.
How Expensive Are Such Breaches?
Large-scale data breaches like the one suffered by Equifax result in many costs.
First, there’s the cost of downtime, which can be enormous. It varies widely from industry to industry and from business to business, but almost every major business reports that each hour of downtime costs at least $100,000.
For heavily technology-reliant sectors like finance, downtime can cost millions per minute. Large-scale data breaches result in many hours of downtime, causing huge losses in productivity and therefore in revenue.
While downtime is a significant portion of the cost of a data breach, there are also potential litigation costs to consider. If the breach is serious enough, and it’s determined to be the fault of the business, customers may take legal action. It’s impossible to say in advance how much this will cost you, but these expenses are almost always substantial and consume a great deal of time and resources.
Far harder to measure is the brand damage a business suffers from a data breach. Your customers will invariably lose faith in your business, which can seriously affect your operations well after the breach has been resolved and damages paid.
Because the costs come from so many sources, the full impact of a data breach of this magnitude is difficult to measure. You may not know exactly how much you’ll suffer, but one thing is clear: you cannot afford to be put in this situation.
How Can I Protect My Business From Operational IT Failure?
Now that you understand the consequences of being unprotected, consider the many different solutions available that can help improve your security.
One of the most popular ways to improve security is to use comprehensive software asset management services. This kind of service helps you choose the software you need and manage each tool, including keeping it patched, to ensure maximum efficiency.
Another service your business can benefit from is an end-to-end security solution. These IT security software and hardware services strengthen your security with powerful tools.
Part II – Phishing Scam Costs MacEwan University $12M
In late August, MacEwan University was hit by an $11.8M phishing scam. In today’s entry in our series on cases where IT fails, we’ll examine how this happened and how you can prevent it from happening to you.
How Did The Scam Occur?
A series of phishing emails claiming to be from one of the university’s vendors convinced three low-level staff to alter banking information.
Clark Builders, the vendor the fraudsters impersonated, had been working closely with the university for over a decade and had been involved in several major projects with it, including the consolidation of its various campuses.
Clearly, the two had a long working relationship.
The fraudsters carefully copied the official brand guidelines, logo, and every other detail that would appear in a legitimate Clark Builders email. They used this to convince staff at the university that Clark had changed some of its critical financial information and that updates were needed to ensure proper payment could be processed.
The three staff members failed to independently verify the emails with the vendor or with any senior employee before proceeding, allowing the fraudsters’ phishing attempt to succeed.
Once the banking information was updated, three separate payments were made to the fraudsters. The first payment was made on August 10th, for $1.9M. On August 17th, the second payment went through for $22,000. The last payment, made on August 19th, was for the remainder, amounting to $9.9M. The issue was only discovered after Clark Builders contacted the university asking why it hadn’t been paid.
Ultimately, the scam was a success, not because of the cleverness of the phishing attempt, but because of human error and a lack of proper controls.
How Could It Have Been Prevented?
There are two ways that MacEwan could have protected itself against this attack. The first and most important was to properly train staff to recognize the methods fraudsters use to mislead their victims. Staff should have been trained to be careful with any form of external email, especially one carrying attachments or links.
Independent verification should have taken place before any requested changes were made to vital systems, to ensure that the source of the request was legitimate.
Employees ought to have been trained never to click links or download files that aren’t from completely trusted and verified sources. This is especially important given that 30% of all phishing emails get opened.
Many people are ignorant or dismissive of the danger their negligence can create. As a result, you need to evaluate your employees’ existing knowledge and diligence, and then plan a training program that addresses any shortcomings. Even a strongly worded memo can go a long way towards raising awareness.
There’s also the matter of dealing with problem staff. Whether out of willful neglect or unconscious complacency, problem employees can bypass procedures and reduce the effectiveness of your protection against phishing. The best way to handle these cases is to put incentives in place so that procedures are consistently followed, and to designate specific roles that are responsible for monitoring these initiatives.
The second way to reduce the chance of a successful phishing attack is to implement proper controls. In MacEwan’s case, if procedures had required key personnel from each party to confirm that a significant change had genuinely been requested before confidential payment information was altered or re-entered, this incident wouldn’t have happened.
Unfortunately, neither method is practical for many small or medium-sized businesses that lack the IT expertise or resources to ensure thorough training and procedures are implemented. That is an accident waiting to happen.
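The verification step and the change control described above can be enforced in the payment system itself rather than left to individual judgement. The following is an added illustration, not MacEwan’s or Clark Builders’ actual procedure or code; the vendor record, phone numbers, approver roles and the fraudulent request are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical roles allowed to approve a payment-detail change (assumption).
SENIOR_APPROVERS = {"controller", "ap_manager"}

@dataclass
class VendorRecord:
    name: str
    contact_email: str   # address on file from when the vendor was onboarded
    callback_phone: str  # phone number on file, used for out-of-band confirmation
    bank_account: str

@dataclass
class ChangeRequest:
    vendor: str
    from_email: str
    new_bank_account: str
    # Number the email itself asks us to call. Deliberately never used for
    # verification: a fraudster controls it just as they control the email.
    phone_in_email: Optional[str] = None
    confirmed_via_phone: Optional[str] = None  # number accounts payable actually dialled
    approvals: set = field(default_factory=set)  # roles that signed off

def blockers(vendor: VendorRecord, req: ChangeRequest) -> list:
    """Return the reasons this request must not be applied (empty list = allowed)."""
    problems = []
    # Sender check is necessary but not sufficient: From: headers can be forged.
    if req.from_email.lower() != vendor.contact_email.lower():
        problems.append("sender address does not match vendor contact on file")
    # Vendor side: confirmation by callback to the number on file, not to
    # any number supplied in the request.
    if req.confirmed_via_phone != vendor.callback_phone:
        problems.append("no vendor confirmation at the phone number on file")
    # Institution side: a senior employee, not only the clerk, must approve.
    if not (req.approvals & SENIOR_APPROVERS):
        problems.append("no senior approval on the institution side")
    return problems

def apply_change(vendor: VendorRecord, req: ChangeRequest) -> bool:
    """Apply the new bank account only when every control is satisfied."""
    if blockers(vendor, req):
        return False
    vendor.bank_account = req.new_bank_account
    return True

# Constructed sample: a vendor on file, then a fraudulent request that supplies
# its own callback number and was handled only by a clerk.
VENDOR = VendorRecord("Example Builders", "ap@example-builders.test", "+1-555-0100", "ACCT-OLD")
FRAUD = ChangeRequest("Example Builders", "ap@example-builders.test", "ACCT-NEW",
                      phone_in_email="+1-555-0199", confirmed_via_phone="+1-555-0199",
                      approvals={"clerk"})
```

Calling `apply_change(VENDOR, FRAUD)` refuses the change and leaves the old account in place; the same request confirmed at the number on file and approved by a senior role goes through.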
Protect your Business from Phishing
Because most organizations lack the expertise to handle this themselves, it makes sense to hire IT consultants who can help you identify areas of weakness in your business. Services like this give your business the benefit of a fresh perspective with proven effectiveness.
In our next, and final, entry in this series, we’ll examine the key takeaways from each of the previous entries that you need to know to ensure your IT doesn’t fail you.
Part III – Insights and Moving Forward
Today, we’ll discuss each of the major insights we’ve gained from this series, and how you can integrate them into your business.
Equifax’s Failure to Implement Security
In our first entry, we learned how Equifax failed to address a security flaw in one of its systems, resulting in millions of people’s financial information being exposed. The breach was caused by negligence: they hadn’t implemented nearly enough security controls to keep the sensitive information they housed safe.
Equifax failed to meet the minimum security standards required when handling sensitive financial information. They didn’t patch Apache Struts, the framework containing the vulnerability. Two months had passed between the vulnerability’s disclosure and the breach, so they had ample time to patch the software.
Ultimately, this vulnerability wasn’t fixed because of an organization-wide negative attitude towards the value of security. Otherwise the issue, once discovered, would have been fixed immediately. They saw security and IT as a cost to endure, and therefore minimize, instead of a source of protection to maximize.
How Can You Prevent Yourself From Being The Next Equifax?
The consequences of a data breach like this are severe. It’s likely that, if Equifax survives this debacle, they will never be as trusted and successful as they once were.
If your business has a culture that promotes the importance of security, along with the expertise needed to ensure it’s properly implemented, then you likely already have what you need to be a tough target for malicious hackers. If, like most organizations, that isn’t the case, then you need services and experts who can protect you from software vulnerabilities. Software asset management solutions can help keep your business from suffering the way Equifax did.
MacEwan University’s Embarrassing $12M Phishing Scam
One of the university’s vendors, Clark Builders, was impersonated in a series of phishing emails. The emails, which closely copied Clark Builders’ standard email branding, convinced staff that Clark’s payment information needed to be updated. Once that was done, three separate payments were sent to the updated account.
The three payments, $1.9M on August 10th, $22,000 on August 17th, and the last for $9.9M on August 19th, were made to the fraudsters before Clark Builders called and asked why it hadn’t been paid yet. Only then did the school become aware that it had been fooled.
The scam succeeded not because the fraudsters were uniquely clever, but because there was a distinct lack of proper controls in place to validate significant changes before acting on them.
How Can You Learn From MacEwan’s Embarrassment?
There are two ways you can avoid becoming a victim the way MacEwan University was. The first is to train your staff so that they can distinguish a phishing attempt from a legitimate email. While this isn’t foolproof, it can significantly reduce the number of bad links and lazy phishing attempts you’ll need to worry about.
The second is to implement strict controls over requested changes, so that anything significant, like the changes the fraudsters requested, is verified by both parties before it takes effect.
If you’re unsure how to implement these protections, contact well-known IT consultants. They’ll be able to identify areas of weakness in your security and recommend solutions that can keep you safe from fraudsters and malware.
Why Managed IT Services Are The Perfect Solution
The trend in all these cases is clear: you need to be protected. Whether it’s a data breach caused by negligence, a phishing scam that exposes a lack of controls, or a disaster, you cannot assume you’re safe. Even now, businesses around the world are suffering from a lack of protection.
In all of these cases, managed IT is a proven solution that’s already widely used. In fact, nearly 70% of all small businesses already use some form of managed IT service. These businesses recognize that they can’t match the technical expertise of a managed provider at such a low cost. The alternative is to build an in-house IT function, which is costly and less effective, since you’re limited to one individual who may get sick or seek other work, instead of leveraging a whole team that can cover gaps.
Even for companies with a lot of technical expertise, managed IT makes sense, because your staff can be more productive when they don’t have to worry about putting out IT-related fires.
Most of all, managed IT services can help protect you from the situations each of the cases above suffered from. A competent managed IT services company will ensure that your software is up to date and protected, helping to prevent breaches like the one Equifax suffered. They can also provide protection against phishing attempts and consult on training to ensure you avoid falling for phishing schemes.
It’s vital that you work with a trusted managed IT services provider, so you can focus on other areas of your business while remaining protected. Contact PCM when you decide to ensure the safety of your business.