The massive exfiltration of data from Equifax—Social Security numbers and more vital information on perhaps 143 million persons—serves a chilling notice.
If one of the three big U.S. credit reporting agencies can be successfully hacked, then any company storing personally identifiable information can pretty much assume the worst about its own vulnerability.
But as always in cyber defense, resources are limited and information security officers need to prioritize. The only clue Equifax offered about the nature of the attack was that it "exploited a U.S. website application vulnerability to gain access to certain files." Not much help.
So we’re offering five articles that should help you think through your own cybersecurity review, balancing effort versus benefit.
5 Questions Boards Should Ask about Cybersecurity
“How Good Is Our Cyber Risk Visibility?”
“How Well Do Personnel Understand What’s Expected of Them?”
In this post, RiskLens founder Jack Jones suggests the simple but penetrating questions organizations need to face well before a data breach crisis. “Executive management can learn to identify and focus on the strategic and systemic sources of cyber risk, without becoming distracted by complex technology-related symptoms,” Jack writes.
How to Spot Data Breaches in Audit Trails [FAIR Institute Blog]
Equifax said that its system was first penetrated in May 2017, but the breach wasn’t discovered until late July. Jack Jones writes that “typical access logs will rarely be able to definitively tell us that a breach has occurred,” but he has some tips for combing through logs for clues.
Case Study: How to Evaluate Audit Findings
To patch or not to patch… When a manufacturing company fell behind on patching, the audit recommendation was to double up on patch efforts. The IT department argued that the return on investment just wasn’t there. The RiskLens application settled the debate with a quantifiable before/after risk analysis.