This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
Equifax is a multi-billion-dollar Fortune 1000 company that just experienced one of the biggest data breaches in history. This data breach potentially affects nearly all American adults. Media publications, Congress, and the public are currently in angry attack mode.
If you’re a small- or medium-sized city (or even a larger city), it may seem like there’s nothing much to be learned when comparing yourself to such a giant company like Equifax. Yet, there are three important lessons you can learn from the Equifax data breach that makes this a good time to review your current cybersecurity efforts.
1. The Equifax data breach stemmed from the company failing to patch software. What is your patch management strategy?
You know the story of David and Goliath. That’s how Equifax got taken down. Despite its size and revenue, hackers found one small security vulnerability in software that Equifax failed to patch—even though the vulnerability was well-known in the security community. The result? Hackers stole the PII (personally identifiable information) of 143 million people.
According to Ars Technica, hackers exploited “a Web application vulnerability that had been patched more than two months earlier. [...] [The company’s] disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites.”
Similarly, a lack of patch management became the reason why so many organizations were affected by the WannaCry ransomware virus earlier this year. Unfortunately, many cities still don’t proactively apply patches to software and systems. By failing to patch, cities are inviting a data breach with wide open arms.
We’ve written a lot about patch management in the past, but a few reminders include:
- Creating a policy and procedures that require proactive patch management on a regular schedule.
- Relying on IT professionals to oversee patch management. Non-technical employees may get distracted and/or apply patches incorrectly.
- Applying patches to all machines regardless of location. This includes patching remote machines (such as servers hosted someplace other than your city buildings) and devices (such as laptops and smartphones that employees use at home or while traveling).
2. The Equifax data breach showed a stunning lack of responsibility at a fundamental level to protect people’s personal, sensitive information. Do you see the safekeeping of citizen data as a critical responsibility?
What makes people especially angry about the Equifax data breach is that we have no choice about Equifax acquiring and using some of our most personal data. They are not a typical services company where we opt in to share our personal information. Equifax collects our information whether we like it or not.
Yet, Equifax failed as stewards.
According to Forbes, Equifax had a history of shoddy security practices that led to lawsuits, issues with PINs, security vulnerabilities, and smaller data breaches. Think about it. Equifax had not only a business incentive but also a responsibility to protect our data. Congress is now voicing that they will be looking at this situation.
Now, think about your city. It’s not a business where customers voluntarily offer up their personal information. They have no choice about you stewarding their personal, sensitive information or records that impact their families, properties, communities, or schools. Are you properly protecting and securing this data that you manage on behalf of your citizens?
Some signs that you are failing at your stewardship include:
- Unpatched software
- Old technology (especially more than 5 years old)
- Unsupported software
- Lack of data backup and disaster recovery
- Reactive IT support
- Lack of or poorly managed antivirus software
- Poor passwords and user authorization procedures
- Uncertainty around where your website is hosted
3. With more scrutiny and awareness about cybersecurity, the law becomes stricter. Are you following (or are you ready to follow) cybersecurity laws, regulations, policies, and government cybersecurity best practices?
2017 has been one of the most active Congressional sessions with passed and proposed cybersecurity legislation. For example, the
Modernizing Government Technology (MGT) Act would require government agencies to follow basic IT best practices—known as cyber hygiene—to prevent cybersecurity attacks. At the state level, a good example is
Arkansas’s SB138 that says cities can lose their charter if they do not comply with IT-related accounting practices.
Additionally,
we’ve noted that poor cybersecurity may also affect your ability to borrow money. If you’re negligent about your cybersecurity, then your municipal bond rating that financial institutions and insurance firms use as part of their calculations will likely take a big hit in the future. Borrowing money is essential for city operations, and failing to take basic cybersecurity steps may affect your city’s finances in the future.
If there is one overarching lesson from Equifax, it’s that cybersecurity is just becoming too big to ignore. For many years, cities and other organizations have pled technology ignorance, lack of budget, or that they had no need for proactive technology support. Those times are over.
Equifax failed in their stewardship, and time will show the impact to both Equifax as an organization and to the millions of people whose data they failed to protect. Individuals and families may now fall victim to identity theft. Your city must not fail in its stewardship of citizen information that includes both personal identifiable information as well as city records used to conduct city business for the benefit of the entire community. Your citizens trust you with their information. Can you truthfully say to them that you are protecting their information to the best of your ability?