Kiersten Todt, Managing Director for the Cyber Readiness Institute, answers a question in light of recent breaches.
Question: The recent breaches at Equifax, HBO, and Anthem, and the WannaCry and Petya malware attacks are epic in scope and their cascading impacts, both to their enterprises, as well as to the broader digital economy, are still being understood. What could have been done to prevent these? How can small and mid-sized businesses learn from these breaches?
Answer: CYBER RISK MANAGEMENT. Every enterprise, regardless of size, needs to take a risk management approach to its cybersecurity. As a start, putting basic controls in place is necessary. For example, these enterprises should routinely patch their network, based on those patches that are issued (e.g., WannaCry was a security flaw identified weeks before the breach, for which patches were issued; those affected by WannaCry were enterprises that were not routinely patching and therefore had not installed this patch; in the Anthem breach, data access security controls were lax and attackers gained access to five sets of employee credentials).
Additionally, these enterprises need to identify critical business data and ensure appropriate protections are in place to secure that data, including, at a minimum, managing access to the network through strong authentication. While the investigation is still underway into the Equifax breach, we are learning that part of the vulnerability came from using default passwords and a failure to patch a vulnerability that had been previously identified by US-CERT and about which Equifax had been contacted.
In 2017, there is no excuse for an enterprise of any size to fail to do the basics in cybersecurity risk management - patching, changing passwords, education and awareness on commonly-used threat vectors (i.e., phishing), to name a few.