Cybersecurity – or Lack Thereof – Continues to Haunt Businesses and Individuals
Thomas G. Stephens, Jr., CPA, CITP, CGMA
On September 7, 2017, Equifax announced a cybersecurity data breach that potentially impacted up to 143 million consumers in the United States. From a period of mid-May through July 2017, information such as name, Social Security numbers, birth dates, addresses, and in some cases, driver’s license numbers were compromised. Additionally, credit card numbers for approximately 209,000 consumers and certain other documents containing personal identifying information on approximately 182,000 consumers were also accessed. Additionally, limited information about an undisclosed number of residents of Canada and the United Kingdom was accessed in the breach.
Interestingly, although Equifax discovered the issue in July 2017, company officials elected not to inform consumers until September. This, coupled with some company executives selling Equifax stock during the “dead period”, has led to a firestorm of criticism surrounding the event.
THE CONTINUED NEED FOR IMPROVED ORGANIZATIONAL CONTROLS
The Equifax breach was not the first widespread data breach, nor will it be the last. In fact, although the number of records disclosed was very large – 143 million – it is quite possible that the actual impact on consumers will be relatively small. This is because many of these same records were probably already breached in other high-profile incidents such as those impacting Target, Adobe, Home Depot, Anthem, and others. In fact, some estimates place the total number of records breached in the United States at 5 billion!
Clearly, hackers continue to find holes in organizational security procedures, pointing to the need for ever-increasing data security controls and end-user training. The days of relying on firewalls and antimalware software as our primary security controls are well past us and organizations should currently be engaging in “active” controls such as penetration testing, data monitoring, data loss prevention, and “white hat” attacks to help ensure that the sensitive information entrusted to them does not end up becoming compromised.
SIX STEPS YOU SHOULD CONSIDER TAKING TO MINIMIZE YOUR INDIVIDUAL RISK
To minimize the threat that the Equifax breach – or any other – ends up costing you, there are a number of steps that many experts advise you to take. Among the ones that I think make the most sense include the following.
- Visit www.equifaxsecurity2017.com to Determine if Your Data was Compromised. At this Equifax-sponsored site, you can click on an Am I Impacted? button to determine if Equifax believes that your data may have been compromised.
- Enroll in Identity Theft and/or Credit Monitoring Services. Equifax is providing one year of identity-theft and credit-monitoring services to all U.S. consumers free of charge. This service is known as TrustedID Premier and includes monitoring of your credit reports in all three major credit bureaus, a copy of your Equifax credit report, the ability to lock and unlock your Equifax credit report, identity theft insurance, and Internet scanning for your Social Security number. To enroll, visit www.equifaxsecurity2017.com and complete enrollment process by November 21, 2017.
- Be Vigilant About Not Clicking on Links or Attachments in Emails that Purport to be Related to this Incident. We expect a new round of phishing attacks that will attempt to use this security breach as the ruse to entice consumers to click on links that are related to fraudulent activities.
- Order Copies of Your Credit Reports. Whether you choose to participate in Equifax’s free one-year subscription to TrustedID Premier, you should obtain copies of your credit reports and carefully scrutinize all reported accounts and activities for signs of foul play. Remember, you can order these from each of the three major credit reporting agencies – Equifax, Experian, and TransUnion – once per year at no charge. We recommend that you consider ordering one report from a different provider every four months so that you can stay up-to-date on the status of all your accounts.
- Change All Your Financial Passwords Frequently. It is always wise to change your passwords and other authentication measures frequently. Therefore, if a criminal does somehow gain access to your password, it is possible – if not likely – that it would be outdated, and therefore useless, because you would have already changed it. Additionally, consider using a password management tool such as DashLane, Roboform, or LastPass to help you create and manage your passwords.
- Enable Two-Factor or Multi-Factor Authentication Whenever and Wherever Possible. In addition to using a username/user ID and a password to log-in, with two-factor or multifactor authentication, a code is sent to a device you have in your possession – generally your cell phone – and you also must enter that code to login to your accounts. With this protection enabled, a criminal would have to know your username/user ID and password and also have your cell phone in their possession in order to access your account, a highly unlikely probability.
As indicated previously, the Equifax breach was not the first and it will likely not be the last. And as with virtually all previous breaches, this one demonstrates two things: 1) organizations must do a better job of mitigating the risk of a breach and 2) consumers will still bear the burden of monitoring their own credit reports and identities to ensure that they do not experience financial loss resulting from corporate data breaches. These are two of the realities we must face.
Mr. Stephens is a shareholder in K2 Enterprises, where he develops and presents continuing professional education programs to accounting, financial, and other business professionals across North America. You may contact him at firstname.lastname@example.org.