PhoenixNAP Blog

Equifax Breach Raises an Important Question about Infrastructure Security and Compliance

    


Cybersecurity is in the spotlight again this week, and not in a good way.

In what is probably the worst personal data breach of the decade, hackers gained access to Social Security numbers, birth dates and addresses of 143 million Americans. The target was Equifax, a US credit reporting agency, which announced the details of the incident on September 7.

The actual hack took place in July and it allowed unauthorized access to credit card information of approximately 209,000 U.S. consumers, as well as to documents with personal identifying information of about 182,000 U.S. Equifax consumers.

The figures are astounding, and they certainly raise more than one question about security practices in companies handling sensitive personal and financial information, which should be under heavy compliance regulation. One of the crucial ones was raised by Alex McGeorge, the head of threat intelligence at the security firm Immunity, in a Wired interview.

While the company states that there is “no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases,” McGeorge asks:

 “If 143 million people could be affected and this does not touch your core, where were you keeping this data?”

While the consequences of the Equifax breach could certainly be devastating for US citizens, this incident is at the same time a warning and a reminder about the threats and consequences of inadequate data protection and reporting practices. McGeorge’s commentary gives an entirely new angle to the whole incident, shifting the focus from end users to data storage best practices.

As the details of how the breach happened have not been publicly disclosed yet, there is only speculation about how the hackers could have gained access to the data. This may have happened through a third-party vendor or through the company’s internal resources.

So, what are some basic ground rules around security and compliance at the infrastructure level?

While data security is typically seen from the perspective of endpoint practices such as access controls and firewalls, core protection involves much more than that. According to VMware research, attackers typically start at the perimeter and work their way into the data center, where about 80% of traffic is estimated to run without protection.

This means that true security should come from a well-rounded approach and an understanding of the role of infrastructure within the data center, where both hardware-level and software-level protection need to be deployed. These include state-of-the-art encryption technologies, hardware architecture that follows the highest security standards, fine-grained access controls and authorization policies, as well as advanced DDoS mitigation systems.

Combined with comprehensive problem and incident management systems, as well as continual monitoring for early threat identification and prevention, these technologies can help build a compliance and security platform that meets the needs of companies handling massive amounts of extremely sensitive data, as in the case of Equifax.

In reality, this is a complex task that requires broad expertise in all components of IT systems. To successfully build a battle-ready infrastructure, companies must work with security experts and ensure their operations are run on platforms that are secure by design.

This is the most effective way to increase the overall level of data security and be able to run a business without fearing a breach.

If there is a silver lining in the Equifax incident, it is the fact that it may have helped raise awareness about the importance of building a secure platform for sensitive workloads and choosing the right infrastructure to support this effort. With the current pace of growth of cybercrime, this issue is only going to become more important, not only for compliance industries but for all digital businesses.

At phoenixNAP, we have been working to further our abilities to address issues like this and provide the next-generation platform that can support the needs of companies handling sensitive data. In the following months, we will be launching a next-generation security platform that relies on the industry’s leading security systems and technologies to provide battle-ready, secure-by-design infrastructure.

If you’re interested in learning more about it, visit this page to find more details and sign up to be among the first to know once Data Security Cloud is live.


Categories: IT security