The world has experienced an increase in cybersecurity challenges as organizations become increasingly networked. Public and private sector organizations rely on computers and the internet for various operations, placing them at risk of attacks perpetrated over the same networks. Ever-developing technology and the related global cybersecurity threats have created serious concerns about the safety of data stored in information systems or transferred through the internet. In recent years, information security professionals have faced serious threats and attacks in various organizations. One of the most publicized attacks on information systems is the 2017 data breach at Equifax, a credit rating agency (Bernard, Hsu, Perlroth, & Lieber, 2017). Although the organization’s management realized the situation when it was too late, the security threat could have been mitigated by identifying and correcting the vulnerability in the website application system.
Summary of the Incident
Equifax is a global consumer credit reporting agency. The organization maintains vast databases of information on more than 800 million consumers globally. Besides the data on individuals, the agency keeps records of over 88 million businesses internationally. In 2017, the agency experienced a significant information security attack that put the vast information in its systems at risk of unauthorized access (Bernard, Hsu, Perlroth, & Lieber, 2017). The attack illustrates the risks facing private and confidential information. The agency, operating from Atlanta, is an appealing target for hackers mainly because of the vast amount of data stored in its systems. The attack was perpetrated using vulnerabilities in the U.S. website application to gain access to the target files.
Discussion of Risks
Companies at risk from cyber attackers usually hold vast information on individuals and organizations. For example, the global consumer credit reporting agency was targeted because the attackers were guaranteed to get crucial and sensitive information on consumers and businesses. As a result of the attack, personal information of around 143 million individuals was accessed (Bernard, Hsu, Perlroth, & Lieber, 2017). Identity thieves and other malicious users would use the identifying information for any purpose after gaining access. Besides the risk of retrieval of the data, the agency faced the risk of losing credibility (Solove & Citron, 2017). The agency’s clients would be concerned and worried about their personal information being accessed by malicious hackers.
Media reports indicate that a warning to the agency’s management about the vulnerability, which hackers could use to perpetrate an attack, was ignored. According to the CEO of SenecaGlobal, Ed Szofer, the cybersecurity breach against the agency was especially bad since the firm had been notified about the vulnerability, which needed to be rectified in Apache Struts (Robbins & Sechooler, 2018). The company had received the information long before the breach but failed to mitigate the risk, leading to the attack that affected the organization and its clients.
Recommended Solutions/Control Enhancements
Information security threats can be mitigated when the right information and resources to correct the vulnerability are available. The first step is to identify the gap in security through a vulnerability assessment (Mills & Harclerode, 2017). The process should be carried out regularly and also whenever the company makes significant changes to its information system. Upon identification of such a problem, the information security professionals working for the organization should implement effective measures to fix it and thereby avoid potential threats. According to Solove and Citron (2017), many information security threats occur due to unresolved gaps in security. In the case of Equifax, the vulnerability was already identified, leaving the information technology management team with the responsibility of implementing corrective measures. However, the professionals failed to mitigate the threats, leading to the massive breach in security and access to personal information.
The agency would have prevented the information security breach by implementing an effective policy for regular vulnerability assessment and steps to rectify such problems when identified. Efforts to protect the company and its clients from such violations of information security require a shift in culture as well as investment of resources in bridging gaps in information security. For instance, while Equifax received a warning about the potential breach due to systematic vulnerability, it lacked the right culture to ensure investment in and use of the correct processes to mitigate information security risks (Mills & Harclerode, 2017). Thus, the organization should have a team of professionals specializing in the assessment and detection of security threats to the agency’s information system, so that emerging issues are dealt with urgently and adverse incidents are prevented. Such measures are effective in ensuring that significant risks are avoided, while security breaches against the organization and its clients are minimized if they happen.
Conclusion
Information security challenges have increased due to the growing interconnectedness of computers and the internet. Hackers and other malicious attackers have more opportunities to breach information security within the organization and at any other point in the network. The attack on Equifax in 2017 is a recent example of such an event; it affected the agency’s information system, risking access to information of millions of its clients. The attackers used a known vulnerability in the information system, which could have been addressed if the agency had a team of professionals and resources specialized in securing the network.
References
Bernard, T.S., Hsu, T., Perlroth, N., & Lieber, R. (2017). Equifax Says Cyberattack May Have Affected 143 Million in the U.S. The New York Times. Retrieved from https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
Mills, J. L., & Harclerode, K. (2017). Privacy, mass intrusion, and the modern data breach. Fla. L. Rev., 69, 771.
Robbins, J. M., & Sechooler, A. M. (2018). Once more unto the breach: What the Equifax and Uber data breaches reveal about the intersection of information security and the enforcement of securities laws. Criminal Justice, 33(1), 4-7.
Solove, D. J., & Citron, D. K. (2017). Risk and anxiety: A theory of data-breach harms. Tex. L. Rev., 96, 737.