Diagnosing Cyber Vulnerabilities of Systems that Support an Organization's Supply Chain
Introduction
Cybersecurity has become a critical concern for organizations of every size and industry. As dependence on technology grows, cyber threats are becoming more sophisticated and more frequent, posing a significant risk to organizations and their customers. In recent years, numerous high-profile breaches have affected major corporations and compromised sensitive information. One such example is the Equifax breach of 2017, which exposed the personal information of nearly 150 million consumers (Wang & Johnson, 2018). This paper discusses the Equifax breach, the importance of cyber defenses, and the applicable government requirements.
Background on Equifax
Equifax is one of the largest credit reporting agencies in the world; it collects and stores sensitive information, including Social Security numbers, birth dates, addresses, and credit card numbers. On September 7, 2017, Equifax announced that it had suffered a massive data breach affecting nearly 150 million people. The breach resulted from a known vulnerability in a web application framework used by Equifax's consumer-facing website, which the company failed to patch in a timely manner.
The vulnerability was a known weakness in the Apache Struts web application framework, an open-source framework widely used to build Java web applications. The flaw (tracked as CVE-2017-5638) lay in the way the Struts file-upload parser handled user-supplied data: the value of a malformed Content-Type header was incorporated into an error message and evaluated as an OGNL expression, so an attacker could execute arbitrary code on the server simply by sending a specially crafted HTTP request. A fix had been published in March 2017, roughly two months before the intrusion into Equifax's systems began in mid-May, but Equifax had not applied it. Because the vulnerable application remained exposed to the Internet, the attackers gained unauthorized access to Equifax's systems and stole sensitive personal and financial information.
The compromised data included names, addresses, birth dates, Social Security numbers, and driver's license numbers. In addition, approximately 209,000 individuals had their credit card numbers stolen, and approximately 182,000 had personal dispute documents accessed (Dongre et al., 2019; Wang & Johnson, 2018).
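To make the exploitation path concrete, the following Python script is an added example, not code from this paper or from the Apache Struts project: it scans the headers of raw HTTP requests for the OGNL expression markers that S2-045 (CVE-2017-5638) probes placed in the Content-Type header. The three requests are constructed samples; the malicious one imitates the shape of public proof-of-concept payloads and is not a captured Equifax artifact. The host names, paths and the marker list are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Constructed sample requests (hypothetical hosts and paths, not captured traffic).
# The third imitates the shape of public S2-045 / CVE-2017-5638 proof-of-concept
# probes: an OGNL expression carried in the Content-Type header, which the vulnerable
# Jakarta Multipart parser evaluated while building its error message.
SAMPLE_REQUESTS: List[str] = [
    "POST /upload.action HTTP/1.1\r\nHost: portal.example.internal\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: portal.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: portal.example.internal\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}\r\n\r\n",
]

# Markers that have no business in a Content-Type or Content-Disposition value.
# Each alternative is kept separate so the report can say which marker fired.
OGNL_MARKERS: List[str] = [
    r"%\{",                         # OGNL expression delimiter %{ ... }
    r"\$\{",                        # alternative delimiter ${ ... }
    r"@ognl\.OgnlContext@",         # static access used to disable the sandbox
    r"#_memberAccess",              # member-access sandbox variable
    r"java\.lang\.ProcessBuilder",  # process execution
    r"java\.lang\.Runtime",
]
OGNL_RE = re.compile("|".join(OGNL_MARKERS))
SCANNED_HEADERS = ("content-type", "content-disposition")


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values for a raw HTTP/1.1 request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def ognl_markers_in(raw: str) -> List[str]:
    """Return the distinct OGNL markers found in the scanned headers (empty if clean)."""
    headers = parse_headers(raw)
    hits = set()
    for name in SCANNED_HEADERS:
        hits.update(m.group(0) for m in OGNL_RE.finditer(headers.get(name, "")))
    return sorted(hits)


def is_ognl_probe(raw: str) -> bool:
    """True when at least one OGNL marker appears in a scanned header."""
    return bool(ognl_markers_in(raw))


def flagged_indices(requests: List[str]) -> List[int]:
    """Indices of requests that look like S2-045 probes, for feeding an alert."""
    return [i for i, r in enumerate(requests) if is_ognl_probe(r)]


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_REQUESTS):
        markers = ognl_markers_in(raw)
        verdict = "PROBE" if markers else "clean"
        print(f"request {i}: {verdict} {markers}")
```

A match is high-signal, because no legitimate Content-Type value contains `%{` or `${`, but the check is only useful where the web tier actually records request headers; many access-log formats keep just the request line, which is one reason probes of this kind are easy to miss. The scan also covers only request headers: a later variant of the same CVE (S2-046) carried the expression in the filename of a multipart body part, which requires parsing the request body, and a host that has already been exploited will show post-exploitation activity rather than further probes.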
The Equifax breach had significant consequences both for the individuals whose information was compromised and for the company itself. For the individuals affected, the stolen personal information could be used for identity theft or other fraud (Dongre et al., 2019). For Equifax, the breach led to numerous lawsuits and investigations and a significant loss of customer trust. Equifax's remedial steps, which came late, included improving its data security systems and increasing transparency and communication with the public; the company was nonetheless criticized for an initial response that was widely seen as slow and inadequate. Government agencies at both the state and federal levels investigated the breach and the company's response. In July 2019 the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories reached a settlement with Equifax worth up to $700 million, one of the largest penalties ever imposed over a data breach (Dongre et al., 2019).
Importance of Cyber Defenses
The Equifax breach highlights the importance of cyber defenses. In a globalized, digitized, and tightly interconnected world, a single breach can have far-reaching consequences, not only for the affected organization but also for its customers, partners, and other stakeholders. Organizations therefore need robust cybersecurity measures to protect their systems and data: regular patching of software, encryption of sensitive information, multi-factor authentication, and regular security audits.
For that reason, the importance of cyber defenses and organizational hardening across an organization's supply chain cannot be overstated. Organizations must be prepared for cyber attacks; preparation is part of the cost of doing business in the digital age. Preparation means having, and testing, robust safeguards that protect data and systems. Defensive measures such as encryption, multi-factor authentication, and password management are essential for protecting against malicious actors. Organizations should also invest in hardening measures such as user access control, an accurate inventory of the third-party components their systems depend on, timely patching of those systems, and continuous monitoring of the IT environment. These measures protect the organization, its data and systems, and its customers, and help keep the supply chain secure against cyber threats (Wang & Johnson, 2018).
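One concrete form of "patching of systems" for third-party components is to measure patch lag from a component inventory. The following Python script is an added example, not code from this paper or from any vendor: given a constructed inventory of hosts and the struts2-core version each runs, it flags the versions affected by S2-045 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1) and reports how many days each has been exposed since the advisory date. The host names, owners and the as-of date are assumptions; the advisory date of 6 March 2017 is used as the reference point.

```python
from datetime import date
from typing import Dict, List, Tuple

# Apache S2-045 (CVE-2017-5638) was published in early March 2017 together with the
# fix releases; this date is the reference point for the patch-lag calculation.
ADVISORY_DATE = date(2017, 3, 6)

# Affected ranges from the S2-045 advisory (inclusive), and the first fixed
# release on each branch.
AFFECTED_RANGES: List[Tuple[str, str]] = [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]
FIXED_BY_BRANCH: Dict[Tuple[int, int], str] = {(2, 3): "2.3.32", (2, 5): "2.5.10.1"}

# Constructed inventory (hypothetical hosts and owners, not Equifax data).
INVENTORY: List[Dict[str, str]] = [
    {"host": "web-01", "component": "struts2-core", "version": "2.3.31", "owner": "consumer-portal"},
    {"host": "web-02", "component": "struts2-core", "version": "2.5.10.1", "owner": "consumer-portal"},
    {"host": "api-03", "component": "struts2-core", "version": "2.3.32", "owner": "partner-api"},
    {"host": "legacy-07", "component": "struts2-core", "version": "2.5.10", "owner": "dispute-portal"},
    {"host": "batch-04", "component": "commons-fileupload", "version": "1.3.2", "owner": "batch"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); pad to four fields so tuple comparison is sound."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True if this struts2-core version falls inside an S2-045 affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def upgrade_target(version: str) -> str:
    """First fixed release on the same branch, or 'unknown' for an unlisted branch."""
    branch = parse_version(version)[:2]
    return FIXED_BY_BRANCH.get(branch, "unknown")


def exposure_report(inventory: List[Dict[str, str]], as_of: date) -> List[Dict[str, object]]:
    """One record per host running an affected struts2-core, with days since the advisory."""
    report: List[Dict[str, object]] = []
    for item in inventory:
        if item["component"] != "struts2-core" or not is_affected(item["version"]):
            continue
        report.append({
            "host": item["host"],
            "owner": item["owner"],
            "version": item["version"],
            "upgrade_to": upgrade_target(item["version"]),
            "days_exposed": (as_of - ADVISORY_DATE).days,
        })
    return report


if __name__ == "__main__":
    # 13 May 2017 is used here as the as-of date for the demonstration run.
    for rec in exposure_report(INVENTORY, date(2017, 5, 13)):
        print(f"{rec['host']:<10} struts2-core {rec['version']:<9} -> upgrade to {rec['upgrade_to']}"
              f" ({rec['days_exposed']} days since advisory; owner {rec['owner']})")
```

A version check of this kind answers "are we exposed to this advisory?" and gives each owner a deadline; it does not tell you whether the exposed host was already probed or exploited, which requires reviewing request logs and host activity. It also depends entirely on the inventory being complete: a Struts deployment missing from the list is exactly the kind of system that stays unpatched.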
However, organizations must also focus on end-user protections. While organizations can take many measures to secure systems and data, one of the biggest risks often comes from within, in the form of end-users. End-users such as employees, contractors, and even customers can pose a significant risk to an organization's cybersecurity: they may be unaware of current threats and how to protect against them, or they may engage in risky behavior such as using weak passwords or clicking suspicious links. For instance, an employee may download malware by clicking a link in a phishing email, or reuse the same password across multiple accounts, making it easier for criminals to gain access to sensitive information.
Several common end-user risks deserve attention: phishing, weak passwords, unsecured personal devices, and social engineering. Phishing messages appear to come from a legitimate source but are designed to trick the recipient into revealing sensitive information or running malicious content. Many end-users still choose weak passwords such as "123456" or "password," which attackers can guess almost instantly. Many also use personal devices such as smartphones or laptops to access work information without adequate security controls on those devices. Finally, social engineering is the use of psychological manipulation to trick individuals into revealing sensitive information; for example, an attacker may pose as a customer-service representative and ask an end-user for a password.
To reduce the risk of end-users compromising an organization's security, it is essential to educate them and raise awareness. This includes regular training on current threats and how to counter them, along with security policies and procedures that guide end-user behavior. Awareness alone is not sufficient, however; technical controls such as multi-factor authentication and least-privilege access limit the damage when a user is inevitably fooled.
Applicable Government Requirements
Governments around the world have recognized the importance of cybersecurity and have adopted regulations and standards to protect sensitive information. In the United States, for example, the Federal Trade Commission (FTC) enforces privacy and data-security obligations under its consumer-protection authority, while the Securities and Exchange Commission (SEC) has issued guidance on cybersecurity disclosure by public companies. Other jurisdictions have comparable regimes, including the General Data Protection Regulation (GDPR) in the European Union and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.