Long before Equifax suffered an embarrassing data breach that compromised the personal and financial records of more than 143 million people, the U.S. Department of Homeland Security (DHS) designated October as National Cyber Security Awareness Month (NCSAM). The DHS’s stated intent with this designation is to “engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.” Given the scope of the Equifax breach, the DHS and its partners may want to step up their efforts.
The 2017 NCSAM will focus on several themes, including simple steps that can be implemented to improve online security, expanding cybersecurity awareness to all employees in a business, cybersecurity challenges in view of new technologies, cybersecurity career opportunities, and critical infrastructure protection from cyberattacks. In keeping with the broader theme of awareness, some cybersecurity analysts have also emphasized the importance of earlier detection of a data breach. One software engineer, for example, has noted “once you hear about something like [Equifax] on the news, it’s way too late. Hackers have probably been [in those accounts] for months. They have a way of getting into these systems that leaves no tracks.”
Businesses can certainly raise the bar against cyberattacks by focusing on the first two themes of this year’s NCSAM, namely, taking a few simple steps to improve online security and engaging all employees in the business’s cybersecurity efforts. Requiring multi-factor authentication for system logins, requiring employees to use long, unique passwords that are reserved for the business’s systems and changed whenever compromise is suspected (current NIST guidance in SP 800-63B no longer recommends forced periodic rotation, which tends to produce predictable variations of the same password), and restricting how and from where employees log into the business’s networks remotely (for example, only through a VPN or gateway that itself enforces multi-factor authentication) will all raise the level of security of its systems.
Engaging employees in a business’s cybersecurity efforts involves regular training and education to minimize the negligence and errors that give an email scam or ransomware attack its initial foothold. Attackers have become adept at sending email messages that appear to come from company executives, typically by forging the display name while sending from a free webmail account or a look-alike domain, and by setting a Reply-To address that routes answers back to the attacker. Email phishing awareness needs to be at the top of every employee training effort so that employees can tell a scam from a genuine message, and so that they know to verify unusual requests (wire transfers, gift-card purchases, credential resets) through a second channel such as a phone call. Employees should also be encouraged to report suspected or actual incidents as soon as possible, without fear of repercussions even when their own mistake is what gave the attacker access, because early reporting is what turns a successful phish into a contained one.
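To make the executive-impersonation pattern described above concrete, here is a small header-analysis routine that flags the three tells named in the paragraph: an executive’s display name paired with an address that is not the executive’s, a sender domain that merely resembles the corporate domain, and a Reply-To that points somewhere other than the sender. This is an added example, not code from the original article or from any product it mentions; the corporate domain, the executive directory and the three sample messages are constructed for illustration.

```python
"""Heuristics for spotting executive-impersonation phishing from mail headers.

Added example (not from the original article). CORPORATE_DOMAIN, EXECUTIVES and
SAMPLE_MESSAGES are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate identity and a tiny executive directory (constructed).
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",    # CEO
    "raj patel": "raj.patel@example-corp.com",  # CFO
}

# Single-character look-alike substitutions seen in typosquatted domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Words that signal the time pressure typical of payment-fraud lures.
PRESSURE_WORDS = ("urgent", "wire", "gift card", "immediately")


def normalize_domain(domain: str) -> str:
    """Collapse common look-alikes so 'examp1e-c0rp.com' compares as 'example-corp.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain resembles, but is not, the corporate domain."""
    d = domain.lower()
    if d == CORPORATE_DOMAIN:
        return False
    norm = normalize_domain(d)
    return norm == CORPORATE_DOMAIN or edit_distance(norm, CORPORATE_DOMAIN) <= 2


def analyze_headers(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reasons = []

    # Tell 1: a known executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name {from_name!r} is an executive but address is {from_addr}")

    # Tell 2: sender domain is a look-alike of the real corporate domain.
    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} resembles {CORPORATE_DOMAIN}")

    # Tell 3: replies are silently redirected to a different domain.
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Supporting signal: pressure language in the subject line.
    subject = msg.get("Subject", "")
    if any(word in subject.lower() for word in PRESSURE_WORDS):
        reasons.append(f"pressure language in subject: {subject!r}")
    return reasons


# Constructed sample messages: one genuine, two impersonation attempts.
SAMPLE_MESSAGES = {
    "legit": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "To: ap@example-corp.com\nSubject: Q3 board deck\n\nAttached.\n"
    ),
    "freemail": (
        "From: Jane Doe <jane.doe.ceo@gmail.com>\nReply-To: jane.doe.ceo@gmail.com\n"
        "To: ap@example-corp.com\nSubject: Urgent wire transfer\n\nNeed this done today.\n"
    ),
    "typosquat": (
        "From: Raj Patel <raj.patel@examp1e-corp.com>\nReply-To: finance@examp1e-corp.com\n"
        "To: ap@example-corp.com\nSubject: Vendor payment update\n\nPlease update the account on file.\n"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Run the heuristics over every constructed sample and return the findings."""
    return {name: analyze_headers(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(name, "->", reasons or ["no indicators"])
```

These checks are deliberately cheap and header-only, so they can run at the mail gateway before a message reaches the inbox; a real deployment would also consult SPF/DKIM/DMARC results and the organization’s actual directory rather than a hard-coded dictionary. The genuine message produces no findings, while the free-webmail and typosquat samples each trip two of the heuristics.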
Equifax has been criticized for everything from its cybersecurity defenses prior to the breach to its handling of the breach after it was discovered. The breach itself was made possible by Equifax’s failure to patch a known flaw in a web application framework for more than two months after it became aware of the flaw and a fix was available. Even if that flaw had been patched promptly, neither Equifax nor any other company that holds and maintains critical data can prevent every attempt to breach its systems. The NCSAM themes implicitly acknowledge this in that they include considerations of how to recover from a data breach.
Rebuilding lost or damaged systems and managing customer relationships following a breach will be costly and time consuming. Insurance companies that provide cybersecurity quotes to businesses understand that data breaches are a reality of doing business in an online environment. The DHS may not be explicitly recommending cybersecurity insurance as part of National Cyber Security Awareness Month, but smart businesses everywhere are adding cybersecurity protection to their insurance coverage. Cybersecurity awareness necessarily includes preparing to recover from a data breach, including having the financial resources to cover losses and liabilities, and cybersecurity insurance is one way to make that money available.