It’s important that we learn from failure. Whether it’s our own, or someone else’s, each mistake serves as a valuable lesson. In IT, these issues can be disastrous. As a result, it’s vital to not repeat these errors.
In a short series of blog posts, we’ll be discussing some major failures as well as the information we can glean from these events. We’ll examine what happened. By doing so, you’ll learn how you can ensure you don’t follow in their footsteps.
Table of Contents
Part 1 – How Operational IT Failure Crippled Equifax
Part 2 – Natural Disasters Come in All Sizes
Part 3 – Phishing Scam Costs MacEwan University 12 Million Dollars
Part 4 – Insights and Moving Forward
Part I – How Operational IT Failure Crippled Equifax
Most recently, Equifax suffered a massive breach that could impact millions of people. Today, we’ll be examining this event and learn what kinds of operational failures caused this event to occur and what security lessons we can learn.
What Caused The Breach?
Equifax claimed that the breach was due to a vulnerability in the open-source Java web development framework known as Apache Struts. Vulnerabilities did exist in that framework, but they were patched quickly. It’s possible that the breach resulted from a slow patching process at Equifax, which allowed the vulnerability to remain open.
It’s also possible that a zero-day was to blame. The term zero-day is derived from how long a vulnerability has been publicly known, and therefore how long vendors and programmers have had to fix it. A zero-day vulnerability is one that nobody previously knew about, so no fix could yet exist. Such vulnerabilities are highly valued by malicious hackers, governments, and the company that developed the software in question. While it’s possible that a zero-day was at fault here, it’s highly unlikely.
If, as Equifax claims, the vulnerability was in Apache Struts, that is still no excuse. Any single vulnerability in a web application should be contained by rigorous security controls layered throughout the system, so that one flaw cannot lead to a breach, especially at a company that handles such sensitive information.
Most likely, this breach was caused by negligence on Equifax’s part. They didn’t apply nearly enough layers of security throughout the business, lacked operational procedures to identify and mitigate attacks, and didn’t have basic IT procedures in place to protect their customers.
How Can These Mistakes Be Made?
It’s easy to think that all these cybersecurity breaches we hear about won’t happen to you, but that’s an extremely dangerous assumption to make, especially for organizations that handle information as vital as Equifax does. This is especially true as there’s a 27% chance that any given business will experience a breach within the next two years. It’s important to remember that you’re always vulnerable to breaches, and should pursue more and better security solutions to make yourself a less attractive target and help defend your business should an attack occur.
Clearly, this is what Equifax DIDN’T do. They failed to patch their Apache Struts installation for over two months after the vulnerability was disclosed. For an organization that handles financial information, this is a dangerous degree of negligence. Given that, it’s not surprising to learn that they had been on notice of a cross-site scripting vulnerability since 2016. This demonstrates a sadly common lack of commitment to maintaining tight security measures throughout all levels of a business.
An attitude towards security like this isn’t caused by just one, or even a few people. It’s a problem that starts at the top and permeates throughout the business. Likely, many IT staff felt the existing security measures weren’t adequate but the culture dissuaded them from speaking out. For these businesses, security costs are seen as a burden to minimize, not as protection to maximize.
How Expensive Are Breaches Like This?
Large-scale breaches like the one recently suffered by Equifax have a variety of resulting costs.
There’s the cost of downtime, which can be incredibly expensive. It varies wildly from industry to industry and from business to business, but almost every major business reports that each hour of downtime costs at least $100,000. For heavily technology-reliant sectors like finance, downtime can cost millions per minute. Large-scale breaches result in many hours of downtime, and therefore huge amounts of lost productivity and lost revenue.
While downtime is a significant portion of the cost of a breach, there are also potential litigation costs to consider. If the breach is significant enough, and it’s determined to be the fault of the business, then legal action may be undertaken by customers. It’s impossible to say how much this may cost you, but these expenses are almost always significant and require considerable time and resources to contest.
Far more nebulous to determine is the brand damage businesses suffer from a breach. Your consumers will invariably lose faith in your business, which can seriously impact your future business operations well after the breach has been solved and damages paid.
Because of the various sources of expenses, the impact that breaches of this magnitude have is difficult to measure. While you may not know exactly how much you’ll suffer, one thing is clear: you cannot afford to be put in this situation.
How Can I Protect My Business From Operational IT Failure?
Now that you understand the consequences of not being protected, there are many different solutions available that can help enhance your security.
One of the most popular solutions to enhance security is to use comprehensive software asset management services. This kind of IT software solution can help you choose the software you need and help you manage each tool to ensure maximum efficiency.
Another great service that your business can benefit from is end-to-end security solutions. These IT security software and hardware services help to enhance your security with powerful tools.
For our next post we’ll examine how natural disasters can come in all shapes and sizes, but are all equally capable of causing significant damage to IT systems.
In today’s entry, we’ll be discussing how a natural disaster can cripple a business, or even force it to close its doors.
Part II – Natural Disasters Come in All Sizes
Whether it’s a hurricane, an earthquake, or even just a small fire, disasters can and do happen. Big businesses spend a lot of resources protecting their IT assets and critical information. It’s easy for smaller, local businesses to think that they’re adequately protected from these threats or they’re too small to be impacted by disasters like hurricanes, flooding, and earthquakes.
Businesses of all sizes with IT assets on site typically think they’re safe because their servers are duplicated in different areas of their offices. However, as you’ll soon see, this isn’t enough.
How A Clinic Averted Catastrophe
Lakeshore Clinic, a medium-sized healthcare facility located in Bothell, Washington had a close brush with disaster in September of last year. The neighbouring apartment complex was in the middle of construction, and caught fire in the night. Unfortunately, the fire spread to the clinic and other nearby businesses, causing millions of dollars worth of damage.
Thankfully, Lakeshore had acquired comprehensive disaster recovery services, and, therefore, avoided loss of access to their systems or the irrevocable loss of patient information.
What could have happened if they didn’t have these services in place?
It’s difficult to say for certain, but it’s likely that the clinic would, at a minimum, have been unable to treat patients properly for a long period of time. Precious information would have to be reacquired from patients. The consequences could have been far worse, with the permanent closing of the clinic the likely outcome.
This isn’t the traditional disaster, like hurricanes and power outages, that you think of when you think of an emergency situation. As a result, you need to be vigilant against every potential form of disaster, and learn from experiences like this to protect your business as best you can.
The Impact of Hurricanes and Other Disasters
Recently, the world had a sharp reminder of the potential impact disasters can have on businesses and people in the form of Hurricane Irma. The storm knocked power out for more than 7.4 million homes and businesses for weeks as utility companies focused on getting power back to urgently needed areas first, such as hospitals.
As a result, businesses ground to a halt. Organizations in the area that didn’t outsource their systems, or that had no proper disaster plan, were unable to operate at all or lost valuable data.
The inability to operate for any length of time, let alone a period of multiple weeks, can cost businesses thousands or even millions of dollars. Because of this, investment into disaster protection services that can get you back up to full speed within minutes of an outage is vital.
This is especially true as nearly 40% of businesses that close due to a disaster never reopen. Clearly, you can’t risk being unprotected and the consequences that brings.
How Can You Protect Your Business From Disaster?
Protecting your business’ data is vital to its continued functioning. Even if your offices are seriously damaged and cannot be used, your business can still run remotely, allowing you to continue operating, even if at less than maximum capacity.
This is true for both smaller, locally-based businesses and large enterprises with many different offices. With disaster recovery services protecting your data and systems, you can suffer minimal downtime and lost revenue.
Why Disaster Recovery Services?
Disaster recovery services are a powerful way to protect your assets and information against catastrophe. However, many businesses fail to recognize the desperate need for backup services.
For instance, it’s recently come to light that the NYPD doesn’t have any form of backup in place for its evidence database. The information contained in this database is irreplaceable, and could be key to solving many open cases.
If the NYPD doesn’t have backup for something so critical, where potentially lives could be at stake, it’s scary to think about what important information and systems aren’t protected in other businesses.
Don’t make the mistake that these organizations do.
It’s not a matter of if disaster will strike, but when.
Whether you need remote hosting for your vital systems to allow for continued operations in the event of downtime, or backup protection of your information, make sure you contact experts who have the knowledge needed to ensure protection.
In our next post, we’ll look at how human errors can have disastrous consequences for your IT security and how you can protect your business from phishing attacks.
This is the third release from our series, in which we’ll be examining some critical IT failures, in addition to insights we can gain. Today, we’ll discuss the ramifications of human error in dealing with phishing attempts and how you can avoid it.
Part III – Phishing Scam Costs MacEwan University $12M
Over 75% of businesses were a victim of phishing attacks in the last year, highlighting how dangerously common they are.
In late August, MacEwan University was hit by an $11.8M phishing scam. In today’s entry into cases when IT fails, we’ll examine how this happened and how you can help prevent it happening to you.
How did the scam happen?
A series of phishing emails claiming to be from one of the university’s vendors convinced three low-level staff to alter banking information. Clark Builders, the vendor the fraudsters impersonated, had been working closely with the university for over a decade and had been involved in several major projects with the university, including the consolidation of its various campuses. Clearly, the two have had a long working relationship.
The fraudsters carefully copied the official brand guidelines, logo, and any information that would be in a legitimate Clark Builders email. They used this to convince staff at the university that Clark had changed some of their critical financial information, and that updates needed to be made to ensure proper payment could be processed.
The three low-level staff failed to separately contact or verify that the emails were legitimate with the vendor or any more senior employees before proceeding, allowing the fraudsters to succeed in their phishing attempt.
Once the banking information was updated, three separate payments were made to the fraudsters. The first payment was made on August 10th, for $1.9M. On August 17th, the second payment went through for $22,000. The last payment, made on August 19th, was for the remainder, amounting to $9.9M. The issue was only found after Clark Builders reached out to the university asking why it hadn’t been paid.
Ultimately, the scam succeeded not because the phishing attempt was clever, but because human error and a lack of proper controls made it possible.
How could this have been prevented?
There are two ways that MacEwan could have successfully protected themselves against this phishing attempt. The first, and most important, is to properly train staff to be aware of the methods used by fraudsters to mislead their victims. They should be careful when dealing with any form of external email — especially one with attachments or links.
Independent verification should be performed before any requested change is made to systems of vital importance, to ensure that the source of the request is legitimate.
Employees should take care to never click any links or download files that aren’t from completely trusted and verified sources. This is especially important as 30% of all phishing emails get opened.
Many people are ignorant or dismissive of the danger that their negligence can create. As a result, you need to evaluate your employees’ existing knowledge and diligence, and then plan a training program that addresses any shortcomings. Even a strongly worded memo can go a long way to raise awareness.
There’s also the matter of dealing with problem staff. Whether out of willful neglect or unconscious complacency, problem employees could bypass procedures and reduce the effectiveness of your protection against phishing. The best way to handle these cases is to ensure incentivization is in place so that proper completion of procedures is maintained. In addition, designate specific roles who are responsible for monitoring these initiatives.
The second way that you can reduce the possibility of a successful phishing attack is by implementing proper controls. For instance, in the case of MacEwan, if procedures had required key personnel from each party to confirm that a significant change was actually requested before confidential payment information was changed or re-entered, then this issue wouldn’t have happened.
Unfortunately, neither method is practical for many small or medium-sized businesses that lack the IT expertise or the resources to ensure thorough training and procedures are implemented. These are precisely the conditions for an accident waiting to happen.
Protect your Business from Phishing
Because most organizations lack the expertise to handle this themselves, it makes sense to hire IT consultants who can help you identify areas of weakness in your business. Services like this give your business the benefit of a fresh perspective with proven effectiveness.
In our next and final entry in this series, we’ll examine the key takeaways from each of our previous entries that you need to know to ensure your IT doesn’t fail you.
Today, we’ll discuss each of the major insights we’ve gained from this series, and how you can integrate them into your business.
Part IV – Insights and Moving Forward
Equifax’s Failure to Implement Security
In our first entry, we learned how Equifax failed to address a security flaw in one of its systems, resulting in millions of people’s financial information being exposed. The breach it suffered was caused by negligence as they hadn’t implemented nearly enough security controls to ensure that the sensitive information they housed was safe.
Equifax failed to pursue the minimum security standards required when handling sensitive financial information. They didn’t bother to patch Apache Struts, the program in which the vulnerability was concealed. Two months had passed since the vulnerability was discovered when the breach occurred, so they had ample time to patch the software.
Ultimately, this vulnerability wasn’t fixed because of an organization-wide negative attitude towards the value of security. If this wasn’t the case, then the issue, once discovered, would have been fixed immediately. They saw security and IT as a cost that they had to endure, and therefore minimize, instead of a source of protection to maximize.
How Can You Prevent Yourself From Being The Next Equifax?
The consequences of a breach like this are severe. It’s likely that, if Equifax survives this debacle, they will never be as trusted and successful as they once were.
If your business has a culture that promotes the importance of security, along with the expertise needed to ensure it’s properly implemented, then you likely already have the solutions you need to be a tough target for malicious hackers. However, if, like most organizations, this isn’t the case, then you need services and experts who can protect you from software vulnerabilities. Software asset management solutions can help you keep your business from suffering the way Equifax did.
MacEwan University’s Embarrassing $12M Phishing Scam
One of the university’s vendors, Clark Builders, was impersonated in a series of phishing emails. The emails, which closely approximated Clark Builders’ standard email branding, convinced staff that Clark’s payment information needed to be updated. Once that was done, three separate payments were made to the updated account.
The three payments, $1.9M on August 10th, $22,000 on August 17th, and the last for $9.9M on August 19th, were made to the fraudsters before Clark Builders called and asked why they hadn’t been paid yet. Only then did the school become aware that they’d been fooled.
The scam was a success, not because the fraudsters were uniquely clever, but because there was a distinct lack of proper controls in place to validate significant changes before following through on them.
How Can You Learn From MacEwan’s Embarrassment?
There are two ways you can prevent yourself from being a victim, the way that MacEwan University was. The first is to focus on training your staff so that they can distinguish between a phishing attempt and a legitimate email. While this isn’t foolproof, it can significantly reduce the amount of bad links and lazy phishing attempts that you’ll need to worry about.
The second way you can protect your business is by implementing strict controls over requested changes, to ensure that anything significant, like the changes requested by the fraudsters, is verified by both parties.
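The two-party verification control described here and in Part III, as an added example that is not code from the original post or from MacEwan University: a bank-detail change that arrives by email is applied only after the vendor confirms it on a contact number that was on file before the request arrived and a designated internal approver signs off. All names, phone numbers, email addresses and account identifiers in it are constructed.

```python
"""Dual-party verification of a vendor payment-detail change.
Added example, not code from the original post or from MacEwan University.
A bank-detail change that arrives by email is applied only after (1) the
vendor confirms it on a contact number that was on file before the request
came in and (2) a designated approver signs off. All values are constructed."""
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    PENDING = "pending"              # received by email, nothing verified
    VENDOR_CONFIRMED = "confirmed"   # vendor reached on the number on file
    APPLIED = "applied"              # approver signed off, details updated
    REJECTED = "rejected"

@dataclass
class ChangeRequest:
    vendor: str
    sender: str                      # From: address of the email
    new_account: str
    status: Status = Status.PENDING
    audit: list = field(default_factory=list)

class PaymentChangeControl:
    def __init__(self, contacts_on_file, approvers):
        self.contacts_on_file = contacts_on_file   # vendor -> phone number
        self.approvers = set(approvers)            # designated staff only
        self.bank_details = {}                     # vendor -> account

    def submit(self, vendor, sender, new_account):
        req = ChangeRequest(vendor, sender, new_account)
        req.audit.append(f"submitted by {sender}")
        return req

    def confirm_with_vendor(self, req, number_called):
        # Call-back step: the number must come from our own records, never
        # from the email, or the fraudster is the one who answers.
        if req.status is not Status.PENDING:
            return False
        if number_called != self.contacts_on_file.get(req.vendor):
            req.status = Status.REJECTED
            req.audit.append(f"rejected: {number_called} not on file")
            return False
        req.status = Status.VENDOR_CONFIRMED
        req.audit.append(f"vendor confirmed on {number_called}")
        return True

    def approve(self, req, approver):
        # Second step: only a designated approver, and only after the
        # vendor confirmation; an email alone can never update details.
        if approver not in self.approvers or req.status is not Status.VENDOR_CONFIRMED:
            req.audit.append(f"approval refused: {approver}, {req.status.value}")
            return False
        self.bank_details[req.vendor] = req.new_account
        req.status = Status.APPLIED
        req.audit.append(f"applied by {approver}")
        return True

def run_scenarios():
    """Constructed scenarios: a spoofed request and a genuine one."""
    ctl = PaymentChangeControl({"Clark Builders": "+1-555-0100"}, ["controller"])
    ctl.bank_details["Clark Builders"] = "ACCT-OLD"
    spoof = ctl.submit("Clark Builders", "ap@clark-invoices.example", "ACCT-FRAUD")
    ctl.approve(spoof, "clerk")                    # refused: not an approver
    ctl.confirm_with_vendor(spoof, "+1-555-0199")  # number quoted in the email
    real = ctl.submit("Clark Builders", "ap@clarkbuilders.example", "ACCT-NEW")
    ctl.confirm_with_vendor(real, "+1-555-0100")   # number on file
    ctl.approve(real, "controller")
    return ctl, spoof, real
```

The audit list on each request records every refused step, which is what an incident review needs when a request is rejected.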
If you’re lost as to how to implement these protections, contact well known IT consultants. They’ll be able to identify areas of weakness in your security and recommend solutions that can keep you safe from fraudsters and malware.
A Small Clinic Nearly Lost Everything
In September of last year, Lakeshore Clinic, a healthcare facility, nearly lost all its vital systems and information. The neighbouring building caught fire in the night and, unfortunately, it spread to the clinic. Thankfully, they’d recently acquired comprehensive disaster recovery services. Because of that, they lost little functionality and no information, as everything was protected.
However, if they hadn’t been protected, they’d have lost irreplaceable patient data and been unable to deliver treatment to locals for some time.
How You Can Protect Your Business From Disaster
These types of disasters are a far cry from the devastation that huge events, like a hurricane, can cause, but they happen all the time.
It’s easy to think that this won’t happen to your business, but the impact an event like this can have is gigantic. Being protected can save your business huge losses, or even closure. As a result, it’s well worth investing into a comprehensive disaster recovery solution.
A reputable disaster recovery service will get your core operational systems online, and give your employees the tools they need to continue to run the business, even if disaster does strike. Don’t risk losing everything when issues arise.
Why Managed IT Services Are The Perfect Solution
The trend in all these cases is clear: You need to be protected. Whether it’s a breach caused by negligence, a phishing scam that exposes a lack of controls, or a disaster, you cannot assume you’re safe. Even now, businesses around the world are suffering from a lack of protection.
In all of these cases, managed IT is a great solution that’s already widely used. In fact, nearly 70% of all small businesses already use some form of managed IT solution. These businesses see that they can’t match the technical expertise of these companies for such a low cost. If they didn’t, they’d need to hire in-house IT staff, which is costly and less effective, as you’re limited to one individual who may get sick or seek other work, instead of leveraging the expertise of a whole team that can cover gaps.
Even for companies that have a lot of technical expertise, managed IT makes sense. That’s because your staff can be more productive when they don’t have to worry about putting out IT-related fires.
Most of all, managed IT services can help protect you from the situations each of the previously mentioned cases suffered from. A competent managed IT services company will ensure that your software is up-to-date and protected, helping to prevent breaches like the one that Equifax suffered from. They’ll also be able to provide complete protection against phishing attempts as well as consult on training to ensure you avoid falling for phishing schemes. Finally, managed IT services companies can provide disaster recovery services, allowing you to remain productive in the event of an emergency.
It’s vital that you work with a trusted managed IT services provider, so you can focus on other areas of your business while remaining completely protected. Contact PCM when you decide to ensure the safety of your business.