Social security numbers, birth dates, addresses, driver’s license numbers.
The recent Equifax data breach made the sensitive personal information of 145.5 million Americans vulnerable to cyber criminals, placing the victims at risk of identity theft.
For businesses, the threat of data breaches is an ever-present reality with potentially devastating consequences, and the Equifax incident has brought the conversation to the forefront.
“(Hackers) now have some of the information on the employees or on the business itself due to the breach,” said Jon Hermanson, sales engineer at Racine-based CCB Technology Inc. “The information that they’re going to be able to glean from that is not necessarily direct technical information, but they can get into other things.”
While some businesses – particularly smaller companies – may assume they are impervious to attack, Hermanson said, they need to be proactive about preventing it and be prepared to respond if one does occur.
“A lot of times they don’t immediately attack, but they will sit there for two to three years and just look and wait for the opportune moment,” Hermanson said. “So in order to protect from that, we’re telling companies to make sure that your firewall is updated, make sure your anti-virus is updated. A lot of smaller companies think they’re not going to be affected by this and they don’t take the time or spend the money to make sure it’s up-to-date. But hackers are always two steps ahead, so it’s key to prepare.”
Hermanson said he has seen multiple incidents in which lapses in cybersecurity protection nearly upend businesses.
“We had a business locally here that had a managed service company that they ended up letting go, but they didn’t realize the backup was being done by (the company) on the device and they got CryptoLocker (a ransomware attack), unfortunately, and it archived all their files for the business,” Hermanson said. “When we said they would have to delete everything and go from backup … the company hadn’t had a backup in close to two years. So you’re looking at a 15-year-old family-owned company that almost lost everything. It can be catastrophic.”
Keeping backups current is an important measure for businesses to take, Hermanson said.
“If you are attacked, some viruses you’ll have to pay $3,000, whatever they demand, or everything is deleted,” Hermanson said. “So make sure your backups are also up-to-date and working.”
Hermanson said moving some vital information to the cloud will also protect a business in the case that a backup device is affected.
“We’re seeing a lot of nonprofits and charities putting that information into the cloud so they don’t have to manage it and worry about it,” he said. “It’s one way of eliminating the need for an IT professional that you don’t have.”
Another important hedge against attack is training employees to spot and avoid traps and reminding them of security procedures. Breaches can be avoided, Hermanson said, by following a simple rule: if it looks suspicious, don’t click on it.
A common hacker tactic is to slightly alter an email domain, so once an employee clicks a link in an email from a seemingly familiar address, the hacker can gain access to information.
“I can’t stress enough, the internal procedures that your employees and sometimes customers adhere to is vital,” he said. “If it looks suspicious, don’t click on it.”
In the wake of the massive Equifax data breach, Jean Pierre Biagui, a Milwaukee-based certified identity theft risk management specialist, says a quote from former FBI director Robert Mueller rings true: “There are only two types of companies: those that have been hacked and those that will be.”
Biagui said he’s seen heightened concern following the breach.
“I’ve been getting a lot of calls, mostly from companies, because a lot of them are worried about their employees,” he said. “Half of the U.S. population has been affected by this. So if you have run credit, Equifax has your information.”
Even for those not directly affected by the Equifax breach, Biagui said, the possibility of personal information being compromised is ubiquitous. Job applications, insurance enrollment, online purchases – all make an individual’s information accessible.
“Your information is out there,” he said. “If you have filled out an application, your social security number, address and birth date are on there. If you didn’t get that job, did you really get your information back? You did not. Somebody has your information.”
Meanwhile, the Equifax breach has left many people seeking solutions to protect themselves from identity theft.
Brian Wickert, president of Butler-based Accunet Mortgage, and his wife were among those affected.
Upon learning his data was hacked, Wickert underwent a time-intensive process of protecting his credit identity.
“What I did took some time, but I decided I didn’t have a choice,” Wickert said.
Wickert said he discovered enrolling in LifeLock’s standard monitoring program wasn’t enough, comparing it to a good alarm system that alerts the user when something has already gone wrong.
Wickert decided to freeze all three of his and his wife’s credit records, which required him to complete the lock process a total of six times – three times for himself and three times for his wife via the Equifax, TransUnion and Experian credit bureaus’ websites.
Biagui recommends the “three-pronged stool” approach of monitoring possible identity theft, securing a fraud investigator to fix the problem, and finding legal representation, noting that the majority of identity theft issues will require access to legal counsel.
The Equifax breach also could have downstream effects on businesses, according to Jeff Olejnik, director of risk advisory services for Wipfli LLP.
“Businesses are going to need to be very cautious and alert for identity theft and people utilizing fake credentials,” he said. “Companies that extend credit – including financial institutions – or retailers that extend credit to your clients for purchases – you have to have heightened awareness that you have to do additional due diligence because someone might be using false identification.”
Employers will also need to be more scrupulous in the hiring process, Olejnik noted.
“Somebody might be presenting an inaccurate or false identification, driver’s license or social security number,” he said. “So it will have some implications on businesses, especially for businesses that have requirements for different security clearances.”
