An Executive's Guide to Software Security: Lessons from Equifax’s (Preventable) Security Breach
Yesterday, the CEO of Equifax resigned after the personal data of 143 million Americans was compromised in a security breach. Since I own a company that focuses on upgrading custom software, I'm getting lots of calls from concerned executives wondering if their systems are secure. After all, if Equifax could get hacked, it makes you wonder what would happen if your customer data were compromised, right?
Here’s the biggest thing you need to know — the Equifax breach was preventable.
Let’s look at the timeline of events for context:
- March 6, 2017 - Apache publishes a fix for a critical flaw in the Struts web framework (CVE-2017-5638) that lets an attacker run commands on any server using the vulnerable versions
- March 9, 2017 - attackers are already exploiting the flaw in the wild and keep doing so for days; by now it is public knowledge that unpatched Struts applications are being hit
- mid-May 2017 - attackers get into Equifax's systems through a web application that is still running the unpatched version, more than two months after the fix was available
- September 7, 2017 - Equifax announces that the personal data of 143 million people was exposed
- September 26, 2017 - Equifax's CEO steps down
Could Hackers Get Your Company’s Sensitive Data?
In the case of Equifax, let’s use the metaphor of a home to help us understand how they could have prevented their customers’ data from being compromised.
Imagine you owned a home and the company that built the lock for the front door had a registration form so that you could get notified for recalls. You never send it in because you’re busy working on other things. A few years later, there’s a recall. The company discovered a way for folks to easily break in, but you never got notified because you didn’t sign up.
You see news reports of thieves going up to houses that have this lock and breaking in, but you still ignore it. Again, you're busy and it falls to the bottom of the to-do list. Then you come home one day two months later to find your home broken into. The big filing cabinet where you kept the names, addresses, and Social Security numbers of 143 million of your friends has been stolen. Almost four months after the break-in, you figure you're probably not going to be able to get that information back, so you decide to finally come clean and tell your friends what happened.
If your company has custom software (and most do these days), it's your responsibility as the executive to be aware of the types of security risks so that you can protect your customers' data. Yes, there are people you can hire to implement the details, but there are some basic technical concepts that you need to know. Here are three:
1. Budget for Maintenance
Too many companies make software maintenance an afterthought, allocating significant resources to feature development and treating modernization as a nice-to-have. This practice has its roots in the days when deploying a new version of software was difficult and rare, but it is wholly outdated in today's landscape: the Struts fix was a routine update, and the cost of not applying it was the company's reputation and its CEO's job.
Again, let’s use the metaphor of a house. When we think of the cost of a house, it’s not just the mortgage. Responsible owners set aside a portion of their mortgage every month and put it into a maintenance account. They know that the roof will need to be replaced, the HVAC system will eventually putter out, and the driveway will need to be sealed. None of these activities is especially glamorous, but they’re important nonetheless.
2. Protect Your Data
While there are several tactics for data protection, the first is actually quite fundamental: don't collect more information than you need. It's tempting in an age of data-driven business to feel like you need to store as much as possible, but every field you keep is one more thing an attacker can take, and one more thing you are answerable for once it's gone. Data you never stored cannot be stolen.
In our home analogy, it's the difference between a filing cabinet stuffed with everything your friends ever told you and one that holds only the few pages you actually use.
Encryption is another data protection tactic. Encryption is essentially a lock: your data can't be read without the key. Using the home analogy, this is like keeping your most valuable items inside a safe.
Keep in mind, this comes with a huge caveat. Encrypting data isn't enough. Encryption at rest protects you when a disk, a backup, or a database dump walks out the door without the key. It does not protect you when an attacker takes over the application that is allowed to decrypt the data, as a flaw like the Struts one permits, because that application holds the key and will happily unlock the safe for whoever is driving it. That is why monitoring and updating your application regularly remains essential even when everything is encrypted.
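The following is an added example, not code from the original article or from Equifax, showing both points above in one place. It uses a keyed hash (HMAC-SHA256) rather than reversible encryption, because the application in this scenario only ever needs to match a person by Social Security number, never to read the number back; that is data minimization in practice. The records, the SSNs (the 900-xx-xxxx range is never issued), the key and the "mother's maiden name" field are all constructed for the demonstration. The last function is the caveat from the text: once an attacker has the key, the small space of possible SSNs can simply be searched.

```python
"""Store a keyed token in place of a Social Security number.

Added example, not from the original article or from Equifax. The records,
the SSNs (900-xx-xxxx is never issued) and the key are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac

# In a real deployment this key comes from a secrets manager or KMS and is
# never stored next to the data. A fixed value is used here only so the
# demonstration runs offline.
KEY = b"constructed-demo-key-do-not-use-in-production"

# Constructed sample records as they might arrive from an intake form.
RAW_RECORDS = [
    {"name": "Ada Lovelace", "ssn": "900-12-3456", "mothers_maiden_name": "Byron"},
    {"name": "Alan Turing", "ssn": "900-65-4321", "mothers_maiden_name": "Stoney"},
]


def normalise_ssn(ssn: str) -> str:
    """Keep only the nine digits so '900-12-3456' and '900123456' match."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits


def ssn_token(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised SSN.

    A plain SHA-256 would not do: there are only 10**9 possible SSNs, so anyone
    holding a dumped table could precompute every hash. The key is what makes
    the token meaningless to someone who has the database but not the key.
    """
    return hmac.new(key, normalise_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Keep what the application needs and nothing else.

    The token lets us match a person later; the raw SSN and the maiden name
    (a field this hypothetical system never uses) are not stored at all.
    """
    return {"name": record["name"], "ssn_token": ssn_token(record["ssn"], key)}


def find_by_ssn(table: list[dict], ssn: str, key: bytes) -> dict | None:
    """Look a person up by SSN without the table ever containing the SSN."""
    wanted = ssn_token(ssn, key)
    for row in table:
        if hmac.compare_digest(row["ssn_token"], wanted):
            return row
    return None


def recover_ssn_with_key(token: str, key: bytes, known_prefix: str) -> str | None:
    """The caveat from the text, made concrete.

    An attacker who only steals the table gets tokens. One who compromises the
    application (for example through an unpatched framework flaw) also gets
    the key, and can then try every candidate SSN against a token. The search
    is narrowed to the digits after a known prefix here so it runs quickly;
    the full space is only 10**9 candidates, which is well within reach.
    """
    width = 9 - len(known_prefix)
    for tail in range(10 ** width):
        candidate = f"{known_prefix}{tail:0{width}d}"
        if hmac.compare_digest(ssn_token(candidate, key), token):
            return candidate
    return None


if __name__ == "__main__":
    table = [minimise(r, KEY) for r in RAW_RECORDS]
    print(table)  # names and tokens only, no SSNs
    print(find_by_ssn(table, "900123456", KEY))
    print(recover_ssn_with_key(table[0]["ssn_token"], KEY, "9001"))
```

Run it and the stored table contains names and tokens only; a lookup by SSN still works because the token is recomputed on the way in. The last line is the uncomfortable part: with the key in hand, the "locked" token is opened by brute force in well under a second for the narrowed search, which is exactly why the key must live somewhere the web application's attacker cannot reach, and why the application itself must be kept patched.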
3. Monitor Your Dependencies
Security professionals use the term "attack surface" for every point where an attacker can try to get into a system or get data out of it. Your app's attack surface is much bigger than the code your team has written. It's your code plus every library and framework your application relies on; a flaw in any of them, like the Struts flaw, is a flaw in your product.
It's incredibly rare to have a software system that doesn't rely on a large number of dependencies. Use dependency managers (sometimes called "package managers") so that you always know exactly which versions you are running, and use monitoring tools that compare that list against published vulnerability databases and alert you when one of your dependencies has a known flaw. You can go further and have updates applied automatically, so that a fix doesn't sit unused for two months because nobody was watching. Automatic updates only pay off, though, if you also have automated tests and a deployment pipeline that can roll an update out (and back) safely; an update that no one dares deploy is no better than one that was never noticed.
Imagine in our home analogy that your lock automatically updates itself while you’re on vacation and sends you a notification. That’s the level of security that you should be setting up. It takes a bit more planning, but it’s well worth the effort.
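To show what "compare your dependency list against known vulnerabilities" means mechanically, here is an added example, not from the original article or from any real scanner. The lock-file format (one `name==version` per line), the sample manifest and the advisory list are constructed for the demonstration; the Struts entry mirrors the publicly reported affected ranges for CVE-2017-5638, and `example-lib` is made up. The point it makes beyond the text is that version comparison has to be numeric and tolerant of `2.5` versus `2.5.0`, otherwise a naive check silently misses vulnerable versions.

```python
"""Flag dependencies whose pinned version falls in a known-vulnerable range.

Added example, not from the original article or from any real scanner. The
lock-file format (one 'name==version' per line), the manifest and the advisory
list are constructed for the demo. The Struts ranges mirror the publicly
reported affected versions for CVE-2017-5638; 'example-lib' is made up.
"""
from __future__ import annotations

import re

# Constructed advisory list. A real tool pulls this from a vulnerability
# database (the GitHub Advisory Database, OSV, the NVD) and refreshes it.
ADVISORIES = [
    {
        "package": "struts2-core",
        "id": "CVE-2017-5638",
        "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
        "fixed_in": "2.3.32 or 2.5.10.1",
    },
    {
        "package": "example-lib",
        "id": "EXAMPLE-0001 (constructed)",
        "affected": [("1.0", "1.4.2")],
        "fixed_in": "1.4.3",
    },
]

# Constructed lock file for the demonstration.
SAMPLE_MANIFEST = """\
# pinned dependencies
struts2-core==2.3.31
example-lib==1.4.3
commons-io==2.5
"""


def parse_version(text: str) -> tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Numeric tuples compare the way versions do;
    comparing strings would put '2.3.9' after '2.3.31'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def _pad(version: tuple[int, ...], length: int) -> tuple[int, ...]:
    """Treat '2.5' and '2.5.0' as the same version."""
    return version + (0,) * (length - len(version))


def in_range(version: tuple[int, ...], low: str, high: str) -> bool:
    """Inclusive check: low <= version <= high, with missing components as zero."""
    lo, hi = parse_version(low), parse_version(high)
    n = max(len(version), len(lo), len(hi))
    return _pad(lo, n) <= _pad(version, n) <= _pad(hi, n)


def parse_manifest(text: str) -> dict[str, tuple[int, ...]]:
    """Read 'name==version' lines; blank lines and '#' comments are ignored."""
    deps: dict[str, tuple[int, ...]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = parse_version(version)
    return deps


def audit(manifest_text: str, advisories: list[dict] = ADVISORIES) -> list[dict]:
    """Return one finding per dependency pinned to a vulnerable version."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version is None:
            continue
        if any(in_range(version, lo, hi) for lo, hi in adv["affected"]):
            findings.append(
                {
                    "package": adv["package"],
                    "version": ".".join(map(str, version)),
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                }
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST):
        print(f"{f['package']} {f['version']}: {f['advisory']}, upgrade to {f['fixed_in']}")
```

Run against the sample manifest it reports the one Struts line and nothing else; pin Struts to 2.3.32 or 2.5.10.1 and the finding disappears. Wiring a check like this into the build, so that a vulnerable pin fails the pipeline, is the "lock that notifies you" from the analogy; the auto-updating lock is the same check plus a job that opens the upgrade for you.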
Where To Learn More
Getting to this self-healing setup takes executive leadership and strategic planning. October is National Cyber Security Awareness Month, which is a great time to learn more about how to keep your company safe. Stay Safe Online and The Security Awareness Company are good places to start, because keeping your company's information safe starts at the top.