What the Equifax hack can teach startups about cybersecurity

Growth

Online breaches have become the new normal. Here’s how to protect your company

On Sept. 5 credit reporting service Equifax revealed that criminals had hacked and accessed personal data for approximately 143 million of its customers.

The attack may not be one of the biggest breaches in history but could be one of the most dangerous. The hack exposed highly sensitive personal information — social insurance numbers, credit card details, and addresses — for anyone that used its services from May to July 2017. The hack also affected 100,000 Canadians and included  “limited personal information” for customers in the U.K. and Argentina.

Aside from the much-publicized toll the attack took on the company’s reputation, the exposure also hit its bottom line. Equifax stock dropped eight per cent almost overnight. Meanwhile, its downward stock trajectory isn’t likely to stop anytime soon considering three company executives are being investigated for insider trading.

As of right now, things don’t look great for the 118-year-old company. However, it’s not all bad. The incident serves as a reminder of what not to do when it comes to cybersecurity.

“It’s all part of running an online business,” says Shane Murphy – cofounder of Law Scout, a Toronto-based law startup — about potential breaches. “You can’t always avoid hacks so you need a strong privacy policy within your company.”

There are no shortcuts when it comes to cybersecurity plans. However there are some tricks companies can implement to limit exposure, he explains. Here are a few things entrepreneurs can start doing today.  

Create an all-encompassing privacy policy

It’s in every business’ best interest to have their own cyber policy. It should include: What to do immediately after the information is accessed, 2) How to share that information with the public and 3) Evaluate its legal options.

Being upfront with customers about what could happen after a hack can help mitigate future lawsuits.

Privacy policies should always anticipate a hack. They’re the best defense and show that [a company] has taken serious and reasonable precautions to prevent a breach,” Murphy explains. “It should be on your website and disclose what type of information you’re collecting, how you’re using it and then a step beyond that how you’re storing that and how users will be notified in the event of a breach.”

Train your employees to recognize fraud

There’s no technological replacement or solution that trumps common sense. Phishing scams try to trick employees into sharing sensitive information. However, they can be stopped with the right type of employee training.

Phishing attacks work by installing malicious software or disguising an attacker’s identity so it mimics a trusted source. Both large institutions and small businesses have fallen victim to these sophisticated (and sometimes not-so sophisticated) schemes over the years.

One easy way to avoid them is to provide employees with the skills they need to spot fraudulent communication in their tracks. Some tips include not opening emails from unknown sources and using only secure websites that feature ‘https’ or display a ‘padlock’ icon. Last, but not least, avoid digital communication that features time-sensitive or urgent requests for wire transfers.

Better understand the services you’re using

Providing the best cyber security means continuously updating what partner companies and services you rely on. Vetting the providers your company uses is paramount since nowadays breaches come from all sources.

For instance, many companies rely on cloud computing services to store complex data. These services are usually provided through third-parties that follow their own security protocols.

Startups should always analyze their partners’ privacy policies. If necessary press for better security protocols, especially if your businesses deals with sensitive information. “If your business is going to be collecting that type of sensitive  information you’re going to be held to a higher standard,” says Murphy.

Recommended reading