By Sarah Fruy
Today’s tech strategy dictates the inclusion of cybersecurity into every layer of organizational technology. Rising threats targeting sensitive information and the growing efficiency of hacking methods puts data security top of mind for many companies who want to protect personal details gathered from customers. Furthermore, the expense of security vulnerabilities and exposure is a lot more now than just five years ago, with the average cost of a data breach coming in at a whopping $3.86 million last year.
So, how do you prevent your business from making the next security breach headline? Former Portland Webworks Systems Administrator and DevOps practitioner, Lyle McKarns, spoke about the importance of data security in his blog post on how security must be a process and not a product. McKarns encouraged companies to approach data security with a process-driven mindset and use it as a lens to analyze the entire technology ecosystem. We agree that it’s critical for tech leaders to make data security an organizational practice instead of adding it as the cherry on top of mounds of sensitive customer data.
Five commonly dismissed security risks
At Pantheon, I work with partners like GovWebworks to empower clients to get the most out of our tools, and security is a huge part of this process. The ability to recognize these five commonly dismissed security risks can make all the difference in identifying your most costly organizational vulnerabilities. And then we can help you to do something about them.
1. HTTPS certificates aren’t being fully managed
One of the worst data breaches that occurred in the modern digital era was the 2017 Equifax data breach, which went unnoticed for 76 days because of an expired certificate. The breach resulted in the assailants accessing the personal information of at least 145.5 million people. According to the U.S. Government Accountability Office, attackers obtained unapproved access via the internet to Equifax’s online dispute portal, which housed documents used to resolve disputes. Equifax lacked the ability to inspect web traffic running through its own network, which concealed the 76-day old security breach.
Equifax’s data breach investigation shed light on four major factors: the identification, detection, segmenting of access to databases, and data governance that allowed the hacker to gain access to the network and extract information from databases containing personally identifiable information. Expired certificates are a security death warrant for any company’s data, and Equifax would have discovered the 2017 attack much sooner if it wasn’t for an expired digital certificate.
Solution: To prevent such breaches, a certificate management program is a critical part of any data security strategy, and HTTPS certificates should be a fully managed, automated process that requires little to no configuration.