No business owner wants their customers’ data leaked, but no matter how well your prevention plan is, the unexpected can happen. And when it does, what will determine the fate of your business is how well you respond to it. So before you start planning an incident response, read the following story and recite this: Don’t walk in the footsteps of Equifax.

What happened to Equifax?

Equifax, the huge American credit agency announced in September 2017 that its database was hacked, resulting in a leak of tons of consumers' private data, including personally identifiable information of around 143 million US citizens. It included names, social security numbers, addresses, birthdates, and credit card and driver’s license numbers.

Equifax responded by setting up a new site, www.equifaxsecurity2017.com, to help its customers determine whether they had been affected and to provide more information about the incident.

Soon after, Equifax’s official Twitter account tweeted a link that directed customers to www.securityequifax2017.com, which is actually a fake site.

Fortunately for Equifax’s customers, the fake phishing site was set up by a software engineer who wanted to use it for educational purposes and to expose flaws in Equifax’s incident response practice. So, no further harm was done to the already-damaged customers, and Equifax is left with even more embarrassment.

So what did Equifax do wrong?

One of the huge mistakes Equifax made in responding to its data breach was setting up a new website to give updated information to its consumers outside of its main domain, equifax.com.

Why? You first need to know that since the invention of phishing scams, phishers have been creating fake versions of big companies’ websites. That’s why so many major corporations buy domains that are the common misspellings of their real domains.

You should also know that phishers can’t create a web page on the company’s main domain, so if Equifax’s new site was hosted there, it’d be easy for customers to tell whether the new page was legitimate and not be fooled by a fake domain name.

What’s obvious from this embarrassing misstep is that Equifax had never planned for a data leak. And this is an unforgivable oversight by a company that handles the information of over 800 million consumers and more than 88 million businesses worldwide.

Don’t repeat Equifax’s mistake

Whether your business is a small startup or as big as Equifax, it needs to prepare for a data breach. Besides having a comprehensive network defense plan, you also need to have the right incident response plan in place.

So what you should do after you’ve discovered the leak is, first of all, be upfront with your customers and notify them as soon as possible.

You also need to establish a message that includes the following information:

• How the leak occurred
• How the leak could affect your customers
• How you will prevent future attacks
• What your company will do to support affected customers

You should also create a web page to keep your customers up to date. But remember, the new web page should be under your company’s primary domain name.

As we’ve seen from Equifax, an incident response plan that's robust is a must. Feel free to talk to our experts about how you can come up with an acute one -- so you won’t have to repeat Equifax’s apologetic statement, since it doesn’t help the company redeemged reputation at all.

The post Equifax’s Leak: lessons learned appeared first on Complete Technology Resources, Inc..

From mobile apps that assist with taking medicine on time to smart appliances that monitor vitals, the Internet of Things (IoT) is becoming ubiquitous in healthcare. However, IoT’s expansion brings new risks, vulnerabilities, and security challenges for healthcare practitioners and their patients.

IoT security risks
Devices that contain a treasure trove of patient data are attractive targets for cybercriminals. Healthcare apps, for instance, contain plenty of sensitive information, including social security numbers, prescriptions, and medical histories. Should hackers ever get a hold of this information, they’ll be able to create fake IDs to buy drugs or medical equipment to resell.

In certain cases, an attacker could have direct control over IoT equipment, causing potentially lethal results.

In 2011, Johnson & Johnson warned patients about unsecured insulin pumps that allowed hackers to make unauthorized insulin injections. Even more terrifying, the FDA recently discovered almost half a million pacemakers were vulnerable to attacks and can be controlled (or shut down) remotely.

Vulnerable medical devices are also gateways to a secured network. Hackers can use compromised IoT devices to sneak ransomware and other types of malware onto a network, causing service disruptions and preventing practitioners from providing responsive treatment.

There are, however, a few things you can do to defend against these attacks.

Use multi-factor authentication
Multi-factor authentication forces users to provide more information than just their username and password (e.g., SMS code, fingerprint, or retinal scan). By enabling this on your networks and devices, hackers will have a more difficult time accessing mission-critical data.

Encrypt your data
Another way to protect your business and your patients from a massive data breach is with encryption. Encoding electronic health records while they’re being transmitted or left in storage prevents hackers from reading and stealing sensitive information.

If possible, everything that is transmitted across your network should be encrypted automatically to secure the communication between IoT devices.

Install intrusion prevention systems
Since most IoT attacks are delivered via the internet, intrusion prevention systems are crucial to identify and block anomalies attempting to gain access to your network. This means hackers who try to remotely access or shut down your IoT equipment will be stopped before they damage your systems.

Security updates
Last but not least, IoT manufacturers occasionally release security patches for their gadgets. Get in the habit of downloading these updates as soon they’re rolled out to ensure your device is safe from the latest threats.

When it comes to security, healthcare institutions have their work cut out for them. But whether you’re dealing with hardware security, data privacy, or compliance, it’s a good idea to partner with a managed services provider that specializes in helping the medical industry.

Call us today to see what we can do to protect you and your patients.

The post IoT security challenges for healthcare appeared first on Complete Technology Resources, Inc..