After Equifax, why are cat photos safe but not our SSN?
Security-minded consumers should demand businesses take security seriously, or take their business elsewhere, experts say.
Why are your cat pictures on Facebook better protected than your entire personal financial history on Equifax? Or, apparently, private data on the SEC's servers that could have been used for illegal trades?
The last time Facebook had a breach was in 2013 — and that wasn't even a hack; the company accidentally published 6 million users' phone numbers and email addresses. But some of the biggest organizations entrusted with the most sensitive data are getting hacked and nobody can stop them.
Or can they?
Security experts say the smartest companies out there are proactively budgeting for security and employing multi-layered approaches to prevent, detect, and respond to network intrusions. Others... aren't. Or they may only invest after they've already been hacked.
But there are some basic best practices businesses should follow. And security-minded consumers should demand they do or take their business elsewhere, experts say.
For starters, to catch hackers, try hiring some.
Keys to the Kingdom
D.J. Vogel, a partner at Sikich security and compliance practice firm, said that when they're hired by a hospital to conduct "penetration testing" they might pose as a patient and attempt to get in that way. Or ask for the hospital to give them one of the doctor's laptops to simulate what would happen if that computer got lost or stolen.
It's a wake-up call for executives when they realize, "Hey, we gave these guys no access — and they got the keys to the kingdom," Vogel told NBC News.
Hackers are always looking for weak links. Hackers breached an energy company in Ukraine using fake Word documents that were designed to look like resumes. Cybercriminals use fake Twitter accounts to impersonate customer service reps and trick customers into divulging their banking information. And just a few months ago, digital thieves broke into a casino through its internet-connected fish tank.
When the Panama Papers breach surfaced, it turned out the law firm Mossack Fonseca they came from hadn't patched its blogging and server software. Afterward, Mossack Fonseca blamed the intrusion on "an international campaign against privacy."
When the WannaCry ransomware virus spread around the world through older versions of Windows in March — at around the same time as the vulnerability that lead to the Equifax breach was first discovered — Microsoft President and Chief Legal Officer Brad Smith blamed government entitites for hoarding system flaws to use for their own purposes, which then fell into the wrong hands.
"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," wrote Smith at the time.
The intrusions are ramping up: 2016 was a record year for data breaches, with over 1,000 reported data breaches at U.S. companies and government agencies, a 40 percent increase since the year before.
"How many of the Fortune 500 are hacked right now? The answer: 500," Mikko Hypponen, chief research officer at F-Secure Oyj, told Bloomberg in 2015. "They all have security breaches, big or small. If you have a big enough infrastructure, you won’t be able to secure all of it."
The Equifax breach shows how companies need to speed up their update cycles. Most consumers know to keep their own iPhone and iTunes up to date, so why can't corporate America keep the systems protecting valuable data up to date?
Less sophisticated companies likely "don't have proper change practices to apply patches on a weekly basis. They're probably lucky if it's on a biannual basis," said Jonathan Jaffe, a cybersecurity and compliance consultant at PriceWaterhouseCoopers.
For what it's worth, Equifax does face a data security paradox.
"Equifax has the challenge of protecting confidentiality and integrity of records," wrote Chris Hoofnagle, a professor at the University of California, Berkeley, School of Information and the School of Law. "In confidentiality, it is difficult because it has to provide instantaneous access to a very large, diverse group of report users and to the consumers themselves."
That's why other experts recommend following a protocol known as Privileged Access Management. Instead of users getting passwords on the system itself, they actually log in to a separate system. Then that system itself logs into the main computer and controls the password, changing the real access password every few minutes.
In the event of a breach, the stolen password would only be good for a few minutes.
"If I want to drive your car to a 7-Eleven, first you look at my ID and make sure I am who it says I am," explained Jaffe. "Then you give me a set of keys to drive, you track those keys via GPS, and once you come back and the next person wants to drive, I give them an entirely new set of keys."
Otherwise, typically, "Companies hand out privileges to tech folks, or non techies, and never take it away," independent cybersecurity expert Bob Sullivan told NBC News. "Down the road they have no idea who can do what."
Another strategy that companies can use to lower the possibility of a breach is Data Loss Prevention, or DLP, which alerts you when unusual activity is detected on the network. For instance, if the normal course of business is one record being accessed at a time, and all of a sudden 100,000 records are being accessed... then klaxons need to go off.
Of course an alarm only works if someone pays attention to it. The problem with "DLP" is that companies tend to underinvest in it, experts say, putting a low-level person in charge of it who just clicks through the alerts while sipping coffee and moving on to the next task.
If DLP was installed and being properly watched on Equifax's systems, it could have set off warnings earlier on that gigabytes of data were being slurped by an outside agent.
Lastly, there are third-party intrusion detection teams that companies can contract with, sort of like a Sloman's Shield for your system. They can shut down suspicious activity on the incoming ports and send the internal team a wake-up call when any kind of sustained drain is detected.
It Boils Down to Money
But it really comes down to the bottom line. Security costs money. And until it becomes a "job-threatening event," said Jaffe, most companies will instead try to keep their costs down.
There's no one holding these companies' feet to the fire. Though Equifax contractually requires its vendors to adhere to a strict, prescriptive set of data security protocols known as PCI-DDS, which includes frequent patching, there is no one making Equifax follow the same rules, experts say.
"Compliance typically drives security budgets," said Vogel. For institutions like Equifax and the SEC, "The market is not mandating specific security initiatives," because they aren't subject to regulatory or market forces mandating it.
Perhaps most importantly, from the consumer side, customers lack consistency when it comes to demanding better security. After the massive Home Depot hack in 2014 and the 2013 Target data breach, sales temporarily went down at both retailers. Then they recovered.
By not voting with their feet, consumers are sending companies the message that even massive cyberattacks don't really matter.