Equifax Hack 101: What You Need to Know to Keep Your Credit Safe

Credit plays a ubiquitous role in our lives. What can we do when the systems we trust fail us?

Corporate cyber security breaches are more common than many people realize. The recent headline-making Equifax data hack affects upwards of 143 million Americans, making it one of the largest risks to personal information to date. This breach is leading consumers to question their safety from identity theft and whether credit bureaus and ancillary companies have their best interests at heart.

What happened?

Equifax is one of the three biggest credit reporting agencies that collect consumer credit information. You don’t have to submit any of your personal information to Equifax for them to have it—if you’ve applied for a car loan, mortgage, or credit card, Equifax likely has your data in their system.

A vulnerability in Apache Struts, a web application framework used by Equifax, was discovered and disclosed in March of 2017. At that time, patches were implemented, though these efforts did not completely solve the problem, and in late July suspicious traffic was noted. According to their press release about the breach, Equifax’s security team then “investigated and blocked the suspicious traffic that was identified.” Three days later (August 2, 2017), Equifax hired Mandiant, an independent cyber security consulting firm, to evaluate the damage.

After analyzing the scope of the breach, Mandiant discovered that personal information of 143 million Americans had been exposed, along with credit card numbers of 209,000 Americans, dispute documents for 182,000 Americans, and various information of certain United Kingdom and Canadian residents. In direct response to this analysis, Equifax provided a site for consumers to check whether their information may have been compromised and subsequently sign up for a free year of credit monitoring.

How is Equifax handling the situation?

Some of Equifax’s actions haven’t been well received. A public relations nightmare ensued after the discovery of an arbitration clause in Equifax’s Terms of Use. The language apparently waived the rights of consumers who signed up for credit monitoring to sue Equifax in relation to the security breach. It took Equifax until September 13 to release a statement that they had removed the offending clause from their Terms of Use.

Executive personnel changes also followed in the days after the hack disclosure. However, allegations of insider trading that purportedly took place after the breach was discovered have not yet been publicly addressed.

On September 20, several sources reported that Equifax incorrectly linked customers to a fake website designed to look like the signup site for credit monitoring.  Fortunately, the person who set up the fake site did not have malicious intent, but the situation revealed how easily criminals could take advantage of Equifax’s oversights and gather even more personal information.

What’s the damage?

Unfortunately, unlike many previous cyber security incidents, the type of data gathered in this breach will have a serious impact for years to come.  Criminals now have their hands on Social Security numbers, records of open credit accounts, and other personal data from Equifax’s stockpile of consumer profiles.  Attackers can now build targeted spear phishing attacks that, if executed well, will seem extremely legitimate to many users.

Will credit monitoring prevent my information from being compromised?

In short, no. Credit monitoring does nothing to prevent thieves from accessing your personal information.  It only keeps an eye out for suspicious activity regarding your credit file. Many credit bureaus and agencies advertise the service for a fee. The free year of TrustedID Premier offered by Equifax in light of this most recent breach also provides identity theft insurance, which covers up to $1 million of certain expenses, such as legal fees, related to recovering your credit information in the event of theft.

There likely won’t be any negative effects from submitting your information to Equifax and enrolling in the free year of TrustedID Premier, but until a few days ago the site was infamously broken. Some users reported receiving different messages depending on the device used to submit their inquiry. Equifax claims it fixed the site on September 13.

If you are already fastidious about monitoring your lines of credit, there’s not much to be gained by sharing additional personal information and enrolling in free credit monitoring. The olive branch from Equifax is welcome but may not make a significant impact depending on the consumer.

What other steps can I take?

There are two big moves anyone can make at any time to protect their personal information—submitting a fraud alert or requesting a credit freeze. Both actions are effective in ensuring criminals don’t have easy access to your credit, though they work in different ways.

You can request a fraud alert by contacting the credit bureaus (Equifax, Experian, TransUnion, and a smaller but still significant bureau, Innovis), but you must provide varying amounts of paperwork and personal information before your application is complete. This must be done independently for each company.  Once your fraud alert is in place, lenders can still access your credit information but they can’t grant credit in your name without contacting you first.

If you don’t want your credit files to be viewed by anyone other than yourself, applying for a credit freeze is the way to go. Even though new lines of credit can still be applied for in your name, none can be opened unless you “unfreeze” your credit files to give access. Again, this process must be completed at each credit bureau. Consumers Union offers a thorough how-to guide on placing a security freeze on your credit files and what fees you should expect depending on which state you live in. Unfortunately, many states require fees to lift a credit freeze as well; this means you might have to pay every time you want to move or apply for a car loan. However, the costs associated with this protection are much smaller than the time and trouble involved with being a victim of identity theft.

Those affected can also seek legal recourse. A firm in Oregon has already filed a class-action lawsuit against Equifax, claiming that the company failed “to maintain adequate electronic security safeguards as part of a corporate effort to save money.” At least 23 other lawsuits are in the works, filed in 14 states and the District of Columbia. A federal panel will review and likely combine these cases into a single lawsuit. If class-action status is granted, affected customers will be able to join.

Even if Equifax deems you unlikely to have been impacted by the hack, it would be wise to use this opportunity to evaluate the security of your credit information and keep a closer eye on your credit scores.

Anderson Technologies is a St. Louis cyber security company that specializes in protecting client data. For more information on our services, email info@andersontech.com or call 314.394.3001 today.

What Is a Network Security Audit?

You can’t improve your IT processes and keep your data secure without a complete picture of your IT infrastructure. By conducting a network security audit, you’ll understand what is working and what needs to be improved so you can proactively get ahead of issues and improve your systems.

Cyber security threats are on the rise. Small businesses need to take cyber security seriously.

A network security audit, sometimes referred to as an information security audit, is a technical assessment of your IT systems. It’s conducted by a professional IT firm that uses physical processes and digital solutions to assess the quality and security of your business network environment, including your operating systems and all your applications.

When you work with a managed IT services or IT consulting company, a network security audit is an important fact-finding step, akin to a look under your car’s hood by your mechanic. It’s a way for the managed IT firm to get a complete picture of your business and spot potential holes in your security that could leave you vulnerable to hackers.

As part of a network security audit, your IT partner may conduct an IT infrastructure audit—an assessment of your IT architecture that covers areas beyond cyber security, such as performance and cost-savings opportunities. Both processes are complicated and technical, but the results don’t have to be. Your managed IT partner should be able to present its findings in plain English and recommend easy-to-understand actions based on the report.

A network security audit should include review of the following:

  1. Firewall

The IT partner should review your firewall configuration, check for security vulnerabilities, and make sure it is being patched regularly with the necessary firmware updates.

  2. Anti-Virus and Anti-Malware Software

The audit will determine if all systems, including your servers, are protected by updated anti-virus and anti-malware software.

  3. Active Directory

Microsoft’s Active Directory is a centralized way of managing all the users, computers, and security policies on Windows domains. Your business should be managing its Active Directory on a regular basis, which means removing inactive computers and user accounts from the system as needed. This helps reduce security threats posed by stale accounts with network access and passwords that never get updated.

  4. Password Approach

The audit will determine the effectiveness of your company password policy. For example, are you prompting your employees to use strong passwords and routinely change them? Are you deactivating previous employees’ accounts promptly? These are crucial components of cyber security.

  5. Backups

Every company needs a process for backing up business-critical data and testing it regularly to ensure effectiveness. The audit will review your approach and pinpoint any shortcomings in your strategy.

These are just some of the aspects of a comprehensive network security audit. To identify all security vulnerabilities, your IT partner will also review your approach to data sharing, remote connectivity (how your employees access company assets when they are home or traveling), and internet content filtration (whether you block sites that violate your company’s internet policy).

Why a Network Security Audit Should Include an In-Person Assessment

The network security assessment should pave the way for a blueprint of your IT security plan. At Anderson Technologies, our experts use the audit to identify critical risks and help our clients prioritize their resources.

When conducting a network security audit, Anderson Technologies installs a sophisticated software tool on the client’s server to probe the network, gather information, and compile findings. Additionally, its experts go onsite to review the client’s setup in person. That is the only way you can truly assess the health and performance of IT equipment and ensure systems are wired correctly. For example, a software probe can’t tell you if too many systems are running from the same power source or if someone has plugged a space heater into the same surge protector as the computers, a common mistake in the winter months.

Next, the firm analyzes all the digital and on-the-ground findings and boils them down to key takeaways and prioritized action items for business owners. That is when the network security audit really proves its value—when it helps a business and its managed IT services partner find ways to stay safer and improve the business’s IT infrastructure.

Anderson Technologies is a St. Louis managed IT services and IT consulting company that performs network security audits and IT infrastructure audits for clients. It specializes in making meaningful recommendations based on findings and working with clients to improve their approach to cyber security. For more information on the company’s services, email info@andersontech.com or call 314.394.3001 today.

Quotables: Security on the Go: Protecting the Data on Your Mobile Devices

We recently published a guest article about protecting data on mobile devices.

Read our full guest contribution on TechSpective’s website:

https://techspective.net/2017/05/18/security-go-protecting-data-mobile-devices/ 

Are you in need of expert IT consulting?  Anderson Technologies is a St. Louis IT consulting firm that specializes in system administration for small businesses.  Let us help you today!  Give us a call at 314.394.3001 or email us at info@andersontech.com.

What are Quotables?  This is a category in our posts to highlight any publications that benefit from our expert IT consulting advice and quote us in articles for their readers. 

Taking Email to the Cloud: A Behind-the-Scenes Look at an Office 365 Email Migration

This St. Louis business enlisted Anderson Technologies to migrate its email hosting to the cloud and to provide ongoing managed IT services so it could have more peace of mind.

Denise Rathbun, director of operations at Jamplast, first learned of Anderson Technologies when she received an invite to one of its free cyber security trainings, which it hosts for local businesses and community members.

Jamplast is a leading distributor of raw plastic materials and biopolymers based in the St. Louis area with a distribution center in Mt. Vernon, Indiana. Last spring, Rathbun began meeting with companies so she could choose a partner to help with an Office 365 email migration and to provide managed IT support. She invited Anderson Technologies to submit a proposal.

In the end, Rathbun chose Anderson Technologies because she was impressed by its people and setup, and she appreciated that it was a family-owned, local St. Louis business. “We were looking for a partner that would be proactive and make suggestions and recommendations before problems arise. Anderson Technologies seemed like a good fit,” she says.

Anderson Technologies kicked off the partnership by conducting a network audit, in which it examined Jamplast’s IT infrastructure and made recommendations for improving security and performance. Jamplast had been having trouble with its email reliability and connectivity, and its team was interested in moving to a cloud-based solution.

“Our email system went down every time we lost power,” explains Rathbun. “This was detrimental to our sales team. It was hard for them to perform their job when they couldn’t send or receive email.”

After assessing Jamplast’s architecture and needs, Mark Anderson, principal of Anderson Technologies, suggested migrating to a Microsoft Exchange Online Plan, which is part of the Office 365 product suite. With Office 365 services, email is hosted in the cloud, rather than on a physical server onsite. This means email services aren’t disrupted if the building loses power or its connection to the internet. It also adds a level of security since emails are backed up in the cloud and makes it easier to access email remotely.

A Fast and Secure Approach to Better Email

Before Anderson Technologies began the Office 365 email migration, it suggested improving Jamplast’s backup processes. “They found the fastest and best option and ensured no data would be lost during the migration,” says Rathbun.

Anderson Technologies had to make sure all users had updated versions of Microsoft Office prior to the Office 365 email migration since some versions are not compatible with Office 365.

Securely migrating all Jamplast’s email, contacts, and miscellaneous data was a massive undertaking. The Anderson Technologies team worked “extremely hard to minimize downtime during the transition,” says Rathbun. “Luke Bragg [senior systems administrator] did a great job of explaining technical issues in a way that made sense to non-technical people.”

Today, the Jamplast team has peace of mind knowing its email is set up, and backed up, properly. Rathbun appreciates the security of having a dependable managed IT services partner, especially since ransomware and other cyber threats are on the rise in St. Louis and beyond. She notes that from time to time, Jamplast employees receive phishing emails, in which cyber criminals try to trick recipients into clicking nefarious links that would infect their computers with viruses.

“It is nice knowing you have an IT partner that has your back, and that if something did happen, they would be able to get you back up and running quickly,” she says. “I can’t imagine life without that or without Anderson Technologies.”

Rathbun adds that she values the level of customer care she receives. “After the Office 365 email migration, Mark Anderson called to get my thoughts and to make sure we were taken care of. I don’t think you would get that type of service from a larger company.”

Are you considering an Office 365 email migration? Anderson Technologies is a family-owned managed IT services company in St. Louis dedicated to providing quality service and exceptional care. Contact us today by emailing info@andersontech.com or calling 314.394.3001.