It could happen to anybody, if we’re honest with ourselves. Even if you have procedures and personnel to monitor security notices and apply patches, relying on all of that operating flawlessly every single day is just not realistic.
Twenty years ago, the Struts Framework was widely used to build enterprise Java applications, and if you use Struts heavily, it is like mold — it winds up in your application’s roof, drywall, cabinets, and basement. That is one of the big difficulties with fixing this problem: rewriting a major application can easily cost $20 million. It never seems urgent, and who has $20M sitting around to fix something that “ain’t broken”?
Well, actually, the architecture IS broken. And continuing to sit there with a target painted on your back doesn’t seem wise.
Phil Muncaster at Infosecurity Magazine has an interesting update on the Equifax data breach here. Here’s an attention grabber: “[Equifax] has agreed to spend at least $1bn on improving its cybersecurity posture over the coming five years. It will also need to fund several years of credit monitoring from Experian and its own services for class members. That could amount to an extra $2bn if all 140 million+ customers sign up. … The total could creep up towards $10bn — a cautionary tale for organizations tempted to focus on business growth at the expense of cybersecurity and risk mitigation.
‘This settlement is the largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude,’ wrote district judge Thomas Thrash.
‘The minimum cost to Equifax of the settlement is $1.38bn and could be more, depending on the cost of complying with the injunctive relief, the number and amount of valid claims filed for out-of-pocket losses and the number of class members who sign up for credit monitoring.’”
A BILLION dollars for cybersecurity “posture improvements”? Wow… Makes our Struts2Spring offering look pretty darn good! We can take that Struts target off your back, update your Java, and cut your risk of a data breach. Please reach out to us here.