LexisNexis Breach — Lessons in Small Business Patching

In late February, data analytics company LexisNexis Legal & Professional suffered a data breach in which the threat actor responsible used an unpatched application to access the company’s Amazon Web Services infrastructure. While LexisNexis L&P claims the data leaked was minimal, this breach still serves as an important reminder of a critical security principle:

If a company as large as LexisNexis L&P can fall victim to such a simple vulnerability, what’s to say your business won’t?

“It Won’t Happen to Me” is a Dangerous Misconception

For reference, LexisNexis takes in an estimated $2.6 billion each year. A billion-dollar company was taken down by a simple missing patch.

Unfortunately, too many business owners assume one of two things:

• Cybercriminals will only seek to target larger businesses
  …or…
• The statistical probability of their business being targeted is low enough that they are safe

Either assumption is grossly inaccurate. First and foremost, we’ve seen businesses of all sizes struck by cyberattacks, so business size clearly isn’t a shield by any stretch.

As for the second point, the idea that there are so many targets that you don’t need to worry about being victimized is obscenely short-sighted… primarily because there’s still an inherent lack of appreciation of how capable modern cybercriminals truly are with the tools now at their disposal. Instead of manually seeking out open doors to networks, checking for vulnerabilities one by one, automated tools and tactics allow ne’er-do-wells to identify and infiltrate targets en masse.

It doesn’t matter if the target is the small family business down the road or a massive Fortune 500 company. An open door is an opportunity.

Patch Management is a “Now” Priority

Patch management—or installing any software and security updates that are available for tools and services currently in place—is a critical element of preserving your business’ security. Let’s say a new threat is developed that one of your critical business tools is vulnerable to, and in response, the developer of that tool creates a fix for that threat. This fix is what is called a patch. By installing it, the threat or vulnerability is resolved.

Here’s the thing, though… these patches and other updates need to be installed.

Generally speaking, developers will send out notifications that announce the existence of a new patch. That’s where their responsibility ends. It is on you, as business leadership, to make sure these patches and updates are applied in a timely manner. What happens if you don’t? Your critical business technology is left vulnerable.

How to Better Secure Your Business

Let’s go over three essential steps for proper patch management that ultimately keep your business much safer than it would otherwise be.

1. Maintain an accurate inventory. You and your IT team need to be aware of the software your team uses throughout the workday. Not only does this reduce the impact that shadow IT can have, but it also helps ensure that all patches and updates are applied appropriately.
   
   
2. Automate patch application. Keeping track of patches and similar updates can be challenging. One option is to enable your systems to automatically apply these patches so it doesn’t need to be handled manually.
   
   
3. Enlisting professional support. Outsourcing patch management responsibilities to external providers like OnSite I.T. ensures that your necessary patches are applied correctly.

Don’t Follow LexisNexis’ Example… Protect Your Data By Maintaining Your Defenses

We’re here to help. Preventing a breach is far more affordable than dealing with one, after all. Reach out to us at (403) 210-2927 to learn more.