No doubt by now you’ve heard the disastrous story of the Equifax breach.

We know the following facts: Equifax, a large credit reporting company, discovered a flaw in the Apache Struts framework for its for its online U.S. dispute portal on July 29. The company announced on Sept. 7 that attackers had obtained access to the personal data of up to 143 million U.S. customers. The data include social security numbers, names, addresses, birthdates, and credit card numbers and drivers licenses in some cases. Equifax customers are piling on a slew of slew of class-action lawsuits, and multiple top Equifax executives have resigned as the company scrambles to show transparency and alleviate concerns.

Our publication discussed the immediate lessons that businesses and their partners can take out of the Equifax data breach earlier this month, but more and more analysis has become available to us in the weeks following the initial announcement. Several data and security experts spoke to us about the long-standing repercussions of the breach and the implications for small businesses and the technology advisers who support them.

Authentication

Comodo’s Carlos Solari

Members of the Comodo Threat Intelligence Lab discovered Equifax customer and non-company system employee credentials being sold on the dark web. Attackers had infiltrated the Equifax portal with upgraded pony exploit malware that takes a snapshot of the login information to steal some of the information. The Comodo team says it also discovered passwords for non-company systems like LinkedIn and DropBox that contained corporate email addresses.

There are two main points of concern that Comodo raises.

The first is that many of the stolen passwords were too simple. The passwords tended to lack the proper length and variety of uppercase and lowercase letters.

Carlos Solari, Comodo’s vice president of cybersecurity services, says most companies consider a password’s length acceptable if it reaches 12 characters. Solari says this number should be closer to 24.

“You don’t necessarily need the complexity of asterisks and pound [signs] and lots of other kinds of less used characters, but length is the most important,” he told Channel Partners.

The simplicity of the passwords first means that they are easily guessable, but it also means the users are likely recycling those credentials.

Comodo’s David Liff

“That’s normally indicative of people who are using the same passwords on many different systems,” said David Liff, Comodo’s vice president of marketing. “Hackers out there would have known that and would have used these identities to try to work out [how many things] they can get into.”

The users whose other account credentials resemble theirs for Equifax are in further danger of theft. And the ability of a threat actor to …

… access social media accounts opens up the possibility of posing as the victim for phishing purposes.

“The lesson that we believe you can learn from that is don’t use very weak passwords and definitely don’t use your identity on non-corporate systems, because it absolutely exposes you to the possibility of being coerced,” Liff said.

The End of SSN?

AvePoint’s Dana Simberkoff

Dana Simberkoff, AvePoint‘s chief risk, privacy and information security officer, says the stolen social security numbers represent one of the most understated problems in data protection. She argues that social security numbers and birthdays are an outdated method of identifying someone.

“And this is something that we’ve known is a risk for a really long time, and the fact that this is still a way that we handle identity — that should be talked about more. Because we have much more secure ways of doing it, and still today all these years later, your social security number and your birthday [are] the keys to unlock your identity. Not only online, but around your doctor’s offices and all kinds of places, and it just shouldn’t be anymore,” she said.

Simberkoff says there are plenty of authentication alternatives to using social security numbers as identifiers.

“The iPhone is coming out with facial recognition technology. We have all kinds of two-factor authentication that we can do through computers, through our fingerprints, through biometric data,” she said. “We have so many different options for identifying who a person is in a way that is far less likely to be compromised than a paper.”

David Liff agrees that biometrics could be the best way to identify customers. And he says change is already on its way in many major firms.

“Post-Equifax, many of the banks that issue credit cards already started to consider what other points of data they can use that have not been collected centrally,” he said.

Regulation

Experts suggest that America is on track to follow the path of Europe in the area of customer data compliance. Although measures like mandatory breach reporting exist in the U.S., companies across the pond must keep in line with far more stringent measures when handling their clients’ personal information.

“If you go to a restaurant in the U.S.A. today, you give your credit card in the bill to the waiter, who walks off with your credit card. In Europe there are regulations that say that cannot happen,” Liff said.

The European Union will soon implement the General Data Protection Regulation (GDPR, which you can learn more about in further detail), which could be a template for …

… U.S. data compliance. Simberkoff says she can envision a future U.S. where customers prioritize data privacy and security when picking out vendors. And this attitude will be driven by laws that incentivize stronger data policies and infrastructure and punish the opposite.

She says companies like Equifax that handle massive amounts of data deserve that kind of scrutiny.

“The world seems to be moving forward stricter, sterner measures toward companies that don’t put good controls in place,” she said.

“And quite frankly, I don’t think there’s much of an excuse not to do it. When you’re a custodian of somebody’s else’s information, you have an obligation to have it … they have data about citizens that we don’t necessarily give consent for them to have. They just get that. They have a right to get that data because of the nature of what they do. And to me, that creates a higher obligation for them to protect it.”

Partners

It is a more and more accepted fact that small and medium-size businesses are just as targeted as large companies like Equifax. One study by Verizon says SMBs account for 61 percent of breach victims.

Simberkoff says the Equifax breach makes life more difficult for small businesses, namely because of an “erosion of trust” that comes from consumers hearing about large-scale security failures. She says SMBs also need to address their customer information protection protocols because of how data is being commoditized in today’s society.

“No matter what the line of businesses you are in, the economy is being fueled by personal information, by the data that you hold,” she said. I think almost all businesses today are in some manner digital businesses, and that’s why breaches and identity theft are increasing.”

And in this data-driven world, partners can help guide businesses that lack significant in-house IT resources. Simberkoff says partners and their customers should adapt the “best practices and principles of good data governance and good data life-cycle management” with the same fervor as large enterprises.

“One clear message that this should send to smaller businesses and the partners that support them is that you cannot protect everything from everybody, so you need to understand what is important to protect,” she said. “To do that, you need to understand the data that you hold.”