Data breach numbers on the rise
Year after year, data breach numbers keep growing. According to the Identity Theft Resource Center’s 2021 Annual Data Breach Report, organizations reported 1,862 data breaches in 2021, compared to 1,108 in 2020.
While the biggest data breaches, such as Equifax or Yahoo!, make the headlines, it’s not necessarily about the numbers. For small businesses, a seemingly minor security breach can have serious consequences, even leading to closure. In volatile industries, the type of sensitive data that is lost, such as credit card numbers, financial information or medical data, may incur huge fines and have a major impact on the people whose data it is.
The rising number of data breaches can be attributed mostly to growing criminal interest in data. The more we go towards a digital society, the higher the value of data for criminals. A leak of confidential information such as social security numbers along with other personal data and/or PII can allow cybercriminals to assume identities in the digital world easily.
Most data breaches are, indeed, a result of criminal activity. Phishing and ransomware are cited as the primary security threats and root causes of data compromises.
Anatomy of a cyberattack
A lack of understanding of cybersecurity could be one of the main reasons why not all organizations have sufficient data breach prevention. This can be partially attributed to the media, which focuses on popular terms such as phishing and ransomware and leads many to believe that if they are well protected against these two types of cyberattacks, they can rest easy. Unfortunately, that is very far from the truth.
Almost every cyberattack is a complex chain of activities that involves not just computers but primarily humans and their weaknesses. A cyberattack that leads to a data breach may take a long time, even several months, and may involve the attacker establishing footholds on resources, doing reconnaissance, and using many different techniques along the way.
For example, an attacker could start by finding a cross-site scripting (XSS) web vulnerability in one of the minor websites owned by the organization, such as a marketing website. At the same time, they would discover the organizational structure and select key users as targets. The targeted users would then be hit by a spear phishing attack that would use the previously found XSS. The lack of data loss prevention (DLP) would make it possible for the user to expose their login credentials to the attacker. Then, the attacker would check whether the same credentials work for different systems and could find out that they could gain access to the organization’s primary business web application. This unauthorized access could lead to the attacker finding more security risks, gaining more permissions, and ultimately installing a web shell that would let the attacker run commands using the web server’s operating system. This would, in turn, make it possible to install ransomware.
As you can see, ransomware is just a tiny final step of the attack, and no amount of ransomware protection software would help if the attacker could execute the previous steps. The media, and even the ITRC, treat ransomware as a root cause of data breaches, overlooking the fact that ransomware must first somehow make its way into the systems through weaknesses in computer systems and human behaviour.
Prevention through complete coverage
To avoid situations like the example above, organizations must make sure that their security policies focus on comprehensive protection and are not just there to meet compliance requirements. Unfortunately, many organizations go only as far as passing audits and assessments, which leaves a lot of the attack surface inadequately covered.
Cybersecurity should be treated exactly the same way as physical security – there’s no advantage in installing extra locks on the door if the window can easily be broken. The challenge for many organizations is that cybersecurity is a very complex subject and it’s difficult to find all these windows and doors. And the current cybersecurity talent gap is not helping organizations that struggle to hire well-educated and experienced security managers.
Here are some of the areas that are often left insufficiently protected:
The human factor remains the greatest risk for cybersecurity. Education helps to reduce human error, negligence, scams, and phishing, but even if you train employees well, it won’t prevent intentional malicious acts. Malware protection software is not nearly enough to stop humans from causing harm through their intentional and unintentional behaviour. It must be paired with other solutions such as data loss prevention (DLP) software. The former prevents the installation of malicious software on the endpoint, while the latter prevents the manual sharing of sensitive information outside of the business, for example via social media, or moving it off the laptop hard drive to portable media without sufficient data protection (encryption).
The first stages of cyberattacks most often focus on the human factor, but some of them start by finding weaknesses in the computer systems. While just a few years ago it was mostly a matter of network security and updating your systems as soon as security patches became available, the move to the cloud and the abundance of web technologies, not just in applications but also in APIs and mobile technologies, has shifted the focus towards web application security. Many organizations still live in the past and focus on network security, not treating web vulnerabilities and misconfigurations with due diligence and instead thinking that a VPN and a web application firewall will be enough.
Another problem is that cybersecurity experts often fail to understand user psychology. One clear example of this is how often cybersecurity teams don’t understand the users’ approach to passwords. By forcing users to create passwords that include capital letters, numbers, and special characters, they end up with most people using passwords similar to “Password1!”, which are trivial to break and not strong passwords at all. Forcing users to change passwords every month or so simply makes them change “Password1!” into “Password2!” and reuse their passwords across all systems. Instead, organizations should embrace newer technologies like multi-factor authentication as well as biometrics and hardware keys, and promote solutions such as password managers among their users.
The recipe for success?
There’s no simple recipe for maintaining the best possible security posture and preventing data breaches in 2023. Your best bet is to hire the right people, make sure you’re not living in the past, and understand that to cover all your bases you will need many different technologies, solutions, and security measures; it’s not enough to buy an expensive package from a large security provider that uses fancy buzzwords in its marketing campaigns.
Maybe advanced solutions weren’t needed 10 years ago and you could rely on anti-virus software and a firewall, but in the world of cybersecurity the situation changes very quickly and you have to keep your finger on the pulse. As long as you approach cybersecurity with an open mind and make sure that it never becomes a silo in your organization, you have a better chance than many of avoiding a data breach.