Data breaches can cause a loss of revenue and market value as a result of diminished customer trust and reputational damage.
There were over 3,200 data compromises in the United States in 2023, with 353 million victims, including those affected multiple times, according to the US Identity Theft Resource Center (ITRC). Each one of those individuals might be a customer who decides to take their business elsewhere as a result, or an employee who reconsiders their position with your organization. That should be reason enough to prioritize data security efforts.
Yet despite global enterprises spending tens of billions of dollars annually on cybersecurity, data breaches continue to proliferate. Why is it proving so challenging to mitigate these cyber-enabled risks? The scale and variety of attacks, threat actor resourcefulness and the size of the typical corporate attack surface hold some of the answers.
Why data means business
The volume of data created globally has exploded in recent years thanks to digital transformation. According to one estimate, 147 zettabytes were created, captured, copied and/or consumed every day in 2024. This data holds the key to unlocking vital customer insight, enhancing operational efficiency and ultimately making better business decisions. It also contains trade secrets, sensitive IP and personal/financial information on customers and employees, which is highly monetizable on the cybercrime underground. That puts it at risk from financially motivated cybercriminals as well as state-aligned actors.
According to the ITRC, there were over 3,200 data compromises in 2023 in the US. These can cause significant financial and reputational damage including:
Costly class action suits
Brand damage
Lost customers
Share price slumps
Costs associated with IT forensics and recovery
Regulatory fines
Breach notification costs
Lost productivity
Operational outages
What are the most serious data threats?
Not all breaches are deliberate. More than two-thirds (68%) of those analyzed by Verizon last year stemmed from “a non-malicious human action” such as an employee falling victim to a social engineering attack, or accidentally emailing sensitive information to the wrong recipient. Human error also includes misconfiguring critical IT systems such as cloud accounts. It might be something as simple as failing to set a strong, unique password.
However, you must also be aware of the threat from malicious insiders. These tend to be harder to spot: the person in question is deliberately hiding evidence of their wrongdoing, while at the same time exploiting inside knowledge of business processes and tooling. It’s claimed that the cost of such incidents is soaring.
Emboldened nation state actors also make a persistent and sophisticated adversary. They may only account for around 7% of breaches (according to Verizon), but have a high chance of success if your organization is unfortunate enough to be a target, or gets caught in the crossfire.
So what are the biggest threat vectors facing your organization?
Phishing and other social engineering efforts remain a top route to compromise. Why? Because human beings remain fallible creatures who often fall for the stories they’re told by fraudsters. If these efforts are targeted at specific individuals in spear-phishing attacks, they have an even better chance of landing. Cybercriminals can tailor these messages using information scraped from social media, especially LinkedIn.
Supply chains can be hijacked in various ways. Cybercriminals can use cloud or managed service providers (CSPs/MSPs) as a stepping stone into multiple client organizations. Or they could implant malware into open source components and wait until they’re downloaded. In the most sophisticated attacks, they might breach a software developer and install malware inside software updates, as per the SolarWinds campaign.
Vulnerability exploitation remains a top-three method of kicking off ransomware attacks. According to Verizon, the volume of vulnerability exploits associated with data breach incidents this year grew 180% over 2023. The Five Eyes intelligence group has warned that the number of zero-day vulnerabilities is also growing, which should be a cause for even greater concern as these are flaws for which there are no software patches.
Compromised credentials are usually the result of poor password security/management, successful phishing attacks, large-scale data breaches or password brute-force attacks. They offer one of the most effective ways to bypass your cyber-defenses, without setting off any alarms. Verizon claims that the use of stolen credentials has appeared in almost one-third (31%) of all breaches over the past decade.
BYOD continues to provide opportunities for threat actors, as corporate employees often forget to download anti-malware to their personal devices. If they get compromised, hackers may be able to obtain logins for corporate cloud accounts, access work emails and much more.
Living off the land is a commonly used set of post-exploitation techniques for lateral movement and exfiltration, which enable an adversary to stay hidden in plain sight. By using legitimate tools like Cobalt Strike, PsExec and Mimikatz, they can perform a range of functions in a way that’s difficult to spot.
We should also mention here the potential in AI-powered tools to help threat actors. The UK’s National Cyber Security Centre (NCSC) claimed in January 2024 that the technology will “almost certainly increase the volume and heighten the impact of cyber-attacks over the next two years.” This is especially true of reconnaissance and social engineering.
Hitting back
Tackling the challenge of data breaches means taking action on all fronts, to reduce risk across an attack surface which continues to grow with each digital transformation investment, unpatched remote working endpoint, and stolen credential. Here are a few ideas for starters:
Understand the extent of your attack surface by continuously mapping out all of your IT assets
Implement risk-based patching and vulnerability management programs, including periodic penetration testing
Ensure all corporate machines and devices are protected by multilayered security software
Install data loss prevention tooling
Use mobile device management (MDM) to keep an eye on all devices, and ensure they have anti-malware installed from a reputable vendor
Enforce strong password policies and multifactor authentication (MFA) everywhere
Educate staff on how to spot phishing messages and other critical areas of security awareness
Create an incident response plan and stress test it periodically
Encrypt data in transit and at rest
Audit third-party suppliers and partners
Run network/endpoint monitoring to get an early warning of any intrusions
Ensure cloud systems are correctly configured
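As an added example (not from the original article), the following Python script applies the kind of early-warning monitoring recommended above to the compromised-credentials scenario: it reads constructed sshd-style authentication log lines and flags a source that fails against several distinct accounts (password spraying) or that succeeds after a run of failures. The log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines (not real data): one source sprays five
# accounts and then succeeds on the last one; a second source has a single typo.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[101]: Failed password for alice from 203.0.113.5
2024-05-01T10:00:02Z sshd[101]: Failed password for bob from 203.0.113.5
2024-05-01T10:00:03Z sshd[101]: Failed password for carol from 203.0.113.5
2024-05-01T10:00:04Z sshd[101]: Failed password for dave from 203.0.113.5
2024-05-01T10:00:05Z sshd[101]: Failed password for erin from 203.0.113.5
2024-05-01T10:00:06Z sshd[101]: Accepted password for erin from 203.0.113.5
2024-05-01T10:05:00Z sshd[102]: Failed password for alice from 198.51.100.7
2024-05-01T10:05:30Z sshd[102]: Accepted password for alice from 198.51.100.7
"""

# Assumed line layout: ISO timestamp, sshd pid, result, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)

def parse(lines):
    """Yield (timestamp, result, user, ip) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["result"], m["user"], m["ip"]

def detect(log, fail_threshold=4, window_s=300, spray_accounts=3):
    """Return alerts: a source that fails against spray_accounts distinct users
    within the window, and a success from a source with >= fail_threshold
    recent failures (a stolen or guessed credential finally working)."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    alerts = []
    for ts, result, user, ip in parse(log.splitlines()):
        # Drop failures that have aged out of the sliding window for this source.
        failures[ip] = [(t, u) for t, u in failures[ip]
                        if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            failures[ip].append((ts, user))
            distinct = {u for _, u in failures[ip]}
            if len(distinct) == spray_accounts:      # fire once per burst
                alerts.append(("spray", ip, len(distinct)))
        elif len(failures[ip]) >= fail_threshold:
            alerts.append(("success-after-failures", ip, user))
    return alerts
```

Run against real logs, the thresholds would be tuned to the environment, and the alerts would feed the incident response plan rather than stop at a printout.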
As we’ll soon celebrate Data Privacy/Data Protection Day, it’s clear that keeping our most sensitive data under lock and key requires vigilance from both individuals and the businesses they trust to look after their information. The regulatory impact of failing to do so could be severe, as could the loss of customer trust. But the opposite is also true. Prove your business is a responsible custodian of this data, and it could prove to be a powerful competitive differentiator.