Data breaches and the security slip-ups that cause them
In 2019, businesses spent approximately $103 billion on security-related hardware, software, and services, according to IDC—a figure it expects to reach nearly $134 billion by 2022. Still, the data breaches keep coming.
And, it turns out, they keep coming for many of the same reasons. Enterprises regularly slip on the basics, which costs them big when it comes to data breaches, regulatory fines, forensics investigations, downtime, and irritated customers.
So that enterprises can better avoid some of that pain, we have gathered seven of the most common organizational security slip-ups and provide some advice on how to avoid them.
Poor management of access credentials
According to the 2020 Verizon Data Breach Investigations Report (DBIR), the use of stolen credentials (usernames and passwords) is the top hacking technique in data breach incidents.
This isn't a new phenomenon. Using stolen credentials has consistently ranked among the top ways enterprises are breached. Why is this? It comes down to lack of proper identity controls. Organizations don't do an effective enough job ensuring user identities are appropriately managed. For example, when users change their job roles, credentials for the applications they no longer use may not be correctly deactivated. And even when staffers leave employment, such accounts can remain active for weeks, months, and sometimes years.
Further, enterprises are often their own worst enemy when it comes to credential attacks. It's still too common for teams to hard-code and embed passwords and encryption keys within devices, applications, and even software repositories. Until these habits stop, these types of attacks are going to continue.
Mitigation: Such slip-ups can be better avoided with effective identity management governance. Make sure staff are using strong passwords; monitor logins for anomalies, such as multiple failed login attempts; and make sure credentials aren't hard-coded into applications and devices. When staff or contractors change roles, make sure those login credentials are terminated.
One helpful technique is role-based access control. Under RBAC, you don't decide on permissions and authorizations for each user individually. Instead, you define roles in the organization and grant permissions and authorizations to users in those roles. A user may have more than one role. RBAC enforces policy by design.
To ensure effective identity management processes remain in place, it's essential that organizations consistently enforce identity management policies and closely monitor privileged account security policies.
Finally, whenever possible, enforce multifactor authentication. This could be hardware tokens, one-time password tokens, or SMS-based authentication. According to a study by Google, two-factor authentication increases security and blocks 100 percent of automated attacks.
Little or minimal security awareness training
Many successful attacks require some type of action on behalf of the user. Verizon's DBIR found phishing to be the top social attack vector. And in its latest data breach report, law firm BakerHostetler found that phishing remains the top cause of incidents among its clients.
These attacks often employ forms of social engineering, such as tricking users into clicking on a link or opening an attachment, or making emails appear as if they were sent from co-workers or other trusted associates.
Increasingly, these fraudulent emails are difficult to identify. And when users are tricked and act upon them, such as clicking a link or an attachment, they can unwittingly infect their endpoints with malware, fund a fraudster (such as with business email compromise attacks), or expose their login credentials to some service or application. If enterprises are going to reduce the number of their data breaches, they will have to get a better handle on phishing attacks.
Mitigation: Effective security awareness training is the answer. By regularly teaching users to be more conscious of the risks, they will be more careful about which links and attachments they click on. There are services you can hire to send test phishing emails to your users to measure their skills at identifying the fakes.
Security awareness training can't be treated as a once-a-year event either. To keep awareness high, such training should be ongoing. Healthy programs are relevant to current events, focus on areas of risk to the organization, and help staff learn about those areas and improve over time.
Relying on silver-bullet security 'solutions'
Organizations commonly purchase and deploy security technologies with the expectation that they will solve their problems. Typically, these products don't solve anything, but instead, at their best, they help businesses better manage or control some technical security risk. Such point solutions include anti-malware, security information and event management systems, endpoint detection and response systems, vulnerability managers, and identity management platforms. When deploying these technologies and other security toolsets, enterprises can't expect the tools themselves will reduce data breach risk. But they often act as if these tools do exactly that.
Consider this phenomenon with application security tools. Commonly, organizations purchase or subscribe to an application security assessment tool and conduct their initial assessment. Typically, they find lots of flaws in their applications, but they didn't plan much further than running the code assessment. And they didn't plan for the time or developer availability to remediate the defects they identified.
What happens? Applications get deployed with security flaws.
Mitigation: It's critical that when deploying security tools, especially those involving ongoing maintenance and processes, organizations plan for the proper staffing and training for their continued use. They have to look beyond just funding the initial deployment of the software and initiative to ensure appropriate ongoing security mitigations, as well as the management and maintenance of the tools.
No business continuity or disaster recovery planning
Not all attacks involve data being stolen clandestinely or exposed on the Dark Web. Many other types of attacks, such as denial of service and ransomware, disrupt business operations. In addition to data security risks, natural disasters such as fires, floods, and tornados—or civil unrest and acts of terrorism or war—can also disrupt operations.
Consider ransomware. According to the Verizon DBIR, ransomware is the second most prevalent malware involved in the incidents it tracks, following only downloaders. And in its incident response report, BakerHostetler found ransomware attacks to be up and affecting many industries, including manufacturing, professional services, healthcare, education, and government.
To gain entry, ransomware attacks typically begin as phishing attacks and exploit misconfigured, poorly secured, and unpatched systems. Once they are in, attackers encrypt systems and data and demand payment in exchange for a key to unlock the data. Of course, if there is a backup at the ready, no such payment would be necessary. Simply recover and move forward. The same is true when it comes to recovering systems and data after natural disasters and other types of events.
Mitigations: Because so many ransomware attacks begin as phishing attacks, security awareness training will help avoid many ransomware attacks. But resiliency is the key when it comes to disruptive risks. Make sure backups of critical systems and data are standard practice, use a backup that provides for multiple saved iterations, and test backup systems for effectiveness. The best way to recover from a ransomware attack without paying a ransom (and praying the key works) or to move forward from some destructive data attack is to be able to restore your data immediately.
Having an incident response plan is essential to resiliency as well. That includes the ability to not only quickly recover affected systems, but also investigate the extent of the breach, rapidly mitigate the risk to other systems, identify data accessed, and report the incident and work with law enforcement when necessary.
Neglecting third-party risks
Another common cause of data breaches are third parties. Suppliers manage customer systems and data and are a considerable risk vector for operational and regulatory compliance, data security, geopolitical, and other risks. And data breaches at third-party suppliers are just as devastating as data breaches in an organization's own systems.
According to a study by Ponemon Institute, "Data Risk in the Third-Party Ecosystem," of 1,000 chief information security officers and security professionals surveyed in the U.S. and U.K., 59 percent of survey respondents in the U.K. said they had experienced a third-party data breach, while 61 percent of those in the U.S. reported the same. Target's disastrous 2013 breach was accomplished through the breach of a third party.
Mitigation: Organizations need to identify their suppliers and prioritize them based on their risk, should a data breach or other incident occur to the supplier. They should also put into place an ongoing process to manage third-party and supplier risk.
Such processes include assessing vendors for data security risks when they are being onboarded. This not only ensure that suppliers have sound security practices, but that these practices are contractually enforced and procedures for handling a data breach are in place should one occur. And capabilities should be assessed as part of the ordinary course of business.
Poor system hygiene and misconfigurations
One of the most common and historically persistent slip-ups are system misconfigurations. These include everything from leaving unnecessary services on servers to leaving workloads in the cloud publicly accessible.
In recent years, countless records have been exposed due to misconfigured services such as Amazon Simple Storage Service (S3) instances. In a survey conducted by security vendor Tripwire, of 150 attendees at Black Hat USA 2019, 84 percent said it was difficult for their organizations to maintain security configurations across cloud services. Of those, 17 percent said it was very difficult.
As enterprises continue to invest in their digital transformations and rapidly increase cloud deployments—as well as maintain critical on-premises systems—enterprise technology will become more complex to manage. Gartner expects the public cloud management and security market to reach nearly $18 billion by 2022.
Mitigation: As challenging as it may be, organizations must make sure their ability to monitor and manage their environments keeps up with their speed of deployment. This includes areas such as identity management, monitoring, logging, and incident response. Guidance on how to do so can be found from cloud service providers and independent organizations such as the Center for Internet Security, with its CIS Controls and Benchmarks.
Missing the balance between speed and security
It's always been common for security to be an afterthought in organizations. Whether it's designing and deploying new systems, developing new applications, or adding new features to existing applications—security is often brought in late. This can slow down deployments and needlessly make deployments more costly.
For instance, consider an application that is ready to be deployed. Security is brought in late to review, and the security team finds business logic errors that need to be remedied. Fixing complex flaws can slow production and delay product releases. This is one of the reasons why security flaws found late in production are typically more costly to fix.
Today, such security challenges are exacerbated as enterprises move to further digitally transform their business processes, software development, and cloud deployments—the risks will increase as security teams fall further behind.
Mitigation: Organizations need to take steps to ensure security processes are built into their development and deployment processes. Security teams need to be brought into technical design and decision-making early so they can ensure that new systems and applications are designed with security in mind. This will help reduce the risk of data breaches while preventing needless interruptions in digital transformation efforts.
No enterprise is ever going to be perfectly secured. But by taking steps to eliminate some of the more common security slip-ups, organizations can indeed become much more resilient to attack and make much more effective use of the billions of dollars they will spend on securing their businesses.
Common security slip-ups: Lessons for leaders
Ensure that your company has a strong and ongoing program of security awareness training.
Include security in planning at the earliest stages of design and development.
Make sure partners that have any access to your networks are as secure as you expect your own organization to be.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.