The blockbuster Cost of a Data Breach 2018 study, a joint project of IBM and Ponemon, is a disturbing read.
Here’s a look at some of the highlights from the 15-country study, thanks to IBM and Digital Commerce 360:
- In 2018, the average cost of a data breach was $3.86 million, an increase of more than 6% from the previous year
- The average cost of a data breach in the U.S., specifically, was nearly $8 million
- The average cost of a single lost or stolen record was $148, an increase of nearly 5% over the previous year
- Globally, the average size of a data breach was about 25,000 records
- In the U.S., the average data breach size was more than 31,000 records
- Globally, about half of all breaches were of malicious origin (and potentially criminal)
- About a quarter of all breaches were the result of human error or negligence, usually on the part of an employee or contractor
- About a quarter of all breaches resulted from a system glitch (computer error)
If we can agree that any breach is unacceptable, no matter its origin, we can agree on what comes next: anticipating and safeguarding against the types of breaches most likely to occur now, in 2019.
Unfortunately, that’s a pretty long list. These 11 represent just the tip of the iceberg — but the relatively high likelihood of their occurrence should compel you to plan for them without delay.
1. Now You’re In, Now You’re Out: Why Ransomware Is So Devastating
Ransomware is a disruptive — and, frankly, insulting — form of malware that can devastate your business processes and (effectively) erase databases you’ve taken months or years to build.
Ransomware attacks lock victims out of infected systems until they pay a ransom, usually the equivalent of a few hundred dollars in cryptocurrency. For small-business owners, the financial cost of the ransom is a serious issue; for larger companies better able to absorb the hit, data loss is the main concern.
Whether you consider a ransomware attack a “disaster” on the same plane as fire, flood, or power failure at your server farm, the best way to protect against the resulting data loss is to invest in cloud disaster recovery services — effectively, insurance against your sudden inability to access your company’s most important files.
2. Phishing Is Always Going to Be a Thing
Phishing is one of the oldest cybersecurity threats in the land, and it’s not going anywhere.
You probably know this already, but just in case: TechTarget defines phishing as “a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels.” The attacker uses the fraudulent communication as a vector to deliver a malicious payload, typically a malware program, or to extract valuable credentials such as passwords or financial information.
A common phishing scam unfolds thusly:
- You receive an email purporting to be from a credible sender, like a bank or supervisor
- The email asks you to perform a discrete task or set of tasks, such as downloading an attachment or clicking on a link and entering your password
- Your action triggers the delivery of the malicious payload or theft of your credentials
It’s not always so simple. If your network has been compromised by a piece of malware that turns your email suite into a vector of its own — a common occurrence — then you’ll need to take more dramatic precautions (and may incur some costs along the way).
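As an added example (not code from the original post), here is a small triage check for the pattern the three steps above describe: a message whose display name claims a credible sender and whose link leads somewhere other than it appears to. The trusted-sender table, the brand names, and both sample messages are constructed for this example; all domains are reserved `.example` names.

```python
"""
Added example, not code from the original post: a triage check for mail that
claims to come from a trusted sender and asks the reader to follow a link.
The trusted-sender table and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed table: brand words we expect in display names -> domains that
# brand really sends from. A deployment would load this from configuration.
TRUSTED_SENDERS = {
    "examplebank": {"examplebank.example"},
    "it helpdesk": {"corp.example"},
}

# Matches <a href="...">visible text</a>; enough for the single-part HTML bodies used here.
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_mismatch(from_header):
    """Return (display_name, address_domain, brand) when the display name names a
    trusted brand but the actual address domain is not one of that brand's domains."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in TRUSTED_SENDERS.items():
        if brand in display.lower() and domain not in domains:
            return display, domain, brand
    return None


def link_mismatches(html_body):
    """Return [(visible_host, actual_host)] for anchors whose visible text is a URL
    on one host while the href points at a different host."""
    findings = []
    for href, text in HREF_RE.findall(html_body):
        actual = (urlparse(href).hostname or "").lower()
        visible = urlparse(text.strip()).hostname if "://" in text else None
        if visible and visible.lower() != actual:
            findings.append((visible.lower(), actual))
    return findings


def triage(raw_message):
    """Return a list of human-readable reasons to hold the message; empty means no finding."""
    msg = message_from_string(raw_message)
    reasons = []
    hit = sender_mismatch(msg.get("From", ""))
    if hit:
        display, domain, brand = hit
        reasons.append(f"display name {display!r} claims {brand} but address domain is {domain}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for visible, actual in link_mismatches(body):
        reasons.append(f"link shows {visible} but points to {actual}")
    return reasons


# Constructed sample messages (all domains are reserved .example names).
PHISH = """\
From: ExampleBank Security <alerts@examp1ebank-login.example>
To: employee@corp.example
Subject: Verify your account within 24 hours
Content-Type: text/html

<p>Please sign in at <a href="http://examp1ebank-login.example/verify">https://www.examplebank.example/login</a>.</p>
"""

LEGIT = """\
From: ExampleBank <notices@examplebank.example>
To: employee@corp.example
Subject: Your statement is ready
Content-Type: text/html

<p>View it at <a href="https://www.examplebank.example/statements">https://www.examplebank.example/statements</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw) or ["no findings"])
```

The two checks are deliberately narrow: they do not try to classify every message, only to surface the specific mismatch that step one of the pattern relies on, so the findings are cheap to explain to the recipient and cheap to tune.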
3. Spearphishing Is Getting Even More Sophisticated (And You Might Not Know When You’ve Been Victimized)
Spearphishing is a more sophisticated form of phishing, and its perpetrators are only getting better at what they do.
Unlike phishing attacks, which are by definition opportunistic and indiscriminate, spearphishing attacks are informed by specific intelligence or objectives. They target specific individuals, often key executives or process owners (such as information security staff). And they know what they’re after, usually:
- Extremely valuable authentication credentials or permissions
- Access to financial accounts
- Hard currency or cryptocurrency (increasingly, spearphishing attacks involve compelling requests for funds transfers)
- Compromising information about the target (for blackmail or some other objective)
4. Social Media Scams and the Ever-Expanding Gray Area
Social media remains a Wild West of sorts, and the outlook doesn’t look good. Platforms like Twitter and Facebook have been dealing with spam and trolling for years; now, once-low-key platforms like LinkedIn, Instagram, and Snapchat face challenges of their own.
The problem with social media spam and scams: it’s often difficult to distinguish them from legitimate communications.
For instance, that headhunting message you keep getting from some random LinkedIn connection — does it rise to the level of abuse, or is it a mere annoyance that you can either ignore or politely request to cease? What if it comes every other day, and the sender doesn’t respond to your unsubscribe requests? You get the idea.
Whether social media abuse constitutes a security risk is a related matter. Do you really want your employees to be on the hook for indiscreet responses — or to employ people with the poor judgment to engage in the first place? There are no easy answers here, but you’d better be ready to think harder about these issues in the future.
5. Third-party Vendors Require Constant Vigilance
Hardly a month goes by without news of a major data breach traced to insecure third-party vendors. Such events were even more common earlier in the decade, before publicly traded firms began clamping down hard on lackadaisical vendors.
The best — really, the only — way to mitigate the third-party threat is to hold your vendors to exacting standards. Financial institutions, government contractors, and other highly regulated firms have been doing this for years. It might be time to look seriously at doing the same for your own organization, even if that means parting ways with some longtime partners.
6. It’s Never the Ones You Expect: Insider Credential Theft and You
Whole books have been written about insider threats, which CERT defines as “the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”
Note the qualifications: “maliciously or unintentionally.” Contrary to popular belief, not all insider threats are malicious. The proverbial insider compromise scenario — disgruntled employee systematically stockpiles sensitive data on their way out the door, probably heading for a competitor — does happen all the time.
But just as common is the “bumbling insider” scenario — the poor sap who leaves his laptop open in an airport lounge, for instance. You’ve got to protect against both, and that starts with recognizing that the employees you care about most very often end up causing you the most grief.
7. What About Super-Permissions Holders? The Stealthiest Insider Threat of All
One type of insider threat deserves special mention: the “super-permission” holder, usually a senior information technology person charged with keeping your system safe. This person holds the metaphorical “keys to the kingdom,” and with them the power to access your organization’s most sensitive (and closely guarded) data and secrets.
The good news about super-permissions holders: there aren’t many of them, so it shouldn’t be hard to figure out who’s to blame for a breach. The bad news: by the time you find out, it may be too late to do much about it but notify the authorities and hope you can salvage your business.
The best defense here is a “panopticon” approach: a tightly controlled regime where super-permissions holders can expect the same (or greater) degree of surveillance as rank-and-file clearance holders — and, importantly, in which no super-permissions holder can ever be sure when they’re being monitored.
8. Zero-day Exploits: A Never-ending Arms Race
Zero-day exploits take advantage of vulnerabilities in operating systems and other software that have not yet been patched. What makes them so dangerous is their stealthiness — by definition, they’re not known to the general public, increasing the difficulty of tracing the provenance of attacks that exploit them. There’s no single defense against zero-day exploits, but a rigorously enforced combination of the following may reduce your vulnerability:
- Applying patches as soon as they’re released
- Maintaining strict firewall settings
- Using an up-to-date antivirus system with host intrusion protection
- Getting rid of (or, better, declining to install in the first place) software that’s not necessary for your core business processes
9. Nation-state Threats: All of the Above, and Also a Beast of Their Own
Nation-state threats come in all flavors.
Some are successful because they’re incredibly sophisticated, like the (probable) Israeli-American joint operation that devastated Iran’s nuclear enrichment capabilities in 2010.
Others are successful despite their amateurishness, like the perfunctory phishing campaign that compromised Hillary Clinton advisor John Podesta’s email account and fueled a devastating information warfare campaign against the former presidential candidate.
Countless others are unsuccessful, either because they’re stopped by vigilant white hats or fail to achieve their desired ends.
All demand special precautions and responses, though. Unfortunately, said responses may necessarily include contact with law enforcement, which may in turn increase the risk of news getting out that you’ve been breached before you’re ready.
10. Single Factor, Big Risk
Are you still running on single-factor authentication?
Stop. Just stop. Upgrade to two-factor authentication (at least) without delay. In the year 2019, there’s simply no excuse for requiring nothing more than an easily guessed text password (you don’t want to know how many of your employees still use some variation of “password1” as their sole login credential) to access internal systems and sensitive external accounts — employee credit cards, anyone?
A two-factor system provides some measure of assurance that any given request for access is genuine; it’s far easier for an attacker to steal just an employee’s password than to take her password and phone.
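What the “phone” half of that sentence usually means in practice is a time-based one-time code. As an added example (not code from the original post), here is the server side of that second factor: RFC 6238 TOTP built on RFC 4226 HOTP, with a small drift window, a constant-time comparison, and a replay check so a code that was phished once cannot be reused inside the window. It uses only the standard library; the secret is the published RFC test-vector secret, chosen so the output can be checked, and a real deployment would generate a random per-user secret.

```python
"""
Added example, not code from the original post: server-side verification of a
time-based one-time password (RFC 6238 TOTP over RFC 4226 HOTP) as the second
factor after a password check. Standard library only.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret, not a real key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits)


class SecondFactorVerifier:
    """Checks a submitted code against the current time step and `window` steps either
    side (clock drift), compares in constant time, and refuses to accept a counter that
    has already been used so an intercepted code cannot be replayed inside the window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_counter = -1  # highest counter accepted so far; persist per user in practice

    def verify(self, submitted: str, unix_time=None) -> bool:
        if len(submitted) != self.digits or not submitted.isascii():
            return False
        if unix_time is None:
            unix_time = int(time.time())
        now = unix_time // self.step
        matched = None
        # Check every candidate rather than returning early so timing does not
        # reveal which step matched.
        for counter in range(now - self.window, now + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), submitted):
                matched = counter
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    verifier = SecondFactorVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)                          # 287082 per the RFC 6238 test vectors
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 59))
```

The replay check is the part most home-grown implementations omit: without `last_counter`, a code captured by the same phishing page that captured the password remains valid for the whole drift window, which is exactly the gap an attacker who has “just the password” needs.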
11. APIs Can Turbocharge Your Business — Or Cripple It
APIs are moneymaking machines for a new generation of digital publishers. They’re integral to business models that, at this point, support hundreds of thousands of jobs. It’s no exaggeration to say that the Internet simply wouldn’t be what it is today without the incalculable toil of the third-party API cloud.
Unfortunately, it’s also impossible to overstate the security risks associated with third-party APIs. Paul Rubens of eSecurity Planet quotes cybersecurity expert Scott Morrison on APIs: “[They] give hackers valuable clues that could lead to attack vectors they might otherwise overlook.”
In short: APIs make it easier for hackers to compromise your system. Rubens advises using an API security platform to augment commonsense security protocols like data validation, rigorous authentication and authorization, automated security (including malware detectors), and adopting TLS to thwart man-in-the-middle attacks.
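The four protocols Rubens lists (TLS, authentication, data validation, authorization) are easiest to get right when one handler applies them in a fixed order before touching any data. The following is an added example, not code from the original post or from eSecurity Planet, showing that ordering with the standard library only. The bearer-token format, the signing key, the account table, and the request dictionaries are all constructed for this example; a real service would use an established token standard and a configuration-managed key.

```python
"""
Added example, not code from the original post: one API handler applying the
transport, authentication, validation and authorization checks in order.
Token format, signing key, account table and requests are all constructed.
"""
import base64
import hashlib
import hmac
import json
import re

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # placeholder, not a real key
ACCOUNT_ID_RE = re.compile(r"[A-Z0-9]{8,16}")       # allow-list shape for the resource id

# Constructed resource table: account -> owner and balance.
ACCOUNTS = {
    "ACCT0001AB": {"owner": "alice", "balance": 120},
    "ACCT0002CD": {"owner": "bob", "balance": 80},
}


def issue_token(subject: str, key: bytes = SIGNING_KEY) -> str:
    """Mint a demo bearer token: base64(json payload).hex(HMAC-SHA256 over the payload)."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def authenticate(auth_header, key: bytes = SIGNING_KEY):
    """Return the token's subject if the signature verifies, else None."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    payload, _, sig = auth_header[len("Bearer "):].rpartition(".")
    if not payload:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time; verify before parsing anything
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode())).get("sub")
    except (ValueError, UnicodeDecodeError):
        return None


def handle_get_account(request: dict, accounts: dict = ACCOUNTS):
    """Return (status, body). Checks run from most fundamental to most specific, and
    every failure returns the same shape so callers learn nothing they are not entitled to."""
    if request.get("scheme") != "https":                                  # 1. transport
        return 403, {"error": "tls required"}
    subject = authenticate(request.get("headers", {}).get("Authorization"))
    if subject is None:                                                   # 2. authentication
        return 401, {"error": "unauthenticated"}
    account_id = request.get("params", {}).get("account_id", "")
    if not isinstance(account_id, str) or not ACCOUNT_ID_RE.fullmatch(account_id):  # 3. validation
        return 400, {"error": "invalid account_id"}
    account = accounts.get(account_id)
    if account is None or account["owner"] != subject:                    # 4. authorization
        return 404, {"error": "not found"}  # same answer for "missing" and "not yours"
    return 200, {"account_id": account_id, "balance": account["balance"]}


def make_request(scheme="https", token=None, account_id="ACCT0001AB"):
    """Build a constructed request dictionary standing in for a parsed HTTP request."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return {"scheme": scheme, "headers": headers, "params": {"account_id": account_id}}


if __name__ == "__main__":
    alice = issue_token("alice")
    print(handle_get_account(make_request(token=alice)))                          # 200
    print(handle_get_account(make_request(scheme="http", token=alice)))           # 403
    print(handle_get_account(make_request()))                                     # 401
    print(handle_get_account(make_request(token=alice + "0")))                    # 401, tampered
    print(handle_get_account(make_request(token=alice, account_id="../etc")))     # 400
    print(handle_get_account(make_request(token=alice, account_id="ACCT0002CD"))) # 404, not owner
```

Two design points are worth noting. Authorization is derived from the verified token subject, never from anything the caller supplies, and the “not yours” and “does not exist” cases return the same response, so the API does not hand out the kind of clues Morrison describes.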
The Best Offense Is a Good Defense
You’ve probably heard it said that the best offense is a good defense.
In sports, “the best offense is a good defense” arises out of the empirical observation that a well-defended goal (or basket, or home plate, or end zone) is difficult to score on. No matter how good an offense is, it’s simply not going to do as well against a great defense.
Things aren’t so different in the far more complex (and far more dynamic) information technology world. Organizations that invest in effective, multifaceted defense are less likely to experience truly catastrophic breaches. It’s possible — nay, practical — to defend well against all 11 of the threat types outlined in this post.
Unfortunately, it’s not possible to reduce the threat level all the way down to zero. That’s more difficult than your favorite MLB team’s starting lineup combining to pitch 162 shutouts next season — which is to say, it ain’t happening.
There’s much you can do to mitigate the online and offline risks faced by your organization as it goes about its business every day. But you can’t work miracles, and neither can anyone else.