Last time I discussed the ‘Did they really do that?!’ kind of data breach, the one where you can’t quite see how an organization could manage to have that much data exposed that openly for that long. We all laugh, but as the news clearly demonstrates, it could happen to any company of any size with seemingly any budget.
Malicious actors, however, aren’t just sitting around waiting for the latest instance of an accidental data splurge. They’re busy people like you and me; grafters who aren’t afraid to roll their sleeves up and get stuck into a hard day’s hacking, scamming, infiltrating and stealing. OK, I don’t know that that’s true for all of them all the time, but we should probably assume that it is.
I’m going to look at some of the ways in which a breach can happen that definitely won’t be your fault. Well… not entirely anyway. There is always more you can do to protect your data.
Social Engineering
Surely falling for a phishing email has got to be the user’s fault, right? In most cases and in normal times, probably yes. Right now however, things are not normal. Employees are distracted and their personal BS filters might not be working 100%.
Not every spearphishing email starts with “Greeting from your IT department! Urgently click here and enter your password…”
The bad guys have been exploring new ways of extracting login credentials and impersonating employees. You meanwhile have been working hard just to keep the lights on.
Consider this example in Infosecurity magazine. Attackers who were able to access a G-Suite email account attached malware to one of the draft emails in the user’s account and sent it on. No need to try to match the language and tone of the user when they’d done the work for them.
Insider threats
Incompetent or careless employees are one thing; think users accidentally CC’ing the entire client list, or leaving their laptop in a coffee shop logged in while they go the bathroom. Thanks guys!
Malicious insiders are another. Whether for personal financial gain, to pay off debts, under threat of blackmail or as a foreign state actor, people inside the company have much more access to data and are inherently trusted. No one wants to think they’ve hired the bad apple.
According to research conducted by the Ponemon Institute, insider-caused cybersecurity incidents rose by 47% since 2018, and the average cost by 31% to $11.45 million. No small beans.
Physical Attack
If you have physical infrastructure then you are vulnerable to a physical attack, it’s as simple as that. And you may well not be taking as rigorous security precautions as a dedicated cloud storage provider.
Improving physical security is more than taking extra steps to protect the file server. For a criminal, installing a keylogger on the right keyboard might be even more useful and a lot less effort. A case was brought against someone just last year for doing this.
Hacking
Yes, actual good old-fashioned hacking. So much attention is focussed on phishing, business email compromise, ransomware, coronavirus scams etc, because they’re the kind of things that the man in the street can understand.
SQL injection, cross-site scripting, session hijacking and all the other ‘traditional’ hacking techniques still exist and are certainly not going away. In fact according to the Verizon Data Breach Investigations Report 2020, 45% of breaches featured ‘hacking’ of some kind.
How can you protect against the myriad of threats?
Just to pluck 5 recommendations out of the air, you could:
But there’s so much more.
Protecting your data means knowing what data you have, where it is and how it’s already protected; who is authorised to access it and how they are authenticated. It means understanding the threat landscape, how it affects your individual organisation and your industry as a whole. And it means using the full range of tools and techniques to mitigate those threats and test your readiness.
The Data Breach Protection Plan offered by TBG Security can help. It includes an annual penetration test and security assessment, quarterly external scanning and on-demand consulting. It’s everything you need to evaluate your current situation and take the necessary and ongoing action to lower risk and reduce your exposure to cyber threats.