The first quarter of every year produces dozens of reports that both reflect on the threats of the previous year and look ahead to understand how to avoid future security breaches. No single report can offer a foolproof approach to data protection, but the findings in the Identity Theft Resource Center (ITRC)’s “2018 End-of-Year Data Breach Report” serve as a stark reminder of why companies should take a layered approach to security.

A notable and somewhat confounding takeaway from the report was that, despite fewer reported data breaches compared to the previous year, 2018 saw a 126 percent uptick in the number of records breached containing personally identifiable information (PII). In many cases, these breaches were the result of the continued use and reuse of passwords and usernames, as well as vulnerabilities caused by third-party vendors.

How can industry leaders turn last year’s surge in stolen records into a record-breaking year of cybersecurity success?

The Perfect Cyber Threat Storm

Unfortunately, shortages of budget and skilled staff remain the top reasons why many organizations lag in their overall security postures. Meanwhile, today’s cybercriminals are increasingly monetizing their activities in various creative ways.

Additionally, the report found that consumers are continuing to choose convenience over security, believing that it is the business’ responsibility to protect the data it collects. That’s why only safeguarding networks is not enough, according to Byron Rashed, vice president of marketing at Centripetal Networks.

“It’s a combination of layered security best practice and user cybersecurity education that will greatly mitigate risk,” said Rashed. “From phishing to ransomware, the attackers’ schemes have become more complex and, in many circumstances, extremely damaging. Add into the equation human error and you now have the perfect cyber threat storm.”

A Familiar Weather Pattern of Data Breaches

What some might see as the brewing of a perfect threat storm, others recognize as a familiar threat. Here, the old adage that hindsight is 20/20 rings true, and it gives defenders a slight advantage. Armed with the insight of what went wrong last year, security professionals can be more proactive in building defense in depth. The enormous jump in the number of exposed sensitive records indicates that organizations should strengthen their data privacy efforts. Looking at a breakdown of the types of compromises from the ITRC report, 39 percent of breaches resulted from hacking and 30 percent resulted from unauthorized access.

Understanding attack methods will inform mitigation, but it’s also important to push through fear, uncertainty and doubt to see that things may not be as bleak as they appear. After all, the report did find that the actual number of data breaches fell by 23 percent from 2017. The business industry, which had the largest number of breaches, also had the fewest records exposed.

“Yes, hackers continue to succeed at stealing more records, but really, how many times can they steal the same Social Security number?” said John Gunn, chief marketing officer at OneSpan. “More importantly, the methods for verifying the identity for someone conducting a remote digital transaction have experienced huge gains in the past year with biometric and behavioral techniques enhanced by artificial intelligence (AI).”

While threat actors may be getting more data, banks and merchants are getting better at stopping the fraud these cybercriminals would otherwise commit with that compromised data, according to Gunn. By sharing massive amounts of information, financial institutions can leverage AI, machine learning-based analyses and anti-fraud platforms to enable the detection of new malware threats and previously hidden attacks in real time.

Build a Foundation of Proactive Cybersecurity Measures

There is arguably no way to say that any particular security strategy can completely prevent a cyberattack, but there are many ways companies can prepare for threats so they are better able to detect and respond to cyberattacks when they do happen.

“Organizations need to build a foundation of proactive measures, such as frequent employee training, preventative security controls and staying up to date with industry best practices,” said Andy Wright, regional director, Northern Europe for Check Point.

Because innovation is moving so swiftly, keeping abreast of industry best practices can seem like a full-time job on its own. Added to that is the reality that attackers are constantly evolving their campaigns, often exploiting zero-day vulnerabilities with attacks that have no known signature — meaning they evade the detection of most antivirus tools.

Making everyone within the organization aware of security risks to the company will help create a security-aware culture in which end users are encouraged to report security issues without the fear of negative consequences. “Reporting a human error early on can help identify and prevent intrusions, which will stop the attack earlier in the kill chain,” said Chad Cragle, information security officer at FormAssembly. If employees feel that their jobs are not at risk for reporting human errors, they are more inclined to share useful information with the security team.

Part of training employees includes education about spear phishing and common malware exploits so that workers are familiar with and better able to identify these threats — and also less likely to fall victim to newer, emerging threats. When employees know what to look for, they are more risk-aware and more likely to report errors early on.

In addition, implementing password updates and two-factor or multifactor authentication will help mitigate the risk of unauthorized access to systems and resources.

“This can be supported by using encrypted PCs and devices. These measures should also be extended to third-party vendors to ensure they’ve enabled the proper security protocols that prevent hackers from accessing their network and jumping across,” Wright said.

Fight the Storm With a Layered Approach to Security

Organizations can build defense in depth through a layered approach to security, which includes intrusion prevention and threat detection and response tools, encryption, access controls, and data loss prevention tools. Because security is not only about technology, it’s also important to think about defense as it relates to people and processes. Another critical piece of preventing and blocking threats is having clear policies that are tested and consistently updated, particularly when it comes to risk management and software updates.

If your security program has all these aspects, you’re well on your way to helping make 2019 a record-breaking year of cybersecurity success.
