The first quarter of every year produces dozens of reports that both reflect on the threats of the previous year and look ahead to understand how to avoid future security breaches. No single report can offer a foolproof approach to data protection, but the findings in the Identity Theft Resource Center (ITRC)’s “2018 End-of-Year Data Breach Report” serve as a stark reminder of why companies should take a layered approach to security.
A notable and somewhat confounding takeaway from the report was that, despite fewer reported data breaches compared to the previous year, 2018 saw a 126 percent uptick in the number of records breached containing personally identifiable information (PII). In many cases, these breaches were the result of the continued use and reuse of passwords and usernames, as well as vulnerabilities caused by third-party vendors.
How can industry leaders turn last year’s surge in stolen records into a record-breaking year of cybersecurity success?
The Perfect Cyber Threat Storm
Unfortunately, a lack of resources in budget and skilled staff remain the top reasons why many organizations lag in their overall security postures. All the while, though, today’s cybercriminals are increasingly monetizing their activities in various creative ways.
Additionally, the report found that consumers are continuing to choose convenience over security, believing that it is the business’ responsibility to protect the data it collects. That’s why only safeguarding networks is not enough, according to Byron Rashed, vice president of marketing at Centripetal Networks.
“It’s a combination of layered security best practice and user cybersecurity education that will greatly mitigate risk,” said Rashed. “From phishing to ransomware, the attackers’ schemes have become more complex and, in many circumstances, extremely damaging. Add into the equation human error and you now have the perfect cyber threat storm.”
A Familiar Weather Pattern of Data Breaches
What some might see as the brewing of a perfect threat storm, others recognize as a familiar threat. Here, the old adage that hindsight is 20/20 rings true, and it gives defenders a slight advantage. Armed with the insight of what went wrong last year, security professionals can be more proactive in building defense in depth. The enormous jump in the number of exposed sensitive records indicates that organizations should strengthen their data privacy efforts. Looking at a breakdown of the types of compromises from the ITRC report, 39 percent of breaches resulted from hacking and 30 percent resulted from unauthorized access.
Understanding attack methods will inform mitigation, but it’s also important to push through fear, uncertainty and doubt to see that things may not be as bleak as they appear. After all, the report did find that the actual number of data breaches fell by 23 percent from 2017. The business industry, which had the largest number of breaches, also had the least number of records exposed.
“Yes, hackers continue to succeed at stealing more records, but really, how many times can they steal the same Social Security number?” said John Gunn, chief marketing officer at OneSpan. “More importantly, the methods for verifying the identity for someone conducting a remote digital transaction have experienced huge gains in the past year with biometric and behavioral techniques enhanced by artificial intelligence (AI).”
While threat actors may be getting more data, banks and merchants are getting better at stopping the fraud these cybercriminals would otherwise commit with that compromised data, according to Gunn. By sharing massive amounts of information, financial institutions can leverage AI, machine learning-based analyses and anti-fraud platforms to enable the detection of new malware threats and previously hidden attacks in real time.
Build a Foundation of Proactive Cybersecurity Measures
There is arguably no way to say that any particular security strategy can completely prevent a cyberattack, but there are many ways companies can prepare for threats so they are better able to detect and respond to cyberattacks when they do happen.
“Organizations need to build a foundation of proactive measures, such as frequent employee training, preventative security controls and staying up to date with industry best practices,” said Andy Wright, regional director, Northern Europe for Check Point.
Because innovation is moving so swiftly, keeping abreast of industry best practices can seem like a full-time job on its own. Added to that is the reality that attackers are constantly evolving their campaigns, often exploiting zero-day vulnerabilities with attacks that have no known signature — meaning they evade the detection of most antivirus tools.
Making everyone within the organization aware of security risks to the company will help create a security-aware culture in which end users are encouraged to report security issues without the fear of negative consequences. “Reporting a human error early on can help identify and prevent intrusions, which will stop the attack earlier in the kill chain,” said Chad Cragle, information security officer at FormAssembly. If employees feel that their jobs are not at risk for reporting human errors, they are more inclined to share useful information with the security team.
Part of training employees includes education about spear phishing and common malware exploits so that workers are familiar with and better able to identify these threats — and also less likely to fall victim to newer, emerging threats. When employees know what to look for, they are more risk-aware and more likely to report errors early on.
In addition, implementing password updates and two-factor or multifactor authentication will help mitigate the risk of unauthorized access to systems and resources.
“This can be supported by using encrypted PCs and devices. These measures should also be extended to third-party vendors to ensure they’ve enabled the proper security protocols that prevent hackers from accessing their network and jumping across,” Wright said.
Fight the Storm With a Layered Approach to Security
Organizations can build defense in depth through a layered approach to security, which includes intrusion prevention and threat detection and response tools, encryption, access controls, and data loss prevention tools. Because security is not only about technology, it’s also important to think about defense as it relates to people and processes. Another critical piece of preventing and blocking threats is having clear policies that are tested and consistently updated, particularly when it comes to risk management and software updates.
If your security program has all these aspects, you’re well on your way to helping make 2019 a record-breaking year of cybersecurity success.