According to Verizon’s 2021 Data Breach Investigation Report, the median data breach costs companies over $21,000 with some numbering in the hundreds of thousands. The impact of data breaches has recently been further highlighted by recent high-profile credential data breaches.
However, the literature suggests that businesses are struggling to keep up with hackers. As many as 80% of breaches are detected by 3rd-parties. This shows the potential benefit of working with a trusted security-focused body to help fill the gaps in your security ecosystem.
Latest credential data breach incidents
Data breaches occur so frequently that it’s hard to keep up with the headlines. However, two recent incidents stand out for their sheer scale plus the fact that they affected two of the most popular social networks today.
On 3 April 2021, it became known that over 533 million Facebook accounts were leaked on a low-level hacking forum. The leaked information went as far as to reveal users’ phone numbers, which could be used for social engineering or to steal other account credentials.
Not even a week later, it was revealed that LinkedIn was also the subject of a credential breach in which over 500 million accounts were being put up for sale. 2 million records were leaked simply as proof.
That means that in just two incidents, uncovered in the space of 1 week, over 1 billion user credentials were leaked. That alone shows the scale of the issue we are all dealing with, as businesses, consumers, and security professionals.
How to prevent your data being compromised
Phishing Education and Training
Surprisingly, good old phishing is still the top of threat actions, increasing to 36% in the wake of the COVID-19 pandemic. This is on trend with social engineering remaining one of the most used avenues to affect a data breach.
Although it might seem set in stone, attackers are still frequently updating and refining phishing techniques. This makes it harder for both individuals and security tools to detect phishing attempts and distinguish them from legitimate emails/forms of contact.
Using paradigms like the Phish Scale will help ensure that you keep your phishing training up-to-date and relevant. You must also stay updated with the latest techniques of attackers and ways to detect phishing attempts.
Harden Credentials and Implement MFA
According to the same Verizon report, stealing credentials is the second largest technique used in data breaches. In fact, compromised credentials played some role in as many as 61% of all data breaches.
While strong password practices is a start, it’s simply not enough to stem the tide. Multi-factor authentication, on the other hand, is an extremely effective method to combat credential abuse. In fact, Alex Weiner of Microsoft has come out to say that MFA can make accounts using their OS 99.9% more secure.
MFA is especially important in remote/hybrid working environments where users may use unsecured devices/networks to access work-related platforms. However, MFA is not bulletproof in itself, and MFA best practices should be maintained for best results.
Implementing SSO (single-sign on) can also help by discouraging bad practices, such as weak passwords and credential sharing.
Tighten Up Your Code
Miscellaneous errors were also highlighted as the third most prominent pattern found in data breaches. Attackers are continuously probing businesses for weaknesses or entry points into their systems or networks. Even a relatively new error introduced by an update or code change can quickly be identified and exploited.
Due to the complexity of programming languages and software, the potential errors are too numerous to mention. Often, they are not even associated with typically exploits, such as SQL injection or memory dumps. For example, one of India’s largest HIPAA breaches involved a programming error where duplicate documents were often sent to wrong users.
Businesses need to have rigorous QA and testing procedures in place for not only their own existing software but for third-party software as well and including any updates or code changes.
Conclusion
As you can see, human weaknesses still play a major role in the prevalence of data breaches. Through phishing attempts, credential hacking, etc. 85% of data breaches involve some form of human error. That suggests proper training and education and instilling a sense of responsibility to all your stakeholders is critical to managing the risk of a data breach.
Sources:
533 million Facebook users’ phone numbers and personal data have been leaked online
Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof