Originally published in Information Security Buzz
A survey of 500 IT professionals by Exonar found that 94% of respondents have experienced a data breach, and 79% were worried their organisation could be next. In terms of what is causing the breaches, 40% of respondents to the Exonar survey said accidental employee incidents were to blame, compared to 21% who said it is external attackers.
There are a few interesting parts to this document, the first being the volume of incidents that fall into the cyber security incidents category: this is 28.5% of all incidents. Phishing and hacking represented only 4% of the breach types in terms of notifications received in the Irish DPC report from June (a two-year report compared to the ICO quarterly report, Q1 2020), while the ICO represents 18% of total incidents affiliated with unauthorised access or phishing (both categories represent 66% of total cyber security incidents). This seems like a large difference, albeit the categories are slightly different between the two reports.
The main takeaway from these numbers is that most instances of exposure have come from non-cyber security incidents and ultimately seem to stem from how to correctly handle people's data.
Much like the Irish report, I would be concerned about the number of cases that have a purported root cause of human error. If human error is the root cause due to non-compliance with data handling procedures, then it is likely that this can be improved by the introduction of more robust processes or auditing on data handling.
Richard Bejtlich, Principal security strategist, Corelight
A big part of this is probably because most organizations know they don’t have the best security tools covering all potential entry points.
1. This is likely a result of organisations deploying security to just check off boxes on their to-do lists. Now, attackers are far more sophisticated and exploit any potential vulnerability they can find.
2. One of the biggest issues is endpoints such as phones and tablets. Because mobile devices don’t connect to an organization’s perimeter network, IT teams have no way of securing those devices and preventing a data breach that starts on mobile. The worry is more that people fear insiders being taken advantage of by outsiders without knowing it.
Threat actors go after people where they’re most vulnerable, and these days that’s on mobile devices.
1. Mobile phishing has grown to be one of the biggest concerns for IT teams because of how quickly an attacker can gain access to an employee’s corporate login credentials.
2. SMS, iMessage, third party messaging apps and social media platforms are where attackers socially engineer interactions with employees and convince them to click a link or visit a site that grabs their work login data.
The recent security incident at Twitter shows how easily an attacker can execute a successful spear phishing attack to gain access to a company’s corporate infrastructure.
Hank Schless, Senior Manager, Security Solutions, Lookout
Many IT professionals tend to be negative because they face an overwhelming number of threats and challenges, and it can be daunting. Our jobs are difficult. One way to interpret this statistic is from a place of worry or fear, but I view it from a perspective of being realistic. This statistic could be considered a positive because it means that many organizations realize they are likely to be breached and they need to prepare. No organization is unhackable, so it’s important to realize this and try to anticipate how breaches could occur.
Another important aspect of considering a data breach is that breaches are not all created equal. Security professionals should shift their perspective to focus on trying to both prevent breaches as well as remediate them as soon as possible. There is a big difference between a breach where a user clicked on an attachment and macros were blocked versus a months-long breach where sensitive data was exfiltrated. Creating a defense-in-depth strategy can help ensure that when organizations are inevitably breached, they can detect and respond quickly to limit damage.
While external threats should be and are still a high concern, some people may fear insider threats more because of the pervasive access they have as well as the fact that some IT professionals do not consider them. I think professionals realize that external attackers remain a threat, but it is a good sign that they are also considering insider threats as part of a holistic look at their threat models. Recent news such as the insider-enabled Tesla ransomware attempt shows us that insider threats should be taken seriously. Organizations should consider how their insider threat and external threat components work together. In some organizations, insider threat teams may focus more on misuse of company assets, but they should ideally be incorporated into the overall cybersecurity strategy and operations of an organization. Security leaders should consider evaluating how their insider and external threat teams cooperate and share information. On a more specific level, practicing the principle of least privilege can go a long way toward limiting the impact of an insider threat.
Katie Nickels, Director of Threat Intelligence, Red Canary
The reason for constant defender negativity lies in the maxim that every blue teamer is aware of: we have to be right every time while the attackers only need to be right once. Breaches happen and defensive work is by its very nature a largely reactive job. That cynicism is what happens after years of responding to something as unavoidable as gravity.
Defenders worry most about insider threats because so many companies build this hard outer layer, then have complete trust for employees inside. They have access to all of the data, networks, and information that attackers want to get a hold of and so continue to be a target. As we’ve seen with the recent foiled Tesla ransomware attempt, threat actors are now bribing with upwards of a million dollars to sway an employee. That’s a hard threat to combat, as you can do everything in your power to defend your network, but it just takes one employee to circumvent all of those defenses. Even with a zero trust model, insider threats remain the most dangerous ones for security teams.
Chad Anderson, Research Engineer, DomainTools