This post is part of our ongoing conversations with industry experts about the ever-present problem of data breaches. Responsibility for these breaches usually lands on the security team, but everyone, down to the average user, is a stakeholder in cybersecurity.
IBM recently found, in its 2021 Data Breach Report, that the average total cost of a data breach increased by the most significant margin seen in seven years. According to their research, data breach costs increased from $3.86 million in 2020 to $4.24 million in 2021.
As discussed in last week’s post, smishing, ransomware, and malware are all major culprits in seeding data breaches, along with human error and hardware issues.
This week, SmarterMSP caught up with Jerry Vergeront, JD, CISSP, CISA, Director, Cybersecurity and Risk at Seattle University. We asked some questions about what MSPs, CISOs, security teams, and others can do to mitigate the risk of data breaches. What we found out is the more things change, the more they stay the same, in many ways.
Individual data loss vs. a mass data breach
“I believe that cyberattacks will continue to be the most common types of a data breach for quite a while,” Vergeront explains.
But he points out that when one looks at data breaches, there is a benefit to differentiating between individual data loss (individual data breaches) or mass data breaches.
“Smishing and phone fraud are the primary reasons for individual breaches,” says Vergeront. “However, when it comes to mass data breaches, cyberattacks from both criminal and state-sponsored groups will continue to rise,” Vergeront says, adding that the number of malicious teams dedicated to finding the next zero-day vulnerability grows every month.
MSPs need to guard against both types of threats, as an individual company CEO’s data breach could cascade into something as costly as a mass data breach.
Hackers rely on proven methods instead of new tactics
The question remains, though, will hackers find new ways to breach networks or rely on the same old bag of tricks? Since the bag of tricks is working just fine, Vergeront expects to see more of the same.
“I don’t think that we will see many new tactics. Instead, there will be an increase in proven methods for criminal and state-sponsored cyber-activities,” Vergeront contends, advising that we can expect to see more groups bypassing MFA, not through SIM-cloning, but social engineering.
“A criminal can sit in front of an MFA prompt, call the target, and simply ask that they verify the user’s identity by providing their MFA PIN over the phone,” Vergeront explains, adding that some people will fall for it, enough to make it a worthwhile, low-cost endeavor for the hacker.
“Simplifying things further, a malicious user can invoke the MFA call and hope that the user accepts the login from their smartphone,” Vergeront adds.
Again, it only takes one or two successful attempts to make this method worthwhile for the hacker.
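The "invoke the MFA call and hope the user accepts" pattern above leaves a trace in the identity provider's logs: a burst of push prompts that the user denied or ignored, followed by one approval. The detection below is an added example, not code from SmarterMSP or from Vergeront; the log format, field names and event names (push_sent, push_denied, push_timeout, push_approved) are constructed for this example and would need to be mapped onto whatever the real identity provider exports.

```python
"""Flag MFA push approvals that follow a burst of earlier prompts.

Added example (not from the original post). The log format below is
constructed: one event per line, pipe-separated,
    ISO-8601 timestamp | user | event | source IP
Event names are assumptions; map them to your IdP's own names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice receives three prompts in two minutes and
# approves the third; bob gets a single prompt and approves it normally.
SAMPLE_LOG = """\
2021-10-04T08:01:10Z|alice|push_sent|203.0.113.7
2021-10-04T08:01:40Z|alice|push_denied|203.0.113.7
2021-10-04T08:02:05Z|alice|push_sent|203.0.113.7
2021-10-04T08:02:50Z|alice|push_timeout|203.0.113.7
2021-10-04T08:03:12Z|alice|push_sent|203.0.113.7
2021-10-04T08:03:30Z|alice|push_approved|203.0.113.7
2021-10-04T09:15:00Z|bob|push_sent|198.51.100.2
2021-10-04T09:15:20Z|bob|push_approved|198.51.100.2
"""

PROMPT_THRESHOLD = 3            # prompts within the window that make an approval suspicious
WINDOW = timedelta(minutes=10)  # how far back to count earlier prompts


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, ip)."""
    ts, user, event, ip = line.strip().split("|")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def find_push_fatigue(log_text, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return (user, approval_time, prompt_count, ip) for every approval that
    was preceded by at least `threshold` push prompts inside `window`.

    Denied and timed-out prompts are not counted separately: each one was
    preceded by its own push_sent, so counting push_sent events captures
    them. An approval ends the attempt, so the user's prompt history is
    cleared afterwards and a later, legitimate login starts from zero.
    """
    prompts = defaultdict(list)  # user -> timestamps of push_sent events
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        if event == "push_sent":
            prompts[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in prompts[user] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append((user, ts, len(recent), ip))
            prompts[user].clear()
    return findings


if __name__ == "__main__":
    for user, when, count, ip in find_push_fatigue(SAMPLE_LOG):
        print(f"{when.isoformat()} {user}: approved after {count} prompts from {ip}")
```

On the sample log this reports alice once (three prompts in the ten-minute window before her approval) and nothing for bob. The threshold and window are the tunables: lower them and legitimate users who fumble a prompt twice will generate noise, raise them and a patient attacker who spaces prompts out slips under. Pairing the finding with the source IP is what makes it actionable, since the approving device and the IP that requested the login are rarely the same network in the scenario Vergeront describes.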
The old ways are sometimes the best ways
Vergeront also tells SmarterMSP that security in-depth needs to be prioritized in combating data breaches. “Yes, this is an old concept,” he points out. “But, in a world where administration simplicity and single-vendor solutions are the norm, security in-depth can get lost.” For this reason, he says he is a big fan of cloud infrastructure.
“Most customers usually move systems, as-is, to the cloud,” Vergeront explains. “Not many new security concepts are put in place. However, because the new environment is sitting in a much different architecture than in the data center, a malicious user then has to get through both the cloud provider’s security as well as the customer’s security models.”
Responsibilities for both security teams and users
As such, with human error being at the forefront of so many breaches, what are some ways MSPs and other security stakeholders can head them off?
Instilling security-minded best practices into everybody’s day-to-day tasks, from logins to data entry to physical protection, is a great place to start, recommends Vergeront.
“This goes beyond simply holding developers accountable for cybersecurity,” Vergeront contends, adding that if done correctly, it can lessen the need for a large security team responsible for everybody’s actions, and allows for experts in other business and IT areas to provide better security practices and solutions for their teams.
Security teams must set and enforce the standards for users
In closing, he notes, “I’m not saying cybersecurity teams should abdicate responsibility, but merely augment how security is considered and adopted. Cybersecurity teams must be better at making security easier for the average user. Finally, we need to ensure that cybersecurity best practices are included as a responsibility of each person in an organization and become part of performance appraisal.”
“All this will allow the cybersecurity team to set standards and concentrate on consulting with teams regarding new or increased threats and vulnerabilities, all while giving the security team more time to conduct security monitoring and incident response,” Vergeront concludes.
Thank you, Kevin and Jerry!