Data breaches increased by 69 percent in 2021 compared to 2020, according to the Identity Theft Resource Center (ITRC) in its annual report on data breaches. According to the report, the most common causes of data breaches were phishing or smishing attacks, human error, or a physical attack such as a stolen flash drive.
SmarterMSP caught up with Craig Cocciola to talk about data breaches and how MSPs can prevent them. Cocciola is the Vice-President of Cyber Range Operations, has more than 30 years of experience in IT and cyber risk management, and educates and supports instituting a culture of cybersecurity.
We asked him to describe the root causes of data breaches.
“During the past 20 years, the vast majority of data breaches have been caused by human error, poor training, inadequate quality checks, laziness and disregard for, or lack of, governance,” Cocciola explains. He adds that the results of these behaviors have created conditions ripe for bad actors to use their weapon of choice, like ransomware or malware, to enable data theft and destruction.
Getting to the root cause of cybercrime
“It’s important to understand and address cybercrime from or near its root cause – the human factor. This is not as sexy as saying breaches stem from DDoS attacks or zero-day unknown malware and monitoring for IOCs (indicators of compromise). Still, we cannot address the actual threat if we keep ignoring that humans are the root cause of many of these attacks,” emphasizes Cocciola. He points out that focus needs to shift to people and their role in causing the vulnerabilities that lead to breaches.
“To remediate or mitigate breaches requires end-user awareness of the role they play when encountering a phishing attack and how serious it can be to click on links or use weak passwords,” Cocciola says. He adds that it was a simple, successful phishing attack that resulted in last year’s spectacular Colonial Gasoline Pipeline shutdown.
Cocciola believes that breaches will subside when a “culture of cybersecurity” is adopted by all organizations, as well as city, state, and federal governments.
“Awareness must be supported from the top down,” Cocciola insists.
Such support should consist of funding continuous end-user awareness training for every member of the organization. “This includes every person who has access to the organization either on-site or remotely. And adequate cyber-staffed personnel,” says Cocciola.
AI expected to become an important part of a hacker’s arsenal
“You will see AI and ML doing the heavy lifting for bad actors which, in turn, enables them to produce more attacks in a few minutes than 1000 bad actors can in a few days,” Cocciola asserts.
The ITRC report revealed that a full quarter of the data breaches have unknown origins. Cocciola outlines some of the more common causes behind these breaches:
- Malware attacks on poorly coded applications and misconfigurations
- DDoS, or Distributed Denial of Service, attacks causing systems to become overloaded and vulnerable.
- MITM, or Man-in-the-Middle, attacks where users are not using encrypted connections to systems, Wi-Fi or the internet, allowing a middleman to capture their activities including passwords and usernames.
- Multiple types of phishing, vishing, social engineering, and use of malicious links where bad actors run a remote code execution and take C2 (command and control) of a computer or system console. An example of this is a RAT, or remote access trojan.
Yet, all these weapons pale in comparison to the cheapest weapon hackers have at their disposal for data breaches: humans.
To err is human, but prevention is key to success
We asked Cocciola about some of the best ways to head off human-error breaches:
- An attitude and a company-wide culture of cybersecurity is everyone’s responsibility.
- Measure and reward improvements. Run phishing campaigns to measure user compliance with cybersecurity hygiene.
- Provide remedial awareness training for those continuing to display risky behaviors and dismiss those who refuse to improve. Set the standard of conduct the organization wants to be known for.
- Have solid governance in place with policies, procedures, baselines, and guidelines for cybersecurity hygiene.
- Utilize a formal risk management framework (RMF) such as NIST RMF 800-53 and 800-171. Conduct regular risk assessments, use risk-based controls and adjust as data and systems change protocols.
- Maintain configuration management to ensure passwords and systems are updated and meet industry best practices.
MSPs that already have their hands full with growing attack surfaces and short staffing can expect to see data breaches continue to be a challenge in 2022. But with proper training and ensuring everyone is a security stakeholder, it’s possible to keep hackers at bay.