Human Error Driving Data Breaches, Studies Find
April 11, 2018 Alex Woodie
Preventable errors – including clicking on malicious links sent as part of a phishing attack and misconfiguring servers and network devices – account for a large number of data breaches, according to a pair of studies released last week by IBM and Baker Hostetler.
In IBM‘s annual X-Force Threat Intelligence Index 2018, the company concluded that “inadvertent insiders” — or employees who unwittingly cause security incidents through negligent actions – accounted for two-thirds of all the records that were comprised in 2017. IBM says nearly 3 billion records were compromised last year, which is actually down from the 4 billion records breached in 2016.
Misconfigured cloud storage servers, databases, network, and backup gear accounted for 70 percent of all lost data, IBM says in its report. The number of records breached due to misconfigured cloud servers, in particular, shot up by 424 percent compared to the previous year, IBM concludes. There’s “a growing awareness among cybercriminals of the existence of misconfigured cloud servers,” IBM says.
Last fall’s disclosure of the massive Equifax data breach, which compromised the data of 143 million consumers, is a good example of this phenomenon in action. An unpatched Apache Struts server was fingered as the main culprit in that breach. The patch had been available for months, yet Equifax personnel apparently had failed to apply it in a timely manner.
IBM says the other one-third of breached data can be traced back to phishing attacks. In particular, IBM X-Force spotted a lot of activity coming from the Necurs botnet, which it says was used to distribute millions of spam messages during short periods of time.
Ransomware also reared its ugly little head in a big way. “Last year, there was a clear focus by criminals to lock or delete data, not just steal it, through ransomware attacks,” Wendi Whitmore, Global Lead, IBM X-Force Incident Response and Intelligence Services (IRIS). “These attacks are not quantified by records breached, but have proven to be just as, if not more, costly to organizations than a traditional data breach.”
This data jibes with another report issued recently. Baker Hostetler‘s 2018 Data Security Incident Response Report found that “phishing remained prevalent and successful, and employees and their vendors made common mistakes that placed sensitive information at risk.”
Phishing remained the number one cause of data breaches in 2017, accounting for 34 percent of data breaches, according to the New York law firm. The second most common cause of data breaches was network intrusion, accounting for 19 percent of incidents, followed by inadvertent disclosure (17 percent); stolen or lost devices or records (11 percent); and system misconfiguration (6 percent).
Baker Hostetler says phishing is a tool wielded by sophisticated and unsophisticated hackers alike. The hackers use phishing “to obtain direct network access, convince employees to wire money, enable remote access with compromised credentials, or deploy malware and ransomware,” the group says. “These incidents can be costly and difficult to investigate.”
What can organizations and users do about this? Baker Hostetler recommends a mix of techniques, including educating people about how to protect themselves from phishing attempts. But that’s not enough. “Because people are fallible, training is not enough and technological safety nets are needed,” the group says.
For incident prevention, a strong training and technology mix includes phishing training, educating employees to not use the same credentials for multiple sites or services; enabling multi-factor authentication (MFA) throughout the organization; the deployment of endpoint security agents and advanced email threat protection tools; and developing effective network segmentation.
It’s all about preparing your organization to be ready for a compromise, says Theodore J. Kobus III, leader of Baker Hostetler’s privacy and data protection practice. “The stakes are higher than ever, but some entities still are not executing on the basics,” Kobus says. “Many have made great strides in their cybersecurity planning, but as threats evolve and entities change, they must also keep their security protocols current. It takes an ‘all-in’ approach from boards to senior management to entry-level employees for best-in-class breach prevention and response planning.”
Kobus recommends that organizations should follow the principles of Compromise Response Intelligence, which includes: gaining executive support for security spending; educating key stakeholders; fine-tuning incident response plans; working more efficiently with forensic firms; assessing and reducing risk; building scenarios for tabletop exercises; and determining cyber liability insurance needs.
You can access Baker Hostelter’s report here.