The number of data breaches has been increasing every year for over a decade. Each incident costs businesses time, money and resources to repair while inflicting often irreparable damage to their brand reputation and customer loyalty. This reality only became more apparent during the recent pandemic, as threat actors took advantage of the disruption and uncertainty of the moment to wreak havoc in our digital environments.
In 2021, the number of data breaches is already on pace to set a new record. In some ways, the pervasive fear of failure can seem crippling or, even more unsettling, inevitable. As one particularly exasperated headline recently asked, “Are we waiting for everyone to get hacked?”
Fortunately, for businesses looking to defend their data, IT, and intellectual property, the risks aren’t so inevitable. Specifically, Verizon’s 2021 Data Breach Investigations Report found that 85% of data breaches involved a ‘human element’, giving organizations a clear direction for their cybersecurity initiatives in the second half of 2021 and beyond.
Here are three lessons business leaders can learn from this report and the next steps they can take to start responding to the human element of data privacy and cybersecurity.
1. Abuse of privileges and mismanagement of data are common and preventable
Privileged users have access to critical computer systems, network applications and corporate data. Their status makes it particularly difficult to detect privileged insiders before they cause disaster. Verizon estimates that over 30% of privilege abuses take months or even years to identify, leaving every organization vulnerable to an unhappy employee or accidental data exposure.
Of course, these risks are magnified by a growing body of compromised credentials that can give malicious actors direct access to sensitive information. Employee tracking software (Full disclosure: this is a service offered by my company) enables organizations to distinguish and track these users, from remote users and third-party vendors to architects and system administrators.
When combined with a zero-trust data loss prevention strategy, every business can rely on employee monitoring to gain real-time visibility into privileged users, enabling them to take action against accidental or malicious misuse of data or credentials before a data breach occurs.
2. Phishing scams cannot be ignored
Phishing scams, malicious social engineering messages, have increased dramatically during the pandemic. Verizon’s analysis found that phishing was present in 36% of data breaches, an 11% increase year-over-year. Additionally, business email compromise (BEC) was the second most prevalent form of social engineering, as misrepresentation was fifteen times more likely to occur than last year.
Above all, executives must remember that phishing attacks are not a monolith. A recent Microsoft analysis identified several forms of phishing, including:
- Bill phishing
- Payment/delivery scams
- Tax-themed phishing scams
Collectively, over three billion phishing scams are sent every day, so it is essential that business leaders equip their teams to identify and defend against these scams. Since teleworkers are more likely than their on-site counterparts to fall victim to phishing scams, education and training initiatives are particularly urgent in today’s hybrid workforce.
In response, companies should train their employees on phishing scam awareness best practices, providing regular and ongoing instruction to mitigate the risk of a data breach or cybersecurity incident.
3. Accidents happen (but negligence is not an accident)
People are fallible, and their mistakes can compromise data integrity. We think that 90% of data breaches in the cloud can be traced to human error, while accidental sharing and exposure plague businesses of all sizes in all industries.
However, don’t confuse negligence with accidents. Notably, most people do not regularly update their login credentials even after a data breach, and many people haven’t enabled simple security features like multi-factor authentication.
That’s why companies need to preach good digital hygiene and hold people accountable to these standards. As the NYT report explains, digital hygiene is “the accumulation of investments and daily inconvenience by government, businesses and individuals that make it harder for hackers to do their jobs.” And some are very low-tech.
As business leaders make strategic decisions to effectively navigate the post-pandemic “new normal”, cybersecurity is increasingly top of mind. With the continued emergence of new threats, businesses can take meaningful steps to defend against the most likely ones. With the vast majority of data breaches involving a “human element,” businesses can begin to face this disproportionate risk today. Data breaches don’t have to be inevitable, but proper defense requires a response, and business leaders should start this process today.
This article originally appeared in Forbes and is reprinted with permission.