Key Takeaways
1. Prioritize, Invest, and Execute to Mitigate Breach Root Causes
By simply eliminating all unencrypted data, the overwhelming majority of the breaches due to physical loss and portable devices can be avoided.
Meta-level failures. Many breaches stem from a failure to prioritize, invest adequately in, and effectively execute cybersecurity initiatives. These meta-level failures create an environment where technical vulnerabilities can be easily exploited.
Six technical root causes. The majority of breaches can be attributed to six technical root causes: unencrypted data, phishing, malware, third-party compromise or abuse, software vulnerabilities, and inadvertent employee mistakes. Addressing these root causes directly is crucial for reducing breach risk.
Proactive mitigation. CISOs should focus on mitigating risks associated with these technical root causes, as this approach significantly reduces the likelihood of a breach. Compliance standards, while important, should be a secondary focus, achieved as a side effect of a robust security program.
2. Unencrypted Data Remains a Top Breach Culprit
As such, unencrypted data is, in fact, the most prevalent root cause of data breaches.
Encryption as a fundamental control. Unencrypted data is the most prevalent root cause of data breaches. When personally identifiable information (PII) is stolen but encrypted, it is rendered worthless to attackers, effectively preventing a breach.
Cleartext vulnerability. Sensitive data in "cleartext" or "plaintext" form is directly readable by anyone who obtains it. Encryption transforms that data into ciphertext that cannot be read without the decryption key, so stolen ciphertext alone gives an attacker nothing usable.
CISO's immediate goal. A CISO's initial priority should be to identify and encrypt all sensitive unencrypted data to reduce the risk of data breaches. This single action can prevent a significant number of potential incidents.
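The point above, that stolen data is worthless to an attacker when it is stored encrypted, is easy to see in working code. The following is an added example written for this summary, not code from the book or its authors. It encrypts one sensitive field with AES-256-GCM and then shows what a copy of the stored blob exposes, what a wrong key or a modified byte produces, and why binding a record identifier as additional authenticated data matters. The key, the sample SSN value and the "customer:42" identifier are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext with AES-256-GCM under a 32-byte key and returns
// nonce || ciphertext || tag. The nonce is random per call and stored with
// the ciphertext; it need not be secret, only never reused under one key.
// aad (additional authenticated data) is not encrypted but is covered by the
// tag, so binding it to a record identifier stops a ciphertext from being
// swapped into a different row.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong key, a modified byte anywhere in the blob, or a
// mismatched aad makes the GCM tag check fail and yields an error instead of
// silently returning garbage.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ExposesValue reports whether a stored blob still contains the sensitive
// value as cleartext bytes, i.e. what someone who copies the disk or the
// database file would be able to read directly.
func ExposesValue(stored, sensitive []byte) bool {
	return bytes.Contains(stored, sensitive)
}

func main() {
	// Constructed sample: a key from the OS RNG and one PII field. In a real
	// system the key lives in a KMS or HSM, never beside the data it protects.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ssn := []byte("123-45-6789") // constructed, not a real identifier
	aad := []byte("customer:42") // hypothetical record identifier

	blob, err := Seal(key, ssn, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes, cleartext visible: %v\n", len(blob), ExposesValue(blob, ssn))

	got, err := Open(key, blob, aad)
	fmt.Printf("decrypt with the right key: %q err=%v\n", got, err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, aad)
	fmt.Printf("decrypt after tampering: err=%v\n", err)

	_, err = Open(key, blob, []byte("customer:43"))
	fmt.Printf("decrypt under another record's aad: err=%v\n", err)
}
```

The practical lesson is in where the key lives: encryption only converts a data-theft problem into a key-management problem, so the key must be held separately (a KMS, HSM, or OS keystore) with its own access controls and audit trail, otherwise a copy of the storage and a copy of the key are the same breach.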
3. Phishing Attacks Persist, Demanding Robust Defenses
One of the reasons that phishing attacks are so easy to conduct is that the original Internet email protocol (i.e., Simple Mail Transfer Protocol, SMTP) did not contain any features to support authentication or security more generally.
Social engineering exploits. Phishing attacks trick users into revealing sensitive information, such as login credentials, by impersonating legitimate entities. These attacks exploit human psychology and trust.
Spear phishing sophistication. Targeted phishing attacks, known as spear phishing, are highly effective because they leverage detailed information about the target, making the emails appear more legitimate. These attacks often lead to initial compromise in larger breaches.
Countermeasures are essential. Deploying anti-phishing measures, such as two-factor authentication, password managers, and security keys, is crucial for preventing these attacks. These measures add layers of security that make it more difficult for attackers to succeed.
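Two-factor authentication is the first countermeasure listed above, and the most common form of it is a time-based one-time code. The following is an added example, not code from the book or its authors, showing the server side of that control: generating the RFC 4226/6238 code and verifying a submitted code with a small clock-skew window, constant-time comparison and replay rejection. The shared secret is the published RFC 6238 test-vector secret, used here only so the output is checkable; a real enrolment generates a random secret per user.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

const stepSeconds = 30 // RFC 6238 default time step

// HOTP computes the RFC 4226 one-time code: HMAC-SHA1 over the big-endian
// counter, dynamic truncation to 31 bits, then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP is HOTP with the counter derived from Unix time (RFC 6238).
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/stepSeconds), digits)
}

// VerifyTOTP is the server-side check. It accepts the current step and one
// step on either side (clock skew), compares in constant time, and refuses
// any step at or before lastUsedStep so a captured code cannot be replayed.
// It returns whether the code was accepted and the step the caller should
// now record as lastUsedStep for this user.
func VerifyTOTP(secret []byte, code string, unixTime int64, digits int, lastUsedStep int64) (bool, int64) {
	if len(code) != digits {
		return false, lastUsedStep
	}
	step := unixTime / stepSeconds
	for _, s := range []int64{step, step - 1, step + 1} {
		if s <= lastUsedStep {
			continue
		}
		expected := HOTP(secret, uint64(s), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			return true, s
		}
	}
	return false, lastUsedStep
}

func main() {
	// RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real
	// enrolment generates a random secret per user and stores it encrypted.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, 6)
	ok, step := VerifyTOTP(secret, code, now, 6, -1)
	fmt.Printf("code %s accepted=%v at step %d\n", code, ok, step)
	ok, _ = VerifyTOTP(secret, code, now, 6, step) // same code presented again
	fmt.Printf("replay accepted=%v\n", ok)
}
```

The replay check is what turns a one-time code into one that is actually single-use: without recording the last accepted step, a code phished moments ago remains valid for the whole skew window. Even with it, a code typed into a look-alike site can be relayed to the real one within that window, which is why the passage also lists security keys; those bind the response to the site's origin and cannot be relayed the same way.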
4. Malware Evolves, Requiring Adaptive Security Measures
Starting in 2013 with the mega-breach at Target, and from the many mega-breaches that followed, it became clear that malware, Internet worms, and software vulnerabilities were only a few of the problems that would need to be addressed.
Malicious software threats. Malware, including viruses, worms, rootkits, keyloggers, and ransomware, poses a significant threat to organizations. These programs can steal data, disrupt operations, and demand ransom payments.
Drive-by downloads. Malware can infect a machine simply because the user views a web page, with no further interaction. This propagation method makes it easy for attackers to spread malware widely.
Comprehensive defenses. Defending against malware requires a multi-layered approach, including anti-malware software, endpoint detection and response (EDR), network detection and response (NDR), and isolation technologies. These measures work together to prevent, detect, and contain malware infections.
5. Third-Party Risks Demand Vigilant Vetting and Monitoring
Often, an organization gets compromised not because the attackers target the organization directly, but rather because of one of the third parties with which the organization works, as occurred in the case of the SolarWinds hack discovered in December 2020.
Weakest link exploitation. Organizations are often compromised through their third-party suppliers, who may have weaker security measures. Attackers target these suppliers to gain access to the larger organization's network.
Diverse third-party risks. Third-party risks extend beyond suppliers to include partners, customers, and potential acquisitions. Each of these relationships can introduce vulnerabilities if not properly managed.
Due diligence is crucial. Thoroughly vetting third parties, including potential acquisitions, is essential for identifying and mitigating security risks. This includes assessing their security posture, implementing appropriate controls, and monitoring their activities.
6. Software Vulnerabilities Require Proactive Management
A single vulnerability can be used by attackers to breach an organization.
Software as a primary target. The modern world runs on software, making software vulnerabilities a prime target for attackers. A single vulnerability can be exploited to gain access to sensitive data or systems.
Patching is critical. Software vendors regularly release patches to fix known vulnerabilities. Applying these patches promptly is crucial for preventing attackers from exploiting these weaknesses.
Vulnerability management programs. Organizations need robust vulnerability management programs that include identifying, prioritizing, and remediating software vulnerabilities. This requires a combination of tools, processes, and skilled personnel.
7. Consumers Must Adopt Digital "Seatbelts"
Consumers and employees in organizations know that the Internet can be unsafe.
Internet dangers. Consumers are constantly under attack while using the Internet. They may not understand all the details, but they are aware of the risks.
Digital seatbelts. Consumers need to adopt "digital seatbelts" to protect themselves online. These include basic security measures that can significantly reduce their risk of becoming victims of cybercrime.
Proactive measures. By taking proactive steps to secure their digital lives, consumers can minimize their exposure to threats and protect their personal information. These measures are analogous to putting on a seatbelt before driving a car.
8. Identity Protection Services Offer a Safety Net
The stolen data could be used by a foreign nation-state but may never be posted to the dark web as dark websites are typically used by cybercriminals to buy and sell such data.
Beyond credit monitoring. Identity protection services go beyond credit monitoring by tracking a wide range of data sources for signs of identity theft. These services can detect fraudulent activity that credit monitoring alone would miss.
Dark web monitoring. Identity protection services often monitor the dark web for compromised personal information. This can provide early warning of potential identity theft.
Stolen funds reimbursement. Some identity protection services offer stolen funds reimbursement, providing financial protection in the event of identity theft. This is a valuable benefit that can help consumers recover from financial losses.
9. Secure Routers as the First Line of Defense
Your Internet router or gateway is the first line of defense inside your home, as it is the primary way that all of your home devices get connected to the outside world.
Gateway to the home network. The home Internet router is the primary entry point for all devices connecting to the Internet. Securing the router is essential for protecting the entire home network.
Default password vulnerability. Many routers come with default passwords that are easily guessed by attackers. Changing the default password is a crucial first step in securing the router.
Regular patching and firewall. Regularly patching the router's firmware and enabling the built-in firewall are also important for protecting against attacks. These measures help prevent unauthorized access to the home network.
10. Endpoint Protection Is Essential for Consumer Security
One day it may be the case that the hardware and the software that we use to interact on the Internet will, hopefully, make it as easy as just putting our seatbelt on in order to safely use the Internet.
Endpoint devices as targets. Laptops, desktops, smartphones, and tablets are all potential targets for malware and other attacks. Protecting these devices is crucial for preventing data theft and other security incidents.
Anti-malware software. Installing and regularly updating anti-malware software on all endpoint devices is essential for detecting and removing malware. This software can help protect against a wide range of threats.
Encryption and backups. Enabling storage encryption on all devices and regularly backing up data are also important for protecting against data loss and theft. These measures ensure that data remains confidential and can be recovered in the event of a security incident.
Review Summary
Big Breaches receives mostly positive reviews, with readers praising its comprehensive overview of cybersecurity failures and mitigation strategies. Reviewers appreciate the book's accessible language, practical advice, and analysis of major security breaches. Some highlight its relevance to current events and potential for generating new product ideas. The first half of the book, focusing on case studies, is particularly well-received. A few criticisms include a tedious second half and overgeneralizations about nation-state actors. Overall, readers find it informative for both cybersecurity professionals and laypeople.