Did you know that most cybersecurity attacks don’t occur randomly? According to Thomas Johnson, chief information security officer (CISO) at ServerCentral Turing Group (a cloud consultancy), they’re coordinated with important business events, including major product or service updates, periods of restructuring, acquisitions, and new product releases.

“And when companies discover the root causes of the attack, they often find their systems have been infiltrated for months, as hackers waited for the right time to strike,” Johnson says.

Prevalence of security breaches and hacks

According to RiskBased Security’s Q3 2019 Data Breach QuickView Report, there were 5,183 breaches that exposed 7.9 billion records in the first three quarters of 2019. “The majority of security issues arose from one of four sources: unpatched security vulnerabilities, lack of regular updates to critical systems, human error and malware/ransomware,” Johnson says.

Security breach vs. hack

The terms “breaches” and “hacks” are typically used interchangeably, but Johnson says there are differences between the two. “Hacks are intentional attacks carried out by a malicious actor to access a protected system.”

On the other hand, he defines a data breach as inadvertently leaving sensitive data in an unsecured environment. “Then, someone has access to data they shouldn’t be able to see.”

Inside jobs

The Verizon 2019 Data Breach Investigations Report reveals that although the majority (69%) of attacks were perpetrated by outsiders, 34% involved internal actors. “While there are certainly examples of employees abusing their authorized access to use sensitive data for malicious purposes, the most aggressive security risk is carried out by insiders who mean no harm,” the report says.

Johnson says it’s usually a result of well-meaning or uninformed employees making human errors. For example, they may click on a link that appears to be from a manager. “However, it is actually from a hacker — “phishing” — or they download the wrong file that then infiltrates the company’s IT infrastructure as malware, or worse — ransomware.”

Social engineering manipulates and takes advantage of unsuspecting employees — and other people — so they will reveal confidential information. “Phishing is just one form of social engineering,” Johnson says. “Other examples of social engineering include presenting oneself as someone else to obtain information (‘pretexting’) or injecting malicious code into a public website (‘watering hole attack’).”

In fact, Johnson says that all incoming and outgoing communications pose serious threat risks. He points to a survey by Kaspersky Lab, which found that 90% of data breaches are caused by human error.

“Often, these kinds of data breaches start out as relatively inconspicuous and aren’t recognized right away, for example, a broken URL, a link to a form that doesn’t work properly, etc.” While companies may view them as minor inconveniences, Johnson says they’re anything but minor. “They’re signs external parties have access to critical information within secure enterprise IT systems,” he explains. Even an email sent to employees asking them to update or verify their identity for a vendor could be a trap. “Falling victim to the trap can damage a company’s reputation and wreak havoc on the entire organization.”

How companies can protect themselves

The best way to protect your company from internal and external threats is by regularly implementing security patches and critical system updates. “Every year, there are hundreds of thousands of security vulnerabilities identified worldwide, and in most instances, software and hardware developers issue timely updates to mitigate these issues,” Johnson says.

The problem is that the updates aren’t implemented on a regular basis. “It is not uncommon to evaluate an enterprise IT environment and find that between 35 and 50% of the systems do not have all available security patches deployed.”

He explains that critical system updates are usually among the mundane updates requests that most people see every day. “However, it’s not uncommon for 60% of desktops to be behind on these updates — a common example of this is the Microsoft AutoUpdate warning that’s presented to — and ignored by — users on a regular basis.”

Admittedly, these updates can appear to be ill-timed when you’re in a hurry to finish a project.

“But the risk of having a business document — standard documents, spreadsheets and presentations are all at risk — serve as an entry point for a virus, malware or ransomware attack is significantly greater than the reward of finishing a project two to three minutes faster by ignoring the system update.”

It may seem like a never-ending stream of system updates and security patches. However, Johnson says these steps are crucial if you want to protect enterprise IT environments, processes, and data.

He also includes several practical steps to help organizations secure their data:

  • Remind all employees to update their desktop systems at a predetermined time every week (for example, every Friday afternoon right after lunch). This helps make security a habit and ensures no system goes more than seven days without important updates.
  • Share examples of threat attacks from purported vendors or co-workers. These are easy to come by, since they’re probably landing in employees’ inboxes nearly every day.
  • Create a default escalation point (or process) for any questionable inquiries or assets. This way, every employee knows who to contact to ask if something may, in fact, be a threat.
  • Stay up to date with system life cycles. Roughly 37% of Microsoft Windows systems in operation today are running Windows 7. Microsoft eliminated support for this operating system early this year. This means there are no longer security updates for a significantly prevalent operating system.
  • Reward individuals for recognizing and identifying threats. Even a gift card from Dunkin’ Donuts or Starbucks reinforces awareness that threats are real and everywhere.
  • Keep Active Directory and other authentication databases up to date. Instead of leaving unattended accounts in the system, decommission them to eliminate their risk of being compromised. On average, when assessing a customer environment, it’s common to find 4 to 7% of total active accounts to be for employees who are no longer with the company.

Unfortunately, no company is immune to data breaches. “However, it will be significantly better off if a culture of cybersecurity is prioritized and embraced, and that all starts with communication.”