Better understanding the role of human error in data breaches
It seems that every day we are waking up to news about another data breach. This year alone brought major data breaches to organizations as disparate as Capital One, Quest Diagnostics, DoorDash, Fortnite and the City of Baltimore.
With National Cybersecurity Awareness Month in full swing, it’s a reminder that while we are all getting better at recognizing the risks of being connected, we still need to work on changing our behavior to mitigate those risks.
Some contend that no amount of behavioral change can outsmart the hackers, and perhaps there is a sliver of truth to that—after all, technology is constantly evolving, and so are hackers’ methods. But human error—or a lack of behavioral change in light of what we know about cyberattacks—is sometimes still a major cause of data breaches.
When you consider the Capital One breach, for example, it wasn’t a matter of bad actors outsmarting the system. The hack—which affected 100 million customers—was done by a former software engineer at a third-party provider, which the bank used for its cloud services. While the hacker did not have any inside access due to her former role, she allegedly exploited a vulnerability in the cloud service—one that had been known for some time.
A recent survey by Verizon found that 27 percent of company data breaches were the result of vulnerability exploitation, such as a missing or faulty patch on an operating system. The vast majority of these weaknesses are already known. In fact, Gartner reports that “99 percent of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.”
Every network has vulnerabilities—sometimes many—and patching them all is a challenge and can take months or years to address. Good vulnerability management software can be instrumental in helping organizations tend to these problems, but IT professionals must also assess which vulnerabilities pose the biggest risk and which are less problematic and can afford a delay in fixing. While software can help, it is up to humans to weigh the risks and take appropriate action.
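The weighing the paragraph describes can be made explicit. The following is an added example, not part of the original article or of any vendor's product: it ranks a small, constructed inventory of findings by combining scanner severity (CVSS) with the context a raw score ignores (internet exposure, whether exploitation has been reported, how valuable the asset is, and how long the fix has been available). The weights, the patch-window tiers and the `VULN-000x` identifiers are all assumptions made for illustration, not real CVEs or a published standard.

```python
"""Risk-ranking a vulnerability inventory so patching effort goes where it matters.

Added example; the scoring weights and the sample findings are constructed
for illustration and are not from any real scanner, standard or the article.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    finding_id: str             # constructed label, not a real CVE id
    cvss_base: float            # scanner/vendor severity, 0.0 .. 10.0
    internet_exposed: bool      # reachable from untrusted networks
    known_exploited: bool       # public exploitation has been reported
    asset_criticality: int      # 1 (low) .. 5 (a "digital crown jewel")
    days_since_disclosure: int  # how long the weakness and its fix have been known


def risk_score(f: Finding) -> float:
    """Combine severity with the context the raw CVSS number ignores."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError("cvss_base must be within 0.0 .. 10.0")
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError("asset_criticality must be within 1 .. 5")
    score = f.cvss_base / 10.0                  # normalise severity to 0..1
    if f.internet_exposed:
        score *= 1.5                            # exposed systems are reached first
    if f.known_exploited:
        score *= 2.0                            # exploitation is not hypothetical
    score *= 0.4 + 0.2 * f.asset_criticality    # 0.6 .. 1.4 by asset value
    # A fix that has been available for a long time and is still not applied is
    # the "known for some time" failure the article describes. Weight age up to
    # one year, then cap it so very old findings do not dominate everything.
    score *= 1.0 + min(f.days_since_disclosure, 365) / 365.0
    return round(score, 3)


def priority(score: float) -> str:
    """Map a score to a constructed patch-window tier (assumed SLA values)."""
    if score >= 4.0:
        return "P1 (emergency, within 7 days)"
    if score >= 2.0:
        return "P2 (within 30 days)"
    if score >= 0.75:
        return "P3 (within 90 days)"
    return "P4 (next scheduled maintenance window)"


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Return (id, score, tier) with the riskiest finding first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.finding_id, risk_score(f), priority(risk_score(f))) for f in ranked]


# Constructed sample inventory (four findings; the ids are placeholders, not CVEs).
SAMPLE_FINDINGS = [
    Finding("VULN-0001", 9.8, True, True, 5, 400),   # exposed, exploited, crown jewel, long known
    Finding("VULN-0002", 9.8, False, False, 2, 10),  # critical CVSS but internal, fresh, low-value host
    Finding("VULN-0003", 5.3, True, True, 4, 200),   # "medium" CVSS, yet exposed and actively exploited
    Finding("VULN-0004", 7.5, False, False, 1, 30),  # high CVSS on an unimportant internal machine
]

if __name__ == "__main__":
    for fid, score, tier in prioritize(SAMPLE_FINDINGS):
        print(f"{fid}  score={score:<6}  {tier}")
```

The point the ranking makes is that severity alone is a poor queue: the CVSS 5.3 finding that is internet-facing and already being exploited (`VULN-0003`) lands in the 30-day tier, ahead of a CVSS 9.8 finding on an internal, low-value host (`VULN-0002`), which can afford the delay the article mentions. Real programs would replace the constructed weights with their own risk appetite and feed the `known_exploited` flag from a maintained exploited-vulnerability list rather than hand-entering it.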
The breach at DoorDash illustrated, yet again, a common problem that also affected Capital One and many other organizations: the risk posed by third-party service providers. The breach, which affected 4.9 million customers, was the result of an unnamed third party that, through a vulnerability in its own systems, enabled the hacker to gain access to its network and then move into DoorDash’s.
This breach and others like it highlight the importance of establishing a strong cybersecurity policy and thoroughly vetting third-party vendors to ensure that they have done their own cybersecurity due diligence. Periodically monitoring third-party service providers, and understanding what data they collect and how they store it, is essential.
Most important, all businesses should follow the National Institute of Standards and Technology (NIST) cybersecurity framework, which urges businesses to:
- Identify and understand which business assets (“digital crown jewels”) bad actors want.
- Learn how to protect those assets.
- Detect when something has gone wrong.
- Respond quickly to minimize impact and implement an action plan.
- Learn what resources are needed to recover after a breach.
A data breach can wreak havoc on an organization, damaging it not just financially, but reputationally.
I am not arguing that there is always an easy fix for the kind of breaches suffered by both Capital One and DoorDash, but it is up to us to be vigilant. Cybersecurity isn’t just an issue affecting IT professionals—it’s one that affects the organization, its employees and its customers.