Last week, IBM and The Ponemon Institute released their annual Cost of a Data Breach Report. For the past 15 years, the report has highlighted recurring and emerging factors that contribute to the cost of data data breaches, as well as the root causes of those breaches. One of the key findings in this year’s report is the fact that human factored cyber attacks not only make up a large percentage of the all malicious attacks, but also are incredibly costly to businesses that suffered breaches. This only confirms the importance of cyber awareness training for employees to limit the risk of a human factored attack.
There are many different causes of a data breach, some of which are merely accidental. However, according to this year’s report, malicious attacks now make up 52% of all breaches. This didn’t used to be the case. In fact, malicious attacks have seen a 24% growth rate in just six years. Malicious attacks are also the most expensive, costing businesses an average of $4.27 million. That’s nearly $1 million more than all other causes of a breach.
Given the frequency and cost of malicious attacks, it’s important to look closer at the different threats that account for the rise in malicious attacks — and the data is surprising. While expected threats such as system vulnerabilities and malicious insiders are certainly present, human factored cyber attacks take up a large chunk of all malicious attacks. Threats ranging from phishing attacks, to business email compromise, to social engineering and cloud misconfigurations are all rooted in human rather than technical vulnerability, and account for 41% of all malicious attacks leading to data breaches. Indeed this report correlates with what was presented in the Verizion 2020 Data Breach Investigations Report.
Human factored cyber attacks aren’t something you can protect yourself against strictly through technically safeguards. Instead protecting against these vulnerability requires working with employees, establish proper quality control protocols, ensuring your have the right expertise on your team and using cyber awareness training to help build safer online habits.
As a Fortune 100 CISO once told me, “at the end of the day, every cyber incident starts with someone making a decision.”
This month Blackbaud, a cloud computing provider primarily serving nonprofits and educational institutions, announced that the company suffered a ransomware attack back in May. The company’s response, however, has raised more than a few eyebrows from security experts, and left hundreds of nonprofits scrambling to figure out if they’ve been affected. The Blackbaud breach is just the latest reminder that third party data processors can be a liability to your business.
According to Blackbaud’s statement about the breach, the company quickly discovered the attack and was able to remove the attackers from their systems — but not before the hackers stole a copy of a data set. Blackbaud has not specified the exact nature of that data, but claims it does not include sensitive information such as credit card information, bank account information, or social security numbers. On source told the BBC, however, that the stolen data involves donor information from hundreds of nonprofits and institutions and includes details such as names, addresses, ages, and estimated wealth. Now, organizations that are customers of Blackbaud are scrambling to see if their donors’ information was included in the breach and, if so, must release data breach disclosures of their own.
The most egregious part of the Blackbaud breach, however, was the company’s response. When they discovered their data had been stolen, they agreed to pay a ransom to have the attackers delete that data. Subsequently, Blackbaud assured their customers that there is no reason to believe the stolen data “was or will be misused; or will be disseminated or otherwise made available publicly.” However, cybersecurity experts have been quick to point out that this is a dangerous assumption to make.
Firstly, they got ransom’d but sounds like the actor also had a copy of the data. They paid the ransom and somehow believe that the (criminal) actor kindly removed their copy of the @blackbaud data: https://t.co/VrR5my2S8U
Despite Blackbaud’s insistence that the data has been deleted by the hackers, the company has not stated why they are confident in that assumption, and no external investigation has been able to confirm it. As many have noted, Blackbaud’s response to the breach seems more an attempt to protect their brand’s reputation, rather than a transparent disclosure. There are also questions about the amount of time the company took to disclose the breach, and whether or not that violates GDPR requirements.
The fact that so many questions about the Blackblaud breach are still unanswered two weeks after it was announced has not been assuring to the nonprofits that use their services. Over 100 organizations have already notified their donor’s about the breach, and more will likely do so in the weeks ahead.
While this far from the only third-party provider to suffer a data breach, the attack on Blackbaud is a rather stark example of why businesses need to take the time to carefully evaluate third-party security practices, as well as insist on strong agreements that define accountability and responsibilities in the event of an incident. This is especially important for associations and non-profits because their very existence relies on the trust that their members or donors place in them. When that trust is violated, it takes a long time to repair.
On Wednesday, The New York Department of Financial Services (NYDFS) announced their first ever cybersecurity charges against title insurance company First American for a data breach that exposed hundreds of millions of records containing sensitive information over the course of nearly five years.
The First American data breach initially occurred in October 2014 after an error in an application update left 16 years worth of mortgage title insurance records available to anyone online without authentication. These documents included information such as social security numbers, tax records, bank statements, and drivers license images. The error went undetected until December 2018, when First American conducted a penetration test that discovered the venerability. According to the NYDFS, however, First American did not report the breach and left the documents exposed for another 6 months, until a cybersecurity journalist discovered and published about the breach.
Charges against First American for their role in the data breach is the first time the NYDFS is enforcing the department’s cybersecurity regulations established in 2017. The regulation requires financial organizations with a license to operate in New York to establish and follow a comprehensive cybersecurity policy, provide training for all employees, implement effective access controls, and conduct regular venerability tests in line with a cybersecurity risk assessment.
First American is facing 6 charges, including failing to follow their internal cybersecurity policy, misclassifying the exposed documents as “low” severity, as well as failing to investigate and report the breach in a timely manner.
While the fine for a violation of the regulation is only up to $1,000, the NYDFS considers each exposed document as a separate violation. So, with up to 885 million records potentially exposed, First American could be looking at millions of dollars in fines if the charges stick.
News of the charges should serve as a wake-up call to U.S. organizations unconcerned with cybersecurity regulations. While the U.S. does not have any federal regulations, and there are a number of state regulations that have gone into effect in the past 5 years. This is merely one of what is likely many companies that will face enforcement unless they take steps now to ensure compliance.
The 2013 Target breach served as a wake up call for many businesses about the importance of proper cybersecurity practices. Since then, organizations have devoted a lot of time and resources into putting security controls and trainings in the place to better protect their data. Yet, one piece that is often overlooked is vendor management. In fact, the Target breach occurred when the credentials of an HVAC vendor were stolen and used to gain access to Target’s network. Traditionally, vendor management involves creating a security agreement and routinely accessing vendors’ security practices, but doesn’t always include cyber awareness training. However, given that credentials are regularly stolen through social engineering tactics, organizations need to start focusing on training their critical vendors to be more cyber aware.
With the effort often involved in implementing training programs for employees, it may seem daunting to also train vendors. However, since vendors usually have limited access and have very specific roles, vendor cyber awareness programs should be customized to the role they play within your organization. While you should ensure that the Vendor does have a comprehensive awareness program for all employees, you should consider adding your own training to those individuals who are touching your account — including their accounts payable or receivable units — and tailor the training to the specific risks they present.
Take the Target breach as an example. Hackers gained access to the Target network through credentials to a vendor portal. In order to help prevent the breach, Target could have taken the following steps: first, require strong authentication, including multi-factor authentication, to access the Target system; second, receive verification that the vendor has a training program in place for all employees; third, identify the individuals within the vendor’s organization that need to access it’s system; finally, provide those individuals adequate, role-based training on topics like password strength, business email compromise, and phishing.
The importance of ensuring your vendors are cyber aware cannot be overstated, and should even be a requirement before entering into any agreement. While this training doesn’t need to be as extensive as it is for your employees, it should be focused on the individuals with access, and the role those individuals play within your organizations. Anything less than that could leave you vulnerable to unauthorized access.
Over the past few years, ransomware has become a more and more common form of cyber attack. In part, this is because hackers have started to sell pre-made packages that anyone can buy on the dark web and run without a lot of technical know-how. While this form of ransomware allows malicious code to spread automatically, it’s not always the most sophisticated form of attack. This may be why human-operated ransomware has become more popular over the past few months. Unlike pre-coded ransomware that blindly crawls through infected networks, human-operated ransomware attacks tend to play more of the long game. Once attackers gain access to a victim’s system, they take their time to gather as much intel as possible about their target, often waiting months before launching their attack. This helps them gain access to other areas within the network and ultimately make it extremely difficult for the victim to put a stop to the attack once it starts.
The key to combatting these more sophisticated attacks, then, is to stop them from accessing your systems in the first place. Often, ransomware attacks gain access by taking the path of least resistance, such as unpatched applications. This has been an especially big problem for the healthcare industry recently. As hospitals continue to be overwhelmed by COVID-19, they have not had the time and resources to safeguard security systems and update applications quickly.
For example, recently human-operated ransomware attackers are using out of date virtual private networks (VPNs) to gain access. In fact, Microsoft identified “several dozens of hospitals” that were vulnerable to attack because of outdated VPN applications. To help combat this issue, Microsoft has developed a new alert system to notify hospitals that have unpatched applications and other vulnerabilities.
With ransomware attackers playing the long game, it’s vitally important to ensure your systems and applications are patched and that you fix any known vulnerabilities. In addition, any potential compromise to your system, however small, should be investigated and dealt with as soon as possible. Otherwise, hackers can spend months moving throughout your networks undetected and make it near impossible to remove once they launch their attack.
Cybersecurity tools are important for lowering the risk of a data breach. However, if those tools are put in place without considering business outcomes, it can harm organizational goals and even, in some cases, cost lives. In the healthcare industry, for example, steps taken to recover from a data breach can lead to a drop in the quality of care. However, no matter the industry, if cybersecurity tools and businesses goals are not aligned, there will almost always be negative consequences for that business.
A study published last year in the Health Services Research Journal found that after a hospital experienced a data breach there was, on average, an additional 36 deaths from heart attacks per 10,000 patients. One of the main factors that contributes to this is a delay in treatment because of new security policies following a breach. Common tools used after a breach include additional sign-in measures such as multi-factor authentication, or automatic logout after a period of inactivity. So if someone comes into a hospital with chest pain, for example, these extra security measures delay the ability for doctors and nurses to register the patient and access health records. This is especially important to consider now, given that hacks against the healthcare industry have risen since the COVID-19 pandemic began.
Of course, this isn’t to say that there shouldn’t be any additional security measures in place after a breach Instead, the point is that it is important to align cybersecurity processes with overall business goals — even when the stakes aren’t as high as saving a life. The key is to begin with your desired business outcomes and look at the cybersecurity risks that can negatively impact those goals. Then, only once you know your specific risks do you design or apply tools that limit those risks without negatively impacting the business. This requires strong governance and communication between IT and business leadership. Failure to focus on the interplay between cybersecurity and business goals both weakens the security posture and weakens business outcomes. And that’s not a prescription for a healthy strategy.