4 Reasons Why Data Breaches Keep Happening to Organizations
Why Data Breaches Keep Happening to Organizations and What Actions Companies Can Take to Stop It
Over the past decade, data breaches have become more frequent and more destructive, with the average cost of a data breach rising over 13% since 2020 according to IBM. Companies of all sizes and across all industries are struggling to protect their data, keep client and employee information private, and defend themselves from malicious cyberattacks.
Particularly over the last three years, as our reliance on digital technologies has grown, cybersecurity concerns have reached a fever pitch. Tools like IoT technologies and remote work options provide efficiency and business opportunities but introduce new cybersecurity risks. The fact that breaches continue to dominate headlines is itself a sign of a growing problem. Each additional leak or sale of personal information (insurance details, personal data, credentials, social security numbers; the list goes on) makes it easier for threat actors to infiltrate accounts.
Why do data breaches keep happening?
The goal of most cybercriminals is financial gain, but it is sometimes pursued indirectly. Bad actors will target a company with weak security so that they can steal personally identifiable information (PII) and other sensitive data, and then sell it to other cybercriminals. Even when money is the end goal, data itself is the hot commodity, meaning organizations of all kinds and sizes are being targeted.
But this isn’t breaking news to IT professionals. Within the cybersecurity world, the much more important question is, how are data breaches happening—and of course, how can we prevent them?
There are four main identifiable reasons that organizations are repeatedly falling victim to data breaches. These span everything from common user habits to stolen device use. Let’s dive in:
- Human Error
  - According to Verizon’s 2022 Data Breach Investigations Report, 82% of data breaches involved a human element. This includes all kinds of accidental moments, from sending a password to the wrong person over email to clicking a malicious link thinking it’s safe.
  - One incredibly common source of human error lies in the choices users make around their passwords. All too often, individuals settle on one or two passwords they perceive as strong because they satisfy character complexity requirements. Users will then use these same passwords across multiple accounts and devices—a habit known as password reuse. Sometimes users will make small changes to a single favored password, essentially choosing a ‘root’ password and riffing on it, again often to satisfy requirements.
  - Unfortunately, password reuse makes it easy for cybercriminals to take information from previous breaches and access all of an individual’s accounts. Attackers count on how widespread password reuse is to run highly effective attacks like credential stuffing, in which username and password pairs leaked from one breach are replayed against other services.
  - In the same vein, users are also chronically bad at coming up with unique passwords—understandably, because they don’t want to have to remember long, complex strings of characters—so they settle instead on common words like ‘password’ and ‘admin’. Cybercriminals also know about these habits and weaponize them in password-spraying attacks, trying a handful of common passwords against many accounts.
- Weak & Default Passwords
  - What users consider a weak password has changed over the years. In the past, a combination of upper- and lowercase letters, numbers, and special characters was thought to lock an account down securely. However, users not only choose dictionary words, they also engage in the same password habits across the board: adding “2023”, their birth year, or “!” to the end of their favored word. Hackers know all these habits and exploit them.
  - While password reuse is a major issue, default passwords and weak passwords are in some ways just as bad—and more insidious. IoT devices, routers, and all kinds of tech ship with default passwords, often simple strings like “123456”. All too often, these passwords are never updated or reset by their owners. This makes it simple for hackers to access at-home devices and then move laterally without being detected.
- Social Engineering
  - While we would all like to think we’d spot a phishing scheme a mile away, hackers are becoming more and more convincing, and attacks are coming from all angles. Emails and texts are common points of contact, and hackers fly under the radar by posing as trusted figures, like bosses or family members. Hackers also apply psychological pressure, insisting that there is an urgent or personal problem. Whether a hacker is aiming to have a victim transfer money, purchase gift cards, or share their insurance or social security information, we’re all at risk.
  - Cybercriminals will also pose as authority figures so that a victim is more likely to click a link in an email or text. These links are often the source of malware, which can spread rapidly and compromise a network immediately. Once malware is installed, hackers will look for credentials, sensitive data, and material they can use as leverage for a ransom.
- Permissions and Privileges
  - Privileged accounts are those with substantially more rights than ordinary users. They include accounts owned by employees and those used by third-party applications and services that interact with other parts of the network infrastructure. When cybercriminals obtain the credentials for a privileged account within the organization, they can easily make undetected lateral moves, harvesting data and installing malware—and it’s simple because the account they’re using already has all the freedom they need. For system administrators and security teams to effectively protect against attacks on privileged accounts, they need to be aware of the most common attack vectors so they can focus on the right areas.
When designing cybersecurity defenses for organizations, developers and security analysts need to consider each of these vulnerabilities. No one solution will magically defend company and user data overnight—especially as cybercriminals are looking to stay one step ahead.
Because these weaknesses span user behavior and technology alike, solutions must be designed as a whole. Ensuring that security is layered and holistic will allow cybersecurity to become an obvious choice for organizations, instead of a panicked afterthought.
Here are six areas you can address to improve your organizational security from the top down.
- Educate your employees
  - Human error is the number one cause of data breaches. You need training that goes beyond instructions and rules—spend the time explaining ‘why’ to your employees. Cybersecurity is a collective concern and no one is immune to password mistakes and phishing schemes. But individuals can make smarter choices and feel more invested in their security habits at work when they know why they’re being asked to change certain habits. Turn employees into assets instead of liabilities!
- Update your security procedures using NIST guidelines
  - NIST standards are frequently updated sets of guidelines for organizations. In the most recent publications (the SP 800-63B Digital Identity Guidelines), they recommend uprooting several widely held beliefs about password policies:
    - Get rid of periodic password resets. Multiple studies have shown that requiring frequent password changes is counterproductive to good password security.
    - Ditch the arbitrary character complexity requirements. Like frequent password changes, these types of restrictions have repeatedly been shown to result in worse passwords.
    - Scan regularly for compromised credentials. One of the best ways to ratchet up the strength of your users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords.
- Use up-to-date security software
  - Software updates exist for a reason, and often it’s to keep users safe. Make it a regular and required task to stay up to date on patches in your environment, including those available for your OS and security software.
- Continuously Monitor
  - Cybercriminals don’t work 9 to 5. Your systems need strong security monitoring around the clock. Monitoring your network constantly will improve your security and allow you to detect threats early. An MDR service or security tools optimized for autonomous containment and response can help bridge the gap when your security team is offline.
- Require Multifactor Authentication (MFA)
  - Companies must move past the feeling that MFA is a burden or causes too much user friction. While it is not a replacement for enforcing an effective password policy, enabling MFA in addition to strengthening the password layer means that even if a compromised credential enters your network, there’s a safety net in place.
- Require Employees to use Password Managers
  - Users choose weak passwords or reuse favorites because they cannot, and do not want to, remember dozens of unique, complex passwords. Fortunately, this is quite avoidable with a password manager, which stores your complex passwords for you. Studies have shown that using a password manager encourages users to choose stronger passwords for their accounts.
For more detailed information about each of these security techniques, visit the Enzoic Resource Hub and Blog.