To be clear, data theft is not as simple as using copyrighted images available on the internet for a blog or other publications. It involves steps not many ordinary internet users are familiar with. However, from a persistent cybercriminal’s standpoint, it does not require a lot of effort to steal data from organizations, businesses, and individuals.
There have been many instances of security breaches that resulted in the exposure of private data. In 2013, Adobe reported that the data of over 150 million users was compromised, forcing the company to pay $1.1 million in legal fees and an undisclosed amount in settlements with users, because the company failed to comply with the Customer Records Act.
Adobe is an established tech business with an international reach, so the expectation is that it would be, at minimum, compliant with customer data protection laws. The reality, though, is that there are far too many inadequacies, omissions, instances of negligence, and other issues that make it easy for cyber attackers to steal data.
Addressing the failure to test security defenses
Putting up a cybersecurity system is a given for organizations. However, it is just a part of what is needed to ensure dependable cyber protection. Most of the organizations that become victims of data theft do not have regular security testing practices.
A survey conducted by Decision Analyst found that nearly half of companies only aim for regulatory compliance and do not necessarily verify the effectiveness of their security controls. This does not bode well for enterprise security. Meeting security compliance is a good start in establishing cyber defenses, but organizations cannot afford to stop at being merely compliant.
To make sure that security controls work as they are intended, it is also important to undertake security testing. This is done by conducting white hat attacks, red teaming, blue teaming, purple teaming, attack simulations, and other methods to check if an organization’s cyber defenses successfully detect attacks and prevent penetration.
Security testing can be done manually by running code on a target system or network to examine how the security controls respond. However, it is also possible and arguably more efficient to use a continuous security validation platform. AI, automation, and other advanced technologies converge in modern security solutions to make the process of testing security controls easier, faster, and more thorough.
Being able to meet industry standards does not always guarantee that a security system will work when an actual attack takes place. Software updates, changes in configurations, and other modifications in devices or systems can throw off the effectiveness of security controls. Compliance audits are only periodic; attacks are continuous and unending. It is only logical to adopt a continuous security testing system.
Strengthening the human component of security
The proposition that humans are the weakest link in cybersecurity has merit. The mistakes, negligence, omissions, dillydallying, and other harmful traits and actions of people contribute to the vulnerabilities an organization has to contend with. Accenture’s ninth annual Cost of Cybercrime Study affirms this reality, as it suggests prioritizing the handling of people-based attacks.
The people working in an organization serve as the biggest vulnerability for cybercriminals to exploit. No matter how good a security system is, if people are deceived into unwittingly disabling controls from the inside or creating vulnerabilities, it will be easy for attackers to succeed with their pernicious and criminal plans.
Moreover, there’s the problem of social engineering, which is one of the most dreaded cyber attacks at present because of its effectiveness. It can defeat security controls by taking advantage of human ignorance, carelessness, curiosity, tendency to cut corners, and propensity for committing mistakes. Simple things like using weak passwords, ditching multi-factor authentication, and deferring software updates, among others, help cybercriminals steal data and carry out other cyber attacks.
A report from the Identity Theft Resource Center reveals an alarming finding. It says that up to 83 percent of the surveyed respondents use the same password for two or more accounts. This is a major security issue that worsens the vulnerability posed by the use of weak passwords. If attackers can easily crack passwords, they would not need to resort to baiting, pretexting, scareware, phishing, and spear phishing.
Two complementary solutions are recommended to address the cybersecurity weakness attributed to people. One is to provide thorough education or orientation to people about the attacks that target them. The other is to undertake a human vulnerability assessment.
Organizations that use computers and the internet need adequate cybersecurity training to make sure that employees, or even members of management themselves, do not become unwitting tools in the degradation or collapse of their cybersecurity system. It is important for everyone to recognize what a phishing scheme looks like, what the indications of malware are, and which actions create opportunities for cybercriminals to successfully land an attack.
In the words of Accenture Managing Director Robert Kress, organizations can create “security-first people” by providing them the right training or education. There are tools that can automatically detect security vulnerabilities associated with people. These tools can be one of the features of security validation platforms.
Preventing spyware, ransomware, and other malware
Malicious software, or malware, is becoming more sophisticated and difficult to detect and eliminate. Likewise, the schemes to spread malware are getting more complex and evasive. Even with the advancement of antivirus and anti-malware solutions, keyloggers, spyware, ransomware, and other bad software still constitute a significant part of the cases of data theft at present.
Humans are incapable of identifying malware through a manual scan. Software tools have to be involved in the process. Most malware protection software at present does well in detecting and blocking harmful software and files when it is regularly updated. As such, it is a must to always update operating systems, firmware, and the specific applications installed on a computer. Applications that are not being regularly updated by their vendors in relation to emerging attacks should be removed.
Not all attacks can be identified and stopped even with the most updated security controls, though. There are zero-day exploits that manage to take advantage of vulnerabilities before they are known to security experts. To address zero-day attacks, security firms incorporate next-generation antivirus (NGAV) tech, AI-powered threat simulation and detection, and other cybersecurity technologies in their software.
Other emerging frameworks in security include MITRE ATT&CK™, in which MITRE is a US government-funded organization spun out of the Massachusetts Institute of Technology, and ATT&CK stands for “Adversarial Tactics, Techniques, and Common Knowledge.” This framework takes advantage of a common taxonomy of attacker behavior to model potential attacks. It essentially involves knowing the TTPs (tactics, techniques, and procedures) that attackers undertake, which comprise the patterns of activities or methods associated with a specific threat actor or group of threat actors.
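The following sketch is an added example, not taken from any validation product: it compares two runs of an attack simulation keyed by ATT&CK technique ID, so that a control that worked before a software update or configuration change and fails afterwards shows up as a regression. The record format, the outcome names, and both sample runs are constructed for illustration; only the technique IDs come from the public ATT&CK catalogue.

```python
from dataclasses import dataclass

# Outcome ranking from the defender's point of view: higher is better.
RANK = {"missed": 0, "detected": 1, "prevented": 2}

@dataclass(frozen=True)
class Result:
    technique: str  # MITRE ATT&CK technique ID
    name: str
    outcome: str    # "prevented", "detected" or "missed" (assumed vocabulary)

def index(run):
    """Map technique ID -> Result, rejecting outcomes we cannot rank."""
    out = {}
    for r in run:
        if r.outcome not in RANK:
            raise ValueError(f"unknown outcome {r.outcome!r} for {r.technique}")
        out[r.technique] = r
    return out

def compare_runs(baseline, current):
    """Return (regressions, untested, coverage) of current against baseline."""
    base, cur = index(baseline), index(current)
    # A regression is any technique handled worse now than in the baseline.
    regressions = sorted(t for t in base if t in cur
                         and RANK[cur[t].outcome] < RANK[base[t].outcome])
    # A technique that silently dropped out of testing is also a gap.
    untested = sorted(t for t in base if t not in cur)
    covered = sum(1 for r in cur.values() if r.outcome != "missed")
    coverage = covered / len(cur) if cur else 0.0
    return regressions, untested, coverage

# Constructed sample data: a baseline run and a run after an endpoint update.
BASELINE = [
    Result("T1566", "Phishing", "detected"),
    Result("T1110", "Brute Force", "prevented"),
    Result("T1056.001", "Keylogging", "detected"),
    Result("T1486", "Data Encrypted for Impact", "prevented"),
    Result("T1041", "Exfiltration Over C2 Channel", "detected"),
]
CURRENT = [
    Result("T1566", "Phishing", "detected"),
    Result("T1110", "Brute Force", "detected"),
    Result("T1056.001", "Keylogging", "missed"),
    Result("T1486", "Data Encrypted for Impact", "prevented"),
]

if __name__ == "__main__":
    regressions, untested, coverage = compare_runs(BASELINE, CURRENT)
    print("regressed:", regressions)
    print("no longer tested:", untested)
    print(f"coverage: {coverage:.0%}")
```

A compliance audit taken at the time of the baseline run would have passed; only the repeated run shows the keylogging detection lost and the brute-force control weakened.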
To significantly reduce the possibility of falling prey to zero-day attacks, it is recommended to choose security solutions that include NGAV, user behavior analytics, advanced endpoint detection and response, network traffic analysis, and other related features. These technologies make it possible to detect anomalous patterns in file handling and software operations that can indicate the possibility of an ongoing cyber attack.
It is incumbent upon organizations and individuals who want to protect their data to make it difficult for cybercriminals to steal data. Relying on standard solutions or simply satisfying security compliance requirements is not enough. Aside from installing reliable security controls, security validation or testing also needs to be undertaken. Additionally, it is vital to educate everyone in an organization about cyber threats and the right practices to prevent attacks from succeeding.