Despite increased budgets, better awareness and improved board buy-in, data breaches are not only becoming more common, but also more explosive. Kacy Zurkus asks why

Those who have worked in information security over the past decade or more have watched the industry evolve, including the creation of positions such as the CSO and CISO to strengthen enterprise defenses. While much has changed within organizations over the past several years, attackers and the vulnerabilities they exploit remain largely the same.

Larger enterprises may have increased their information security budgets and introduced better security awareness training, but that is far from universal, which is problematic in today’s interconnected world. Classic problems such as weak password practices and a failure to segment networks continue to create risk for companies that have not advanced their overall security posture. For the most part, the vulnerabilities used in many high-profile attacks have existed for a long time. They have been patched, and sometimes patched again. Unfortunately, many organizations are not updating their software or operating systems, which is one reason why breaches are getting worse despite increased awareness of cyber-threats.

To Patch or Not to Patch

“A large number of vulnerabilities are because of bad patching practices,” says Erika Powell-Burson, CISO, Bentley University. “It takes very little effort to exploit a vulnerability that hasn’t been patched, and it shouldn’t take a lot of effort for companies to patch their systems.”

Some organizations aren’t patching even though they understand that patching mitigates risk, largely because they still run legacy systems on which they are heavily dependent. Moving to next-generation technologies takes time, and organizations have to weigh up the risk and reward. “In some cases, it isn’t possible to move from legacy systems, and those systems are no longer supported by the vendors. Plugins may not be compatible, which often means they can’t bring systems up to speed without replacing them,” Powell-Burson adds.

For those organizations that have upgraded, though, there remains the problem of defending against attackers around the clock. It’s what Jamil Farshchi, CISO at Equifax, calls the ‘problem of one’. “Attackers only need to be right once, whereas organizations defending against them need to be right 100% of the time. As businesses grow, they inevitably introduce new technologies, larger attack surfaces and a greater number of digital assets – all of which present a number of new, enticing vulnerabilities for attackers to try to exploit,” Farshchi says.

Given that today’s adversaries can access data or other assets with relative ease, monetizing sensitive data has become a business in its own right. Malicious actors are typically well-funded and have myriad motivations, which translates into ample reason, as well as the resources and incentive, to try to break in.


Where Are the Funds Going?

While organizations may be spending more on security, the last couple of years have seen the threat landscape evolve in ways that companies weren’t prepared to defend against, such as the rise of ransomware and cryptomining. “A lot of CISOs, rightly so, concentrate on protection,” explains Bill Brown, CISO, Houghton Mifflin. “There’s a balance to strike there that leans more towards resiliency than towards prevention and detection.”

Criminals are not only stealing corporate assets; they are also stealing machine time to mine cryptocurrency. “There have been a lot of nuisance attacks and password spraying where criminals might not be targeting an organization, but they find a soft underbelly and see where they can turn a profit. Still, the largest factor is that the landscape that needs to be protected is getting exponentially wider,” Brown adds.

One side effect of digitization is that the perimeter is disappearing, creating more risk through third and fourth parties. According to a survey from CrowdStrike, 66% of global organizations have experienced a software supply chain attack. “Everybody is moving to the cloud, so they might not know their third party and downline vendors, which is why they need a vendor risk management program,” argues Powell-Burson. “Cloud may be – or in some cases is – safer, but just like anything, they need to check and assess what data is moving through. They have to do their due diligence by doing a risk assessment.”

Risk is often both industry- and company-specific, which makes it difficult for organizations to understand their own risk if they aren’t performing a risk assessment. “Healthcare is a huge target,” says Powell-Burson, who learnt this first-hand in her previous role as the first CSO, in a department of one, at a hospital. “They are non-profit, and while some are bigger than others, many of their budgets are constrained.” Outside the financial sector, where enterprises are shoring up their security with layered defenses, many sectors lack a security methodology altogether, whether for securing the application lifecycle or for policies that span prevention through response.

Advent of the Automated Adversary

In the same way that defenders rely on automation to expedite tasks, cyber-criminals are using automation to attack faster. “They can put on the same malicious offenses with great speed and depth. While AI is not a fully accessible tool for cyber-criminals just yet, its weaponization is quickly growing more widespread. These threats can multiply the variations of the attack, vector or payload and increase the volume of the attacks,” according to Security Intelligence.

The ability to use technology to increase the scale and scope of their attacks gives cyber-criminals an advantage, particularly over companies that have not yet invested in automated tools of their own. Even in these large-scale attacks, the methods are, for the most part, nothing new. The technology simply lets attackers operate at scale. As the attacks are fundamentally the same, Farshchi says: “Focus on the fundamentals and put operational rigor around people and processes rather than investing in the latest and greatest shiny new technology – things like asset management, patch management, network segmentation.”

Doing the fundamentals will stop the vast majority of attacks. It’s also important to keep in mind that, although many organizations have implemented these measures, there are still companies, some of which could be in an organization’s downline, that have not taken these basic steps to prevent attacks. “Attackers almost never need to do anything sophisticated or high-tech to breach a system. They look for the weakest link and try to exploit it,” Farshchi points out.

"Companies need to be aware that breaches will continue to occur because we are adding more devices to our networks"