Throughout the last decade, data breaches have exploded in numbers, regularity, and severity. Consumer concerns around safety have similarly reached new highs, as they continue to bear the brunt of leaky databases and illicit cybercriminals. The security fabric of organizations is being stretched thinner than ever, but a worrying report has found that a concerning number of US employees simply don’t care.
The Danger of Data Breaches
Data breaches are highly dangerous thanks to their free and indiscriminate sharing of deeply confidential data. Nowhere is this more self-evident than in the recent breach suffered by credit reporting firm Equifax. Toward the middle of 2017, Equifax fell foul of a leaky API that attackers used to scrape the personal financial data of 143 million US customers. A month after the initial report was made in 2018, they then added another 2.4 million to that list of potentially affected individuals.
Equifax is hardly the only financial institution suffering from the bite of data breaches: in 2019, Capital One bank finally acknowledged that hackers had access to the personal information of 100 million Americans and 6 million Canadians between 2005 and 2019. According to the bank, malicious actors obtained the information from swathes of credit card applications. This included full names, addresses, contact information, dates of birth, and income. Alongside the individual details of every victim, attackers also gleaned their credit scores, bank balances, payment history, alongside the social security numbers of 140,000 US citizens, and roughly 1 million Canadian Social Insurance numbers.
Unlike most malicious data breaches, the culprit behind the Credit One breach was caught and actually charged for her crimes. Paige Thompson, a former Amazon Web Services employee, posted to code compilation site GitHub about her methodology. She was charged shortly thereafter, pleading guilty to all crimes.
The financial and personally identifiable information that these data breaches let loose onto underground marketplaces can be used for a variety of criminal acts. Theft, for instance, can look like a drained bank account or a line of credit taken out under someone else’s nose. The financial allure of these data breaches go further than theft, though: two-thirds of financial service institutions have experienced attacks that target their market strategies in particular. This economic espionage allows attackers to conduct insider trading attacks, and front-run the market.
The Data Breach Epidemic
The cause of these data breaches is overwhelmingly human error. According to a 2022 report by Verizon, 82% of all data breaches are directly attributable to human elements. This includes incidents wherein employees directly expose information via misconfiguration, or by simply making a mistake that then allows illicit actors access to the organization’s systems.
To combat this threat, organizations need to understand how human error impacts their customers and appreciate the true severity of the risk. The same report establishes how businesses need to care: human-related attacks such as phishing and business email compromise scams cost roughly $5.01 per individual record stolen. The scale of many mature organizations - alongside the sheer wealth of data collected for each customer - has us facing a data breach epidemic that benefits profiteering cybercriminals above all else.
Employees Don't Care
Faced with the reality of ever-leakier databases, a recent survey of 1,500 U.S. employees sought to discover their own levels of concern over cyber risks. Over a third of those surveyed expressed little-to-no concern about data theft at work; a quarter of all employees believed they couldn’t be targeted by cybercriminals at all.
The alarmingly high numbers of employees who overlook the ever-present risk of data breaches is concrete proof that more training is required. There is clearly still confusion over who is responsible for protecting company data, too. Over 75% of the surveyed employees believe it's the IT department's responsibility to protect company data, wholly overlooking the key role that each individual plays in protecting the data they use for their daily roles.
The fact is that US companies are failing to highlight the importance of cybersecurity. Only 41% of surveyed employees work in a company where cyber security and threat awareness training is mandated. 43% claimed they hadn’t participated in any cyber security training, while 31% indicated that their company doesn't offer any security training at all. Bafflingly, these incredibly low rates aren’t thanks to a lack of interest. In fact, cybersecurity is wholly recognized as interesting, with 77% believing as much. 57% of respondents have even started or completed training when offered.
It’s easy to blame the endless data breaches on individual human mistakes. However, in order to survive the onslaught of illicit cybercriminals and ever-tightening regulations, it’s becoming increasingly clear that organizations need to wholly own up for their own data security.
How to Take the Human Error Out of Cybersecurity
The humans that make up organizational power are the first line of defense to any cyberattack. Being able to spot an attack is not a guarantee, but training and education are some of the most powerful forms of cybersecurity that can greatly accelerate an organization’s security stance.
However, employees can’t be the only line of defense. A hybrid approach allows for human identification and reporting, but also needs to fill the gaps for novel and unexpected attacks. Automated access controls represent the latest step in next-gen security; here, a third-party security solution places data at the forefront of organizational security. An automated solution discovers ungoverned data, before classifying it and assessing any potential access vulnerabilities.
From there, the solution continuously monitors who is accessing the sensitive data, and where that data is going. Once you’ve established a rough perimeter, it then becomes possible to detect anomalous behavior and flag up potential data exfiltration before the attacker has run away with that highly confidential data. Alongside continuous monitoring and false positive reduction, incident response time is drastically accelerated. By fostering employee interest in cyberattacks, and reinforcing the perimeter with next-generation security tools, you can protect both employees and customers from the data breach pandemic.
