Cracking the Code on Data Breach Investigations


There is no shortage of threats for today’s risk mitigation professionals to monitor, but arguably the most critical is a data breach.  We all understand the cost of a data breach, whether it be reputational or financial ruin.  In fact, in an actual data breach event, the best-case outcome is minimal damage because you cannot escape totally unscathed.

I recently read the Verizon 2021 Data Breach Investigations Report with great interest. The report is full of data and is based on a sample size large enough to carry real credibility. The data set included almost 80,000 potential breach incidents, close to 30,000 of which were verified as potential breaches, and around 5,500 of which were confirmed breaches. The data came from 88 countries and was broken down into industry sectors that made sense.

This dovetails into another area of interest that we’ll be discussing in upcoming blogs, and that’s the evolution of risk management in general. The industry is getting broader, and our clients, along with many forward-thinking companies, want to consolidate and rank risks across a broad spectrum: HR concerns like harassment and discrimination; financial concerns like malfeasance and fraud; code of conduct issues like bribery; safety and security issues ranging from extreme weather phenomena to civil unrest; and yes, IT issues like data breaches. The future paints a picture of a consolidated view of all risks, with the impact of each evaluated from remedy costs to reputational damage.

It's smart to think this way. Compartmentalizing risk into silos does not give the business the full view necessary to prioritize response, and in many cases to invest in avoiding those risks altogether.

What did the data breach investigations report reveal?

I can’t cover all the incredibly valuable data and insights from the report, so for this week’s blog I will focus on data asset protection. According to the report, 61% of breaches involved some sort of credential theft to gain access, proving again the importance of responsible use of corporate systems and training on security protocols. We’ve all had that training so many times, yet almost two-thirds of breaches start with somebody clicking on a suspicious link in an email, entering credentials into a phishing scam, or some other human failure. Interestingly, only 3% of those cases involved some sort of vulnerability exploitation. So 20x more breaches occur because of human error, exposing access credentials by not following security best practice, than because systems were hacked.

Criminals and bad actors will always take the path of least resistance. This finding says loudly that most companies have done a good job with IT architecture, firewalls, and other system-level security measures, because that’s not where attackers go for access. The infamous bank robber Willie Sutton, when asked why he robs banks, famously said, “because that’s where they keep the money.” Your prized corporate information is no different: credentials are the keys to the data, and that is what attackers go after. The conclusion is that as good as automated and system defenses have become, human error is easily exploited.

Shifting focus

Companies have spent millions on protection technology, and it’s time to move some of that focus to where the information used for breaches, denials of service, and even ransomware attacks is most vulnerable: your PEOPLE!

The proper techniques can be broken down into a few topics: policies, training, and observation. Let’s start with policies, and maybe more importantly policy enforcement. The right policies must be in place to inform your employees of their responsibilities regarding protection of access to systems. That is not achieved with a policy nobody reads, is tested on, or is trained on. It also includes observational reporting when a policy violation is seen.

At ETHIX360, we work with our clients every day to perform policy audits to make sure they are well organized, easily accessible by employees, and clear in setting employee responsibilities and expectations.  Once the right policies are in place, we work with our clients on the best and most inclusive ways to distribute them, ensure they are read and understood, and most importantly followed.

Relying on automated and technology solutions to protect your company is important, but on its own it is no different from locking the front door and leaving the back door wide open. Knowing that human error invites the bulk of breaches says it’s time to check all the doors.


The ETHIX360 blog brings you weekly updates on all things human resources and compliance.


MEET THE AUTHOR

J Rollins is the co-founder and CEO of ETHIX360. J is a well known leader and innovator who has served on senior leadership teams ranging in responsibility from Chief Revenue Officer, Chief Marketing Officer, SVP of Product Strategy and Chief Operating Officer.


ABOUT ETHIX360

At ETHIX360, our goal is simple: to provide an affordable, flexible, and comprehensive answer to employee communication, policy management, corporate training and case management on issues related to corporate ethics, code of conduct, fraud, bribery, and workplace violence.
