[BreachExchange] How Small Mistakes Lead to Major Data Breaches

Destry Winant destry at riskbasedsecurity.com
Wed Jul 17 08:39:08 EDT 2019


https://www.cpomagazine.com/cyber-security/how-small-mistakes-lead-to-major-data-breaches/

We keep seeing similar headlines over and over, “Expert Reveals Data
Breach Could Have Been Easily Prevented”. That is often the case. The
smallest mistakes can leave companies vulnerable to cyber attacks.

Four out of five of the top causes of data breaches are down to human
or process error. In other words, these are mistakes that could have
been avoided with security training or more careful attention to
security practices.

So, what kinds of mistakes lead to major data breaches? And what can
you do differently to reduce the risk of one happening to you?

Failure to update software

Software may contain vulnerabilities that attackers can use to get into
your systems. When vendors learn of these vulnerabilities they release
patches to fix them, and those patches arrive as ordinary software
updates.

You have probably heard about the notorious Equifax breach, which
compromised the records of well over a hundred million people. It was
later revealed that the attackers got in through a known vulnerability
in the Apache Struts web framework for which a patch had been available
for months.

This should be a lesson. You must update all software and servers
regularly, and internet-facing systems first. Once a patch is public,
attackers compare it with the old version to find the flaw and then
scan for organizations that have not yet applied it, sometimes within
days of the release.

Weak or stolen passwords

You’d think that people would realize the importance of strong
passwords by now. But, surprisingly, weak or stolen passwords are
still a common cause of data breaches.

Network security company WatchGuard attempted to crack over 355,000
government and military passwords as part of an investigation. It
managed to crack 50% within just two days, and among the most common
passwords it found were “123456” and “password”.

Hence, you and your colleagues need a strong, unique password for
every account, which in practice means generating and storing them in
a password manager rather than reusing one or writing it on a note.
Wherever it is offered, turn on multi-factor authentication, so that a
stolen or cracked password alone is not enough to log in. A VPN
encrypts traffic in transit, but it does nothing about a password that
is weak or has already been stolen.
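The practical counterpart to "strong, unique passwords" is a screening check at the point where a password is set. The following is an added example, not code from the CPO Magazine article or from WatchGuard: it rejects short passwords, passwords on a common-password blocklist, and passwords already present in breach data, and it does the breach lookup with the k-anonymity "range" pattern (send the first five hex characters of the SHA-1, compare the rest locally) so the password itself never leaves the host. The blocklist, the breach corpus and the offline stand-in for the range API are all constructed here; a real deployment would fetch the range over HTTPS from a breach-data service.

```python
"""Screen a candidate password the way NIST SP 800-63B recommends: reject
anything too short, anything on a common-password blocklist, and anything
already present in breach data, doing the breach lookup with the
k-anonymity "range" pattern so the password itself never leaves the host."""
import hashlib
from collections import defaultdict

MIN_LENGTH = 8

# Constructed blocklist: a few of the most common leaked passwords.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "111111", "letmein"}

# Constructed breach corpus (plaintext -> times seen). A real service holds
# only hashes; plaintexts are used here so the example can build a realistic
# range response offline.
CONSTRUCTED_BREACHED = {
    "123456": 37_000_000,
    "password": 9_000_000,
    "Summer2019!": 1_200,
    "letmein": 500_000,
}


def sha1_upper(password):
    """Upper-case hex SHA-1 of the password, the form range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group the corpus by the first 5 hex chars of each SHA-1, as a range API does."""
    index = defaultdict(list)
    for plaintext, count in corpus.items():
        digest = sha1_upper(plaintext)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def offline_range_lookup(prefix):
    """Stand-in for an HTTPS GET of /range/<prefix>; returns 'SUFFIX:COUNT' lines."""
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password, fetch_range=offline_range_lookup):
    """How many times the password appears in breach data.

    Only the 5-character hash prefix is sent; the remaining 35 characters are
    compared locally, so the service learns neither the password nor its hash."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range=offline_range_lookup):
    """Return (accepted, reason). Checks are ordered cheapest first."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "in the common-password blocklist"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "password", "Summer2019!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

Note that the check is only as good as the corpus behind it: the blocklist catches the “123456” and “password” class of failures WatchGuard found, while the range lookup catches passwords that look strong but have already leaked.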

Unattended and unsecured devices

Companies use numerous devices that either store data or can be used
to access it: laptops and tablets, as well as storage media such as
external hard drives, flash drives and backup media. If a malicious
individual steals or gets the chance to access such a device, every
unencrypted file on it is exposed.

To give you a real-world example, an employee of the private medical
practice Cancer Care Group left backup media together with his laptop
in his car. When they were stolen, the private information of tens of
thousands of patients was compromised.

The moral of the story is simple: don’t leave devices holding company
data unattended, and make sure every laptop and every piece of
removable or backup media is encrypted, with the key kept separately
from the device. A stolen encrypted device is a hardware loss; a stolen
unencrypted one is a data breach.

Inadvertently sharing information

Criminals go to great lengths to pass themselves off as legitimate
members of a company or organization. They send phishing emails posing
as a colleague or the IT department to get employees to hand over
private information, such as login credentials.

This type of attack hit 144 US universities in 2018. The attackers ran
a targeted phishing campaign against professors, leading them to
believe they had been logged out of their university accounts and had
to re-enter their details on a look-alike login page. In all, they
stole more than 31 terabytes of data.

The above example shows why all employees need to be vigilant and
verify anybody who contacts them by email or otherwise before acting
on the request. A genuine IT department never needs your password by
email; a request to “log in again” should be checked by going to the
real site directly rather than through the link, and a link whose
displayed address differs from where it actually points is a warning
sign. We must also keep educating ourselves on new threats as they
arise.
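The "you were logged out, sign in again" lure leaves tells that can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from any of the organizations it mentions: it parses a raw message and reports a Reply-To that routes answers to a different domain than the From address, failed SPF/DKIM/DMARC results in the Authentication-Results header, and links whose visible text names one host while the href points at another. Both sample messages are constructed; example.edu stands for the victim's domain and examp1e-edu.com for the attacker's look-alike.

```python
"""Triage an inbound e-mail for the tells of the "your session expired, sign in
again" lure: a Reply-To that routes answers elsewhere, failed sender
authentication, and links whose visible text does not match their target."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the lure described above. example.edu is the
# victim's domain; examp1e-edu.com is the look-alike the attacker controls.
PHISHING_SAMPLE = """\
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: support@examp1e-edu.com
To: professor@example.edu
Subject: Your session has expired - please sign in again
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=examp1e-edu.com; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><p>Your library session timed out. Please visit
<a href="https://examp1e-edu.com/login">https://portal.example.edu/login</a>
to continue.</p></body></html>
"""

# Constructed benign counterpart: same sender, consistent headers and links.
LEGIT_SAMPLE = """\
From: "IT Help Desk" <helpdesk@example.edu>
To: professor@example.edu
Subject: Planned maintenance on Saturday
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass
Content-Type: text/html; charset=utf-8

<html><body><p>The <a href="https://portal.example.edu/">portal</a> will be
offline from 02:00 to 04:00.</p></body></html>
"""


def domain_of(header_value):
    """'"IT Help Desk" <x@Example.EDU>' -> 'example.edu'; '' if there is no address."""
    _, mailbox = parseaddr(header_value)
    _, at, domain = mailbox.rpartition("@")
    return domain.lower() if at else ""


def host_of(url_or_text):
    """Hostname of a URL, or of bare text shaped like 'host/path'; None otherwise."""
    candidate = url_or_text if "://" in url_or_text else "//" + url_or_text
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host if host and "." in host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None


def analyze(raw_message):
    """Return human-readable findings for one message; [] means no tells found."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Authentication-Results is added by the receiving mail server, so a
    # failed result there is the receiver's own verdict, not the sender's claim.
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            if result.lower() in {"fail", "softfail", "permerror"}:
                findings.append(f"Authentication-Results: {method}={result}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = host_of(text), host_of(href)
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but href points to {actual}")
    return findings


if __name__ == "__main__":
    for name, sample in [("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        print(name, analyze(sample) or ["no findings"])
```

These checks are heuristics, not proof: a lure sent from a compromised but genuine account passes all three, which is why the human habit of typing the real address instead of following the link still matters.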

Malicious downloads

There are many types of malware, and attackers produce new variants
every day. There are also many ways it can be planted: through a
software vulnerability, or because an employee opens a malicious
attachment or clicks a malicious link, for example.

One serious breach began with phishing emails sent to a small number
of employees at RSA Security. They carried a spreadsheet attachment
that, once opened, exploited a then-unpatched Adobe Flash flaw and
installed remote-access malware. From that foothold the attackers
worked their way through the network to data relating to RSA’s SecurID
two-factor authentication tokens.

It is sobering that even a security firm can be breached this way, and
that it all started with one opened attachment. The lesson for your
business is to build a security culture in which everybody understands
the risks, and to back it with technical controls: endpoint protection
that is kept up to date, user accounts with only the privileges they
need so one infected workstation cannot reach everything, and network
monitoring so a foothold is noticed before it turns into a breach.


Everybody makes mistakes. If security firms and intelligent people
like professors can make small mistakes that lead to devastating data
breaches, then so can you. It’s your job to limit those mistakes by
implementing the right cybersecurity measures.


More information about the BreachExchange mailing list