The frequency and severity of data breaches are continuing to grow, with the cost of the average breach rising again in 2021 to over £3 million. The previous year, four in ten UK businesses and a quarter of charities reported having a security breach or attack, according to government figures.
To mitigate this risk, organisations have a variety of options available to them, including technologies such as Multi-Factor Authentication (MFA), Identity and Access Management (IAM) solutions, email filters, intrusion detection software, anti-malware software and cyber security training. Yet businesses frequently make mistakes that fail to address the scale of the problem and leave them exposed to significant risk. Here are five common mistakes organisations make that can lead to data breaches.
The first mistake is relying on cyber security training alone. Training is a common method used by organisations to address the risk of data breaches, and some businesses rely solely on educating their workforce on security practices rather than also investing in technologies such as Multi-Factor Authentication or Single Sign-On to protect against credential-based attacks.
Training on its own, however, is insufficient to protect against the many cyber security risks inherent in modern hybrid cloud environments, especially the most common source of attacks: credentials. Data from a My1Login survey of over 2,000 office workers and business leaders showed that 91% of office workers who had not received training reuse passwords at work, and that for those who had received training the figure still remained high at 85%.
A major reason training has so little impact is that it does not address the core problem, the passwords themselves. Trained employees may be aware that reusing passwords is insecure, but with the average enterprise using 288 different cloud applications, memorising unique credentials for every app in use is impossible. Organisations with high staff turnover also get even less value from training, since the investment walks out of the door with each trained employee who leaves.
When poor security practices persist in an organisation, malicious actors can more easily exploit credentials to cause a data breach. Brute force attacks exploit weak, easy-to-remember passwords. Where passwords are reused, credential-stuffing attacks mean that one compromised account can lead to a breach of any other application that uses the same set of credentials. Having users type passwords, rather than using token-based authentication or having an IAM solution vault the credential and forward it on the user's behalf, also exposes them to phishing, which was the most common action in successful data breaches in 2021. Note that vaulting removes the password from the user's hands but does not by itself stop a user from entering a one-time code on a fake site; only phishing-resistant authenticators (such as FIDO2/WebAuthn), which bind the credential to the legitimate origin, close that gap.
The second mistake is relying on passwords as the primary method of authentication. Passwords remain the leading cause of data breaches, with 61% of breaches involving the use of credentials. Relying on end users to create, manage and enter passwords for accessing applications leaves the organisation exposed to the most prevalent forms of cyberattack.
Short, easy-to-remember passwords are readily broken by brute force. Reused passwords raise the risk of a breach significantly, because once any one set of credentials is compromised, every app that shares those credentials comes under threat.
Reused passwords are a particular problem because 61% of office workers use personal passwords for business applications. This means the initial compromise of credentials can happen through personal accounts used away from the workplace, where the organisation has no controls and users are more vulnerable.
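The two attack patterns described above leave different fingerprints in authentication logs: a brute force attack makes many failed attempts against one account from one source, while credential stuffing makes one or two attempts each against many accounts from one source, because each leaked username/password pair is only tried once. The following is an added example (not from the original article or from My1Login) that classifies sources in a constructed sample log on that basis and lists which accounts then logged in successfully from the attacking source, so that they can be forced to reset. The log format, the five-failure threshold and the 0.8 spread ratio are assumptions for the example.

```python
"""Classify suspicious login sources as brute force or credential stuffing.

Added example; the log format and thresholds below are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log (not real data). Fields: time src_ip user result
SAMPLE_LOG = """\
2021-09-01T08:00:01 203.0.113.7 alice FAIL
2021-09-01T08:00:02 203.0.113.7 alice FAIL
2021-09-01T08:00:03 203.0.113.7 alice FAIL
2021-09-01T08:00:04 203.0.113.7 alice FAIL
2021-09-01T08:00:05 203.0.113.7 alice FAIL
2021-09-01T08:00:06 203.0.113.7 alice OK
2021-09-01T08:05:00 198.51.100.9 bob FAIL
2021-09-01T08:05:01 198.51.100.9 carol FAIL
2021-09-01T08:05:02 198.51.100.9 dave FAIL
2021-09-01T08:05:03 198.51.100.9 erin OK
2021-09-01T08:05:04 198.51.100.9 frank FAIL
2021-09-01T08:05:05 198.51.100.9 grace FAIL
2021-09-01T09:00:00 192.0.2.44 heidi FAIL
2021-09-01T09:00:30 192.0.2.44 heidi OK
"""

FAIL_THRESHOLD = 5     # assumed: minimum failures from one source before alerting
SPREAD_RATIO = 0.8     # assumed: distinct accounts / failures at or above this => stuffing


def parse(log: str) -> List[Tuple[str, str, str, str]]:
    """Split the whitespace-separated log into (time, src_ip, user, result) rows."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        rows.append((ts, ip, user, result))
    return rows


def classify_sources(log: str) -> Dict[str, dict]:
    """Return a verdict per source IP that exceeded FAIL_THRESHOLD failures."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    successes = defaultdict(set)                      # ip -> users who logged in OK
    for _, ip, user, result in parse(log):
        if result == "FAIL":
            failures[ip][user] += 1
        else:
            successes[ip].add(user)

    verdicts = {}
    for ip, per_user in failures.items():
        total = sum(per_user.values())
        if total < FAIL_THRESHOLD:
            continue  # ordinary typo-level noise, ignore
        spread = len(per_user) / total            # 1.0 => every failure hit a different account
        concentration = max(per_user.values()) / total  # 1.0 => every failure hit one account
        if spread >= SPREAD_RATIO:
            kind = "credential_stuffing"
        elif concentration >= SPREAD_RATIO:
            kind = "brute_force"
        else:
            kind = "mixed"
        verdicts[ip] = {
            "kind": kind,
            "failures": total,
            "accounts_targeted": sorted(per_user),
            # any account that authenticated from an attacking source needs a reset
            "compromised": sorted(successes[ip]),
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

In the sample, 203.0.113.7 hammers one account and then gets in, which is the brute force shape; 198.51.100.9 touches six accounts once each and succeeds on erin, which is the credential-stuffing shape and implies erin's password is in a leaked dump; 192.0.2.44 is a user mistyping once and is left alone. In production the same grouping would be applied per time window and the result fed to a password-reset and MFA-enforcement workflow rather than printed.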
Ultimately, while every employee in a business should be aware of cyber security risks, managing credentials should not be left to the individual end user. The sheer number of identities used by the average employee means that, without a corporate-provided solution, they will most likely resort to weak practices and weak passwords, whether through incompetence, ignorance or convenience.
The third mistake is lacking visibility of the cloud applications in use. While organisations have several methods available to secure access to cloud applications, they frequently do not know the full extent of cloud apps in use across the business. According to McAfee, the use of applications that are unknown to and unsanctioned by IT departments is at least ten times larger than known cloud usage. Organisations can only deploy technologies and enforce security measures on applications they are aware of, and with corporate data stored outside the security perimeter of the enterprise, the risk of it being compromised is far greater.
Shadow IT causes further problems when employees use unsanctioned applications to process corporate data. Not only does this increase the likelihood of a data breach through potentially insecure applications, it also creates risk when the employee leaves the organisation and may retain access to corporate applications and data. The lack of access controls for Shadow IT applications, and for the corporate data residing within them, also exposes the organisation to compliance breaches.
Shadow IT also compounds poor security practices that may already be in place. If passwords are reused, an employee whose credentials are compromised on an insecure app could have the same credentials exploited to gain access to other applications. Even where the organisation has invested in technologies such as MFA to mitigate the risk of data breaches, employees may choose alternative apps that are not protected by MFA, again increasing the risk of a breach.
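The practical first step against Shadow IT is discovery: the organisation already has the raw data in its web proxy or DNS logs, so unsanctioned SaaS can be surfaced by grouping outbound traffic by destination domain and flagging domains that are not on the sanctioned list but are used by several employees. The following is an added example (not from the original article or from My1Login) that does this over a constructed proxy log. The log format, the sanctioned list and the two-user minimum are assumptions; the domain grouping uses the last two labels of the hostname, which is a simplification (a real tool would use the public suffix list so that, for example, co.uk domains group correctly).

```python
"""Surface unsanctioned SaaS from a proxy log by destination domain.

Added example; the log format, sanctioned list and thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed proxy log (not real data). Fields: user dest_host bytes_sent
SAMPLE_PROXY_LOG = """\
alice login.microsoftonline.com 5120
alice outlook.office.com 20480
bob app.salesforce.com 8192
bob filesharebox.example 91234
carol filesharebox.example 40960
carol notes.example 2048
dave app.salesforce.com 1024
dave filesharebox.example 7000
erin translate-docs.example 300
"""

# Assumed sanctioned list, expressed as registrable domains
SANCTIONED: Set[str] = {"microsoftonline.com", "office.com", "salesforce.com"}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (simplification, see lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def discover_shadow_apps(log: str, sanctioned: Set[str],
                         min_users: int = 2) -> List[Tuple[str, int, int]]:
    """Return (domain, distinct_users, bytes_sent) for unsanctioned domains
    used by at least min_users people, most widely used first."""
    users_by_domain: Dict[str, Set[str]] = defaultdict(set)
    bytes_by_domain: Dict[str, int] = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        user, host, sent = line.split()
        domain = registrable_domain(host)
        users_by_domain[domain].add(user)
        bytes_by_domain[domain] += int(sent)

    findings = []
    for domain, users in users_by_domain.items():
        if domain in sanctioned:
            continue
        if len(users) < min_users:
            continue  # a single user is a follow-up, not yet a shadow app
        findings.append((domain, len(users), bytes_by_domain[domain]))
    # widest adoption first, then by volume of data leaving the perimeter
    findings.sort(key=lambda f: (-f[1], -f[2]))
    return findings


if __name__ == "__main__":
    for domain, users, sent in discover_shadow_apps(SAMPLE_PROXY_LOG, SANCTIONED):
        print(f"{domain}: {users} users, {sent} bytes sent")
```

On the sample data only filesharebox.example is reported: three staff are uploading to it and it is not on the sanctioned list, so it is exactly the kind of application that holds corporate data outside any access control. The single-user domains are kept out of the report by the threshold but would be worth a second pass, since the bytes-sent column already hints at which of them carry data.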
The fourth mistake is adopting solutions that do not cover the whole estate. Whichever solutions an organisation adopts to mitigate the risk of data breaches, they must be compatible with the breadth of technologies in use across the organisation. Most organisations operate a hybrid model of cloud and on-premise applications, and any new solution, such as Single Sign-On or MFA, must work with all of these apps if every resource on the network is to be protected.
However, a solution that is compatible with all applications at the time of implementation may not remain so. As the business grows, the solution must scale with it and must support any new applications or technologies that are adopted, otherwise the full estate will no longer be protected. A practical check before purchase is whether each application can be integrated through a standard federation protocol (SAML or OpenID Connect) and, for legacy apps that cannot, whether the solution offers a fallback such as credential vaulting, because every app left outside the solution is a gap. Ultimately, a lack of compatibility means a lack of protection, and the organisation may have the illusion of having mitigated the risk of data breaches while vulnerabilities remain.
The fifth mistake is relying on manual deprovisioning. Organisations that depend on administrators manually removing users from third-party applications when they leave the business or change roles introduce additional cyber security risk from human error. Administrators can fail to deprovision employees who change roles or leave, or be unaware that a user was only granted temporary access. Employees can also fail to accurately disclose all of the applications they were using to process corporate data.
If users are not deprovisioned automatically from all applications, they can retain access to corporate data after leaving the organisation. This is a significant breach risk, especially when employees leave to join competitors. In a Ponemon Institute study, 40% of employees admitted to taking information from a former employer to use in their next job.
When passwords are reused, user accounts that have not been deprovisioned also create a long-tail risk for the business: the data could be subject to a credential-stuffing attack if the former employee's username and password are compromised, even if this happens many years after they have left the organisation.
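Automatic deprovisioning comes down to treating the HR system as the source of truth and continuously reconciling every application's account list against it. The following is an added example (not from the original article or from My1Login) that performs that reconciliation over a constructed HR roster and constructed account exports from three applications. It flags three cases the article describes: leavers who still hold accounts, movers whose new department is no longer entitled to an app, and accounts with no matching person at all, which are typically shared or forgotten logins and are the ones a leaver can keep using. The roster fields, the entitlement policy and the action names are assumptions for the example.

```python
"""Reconcile application accounts against the HR roster to find access
that should have been removed. Added example; data and policy are assumed.
"""
from typing import Dict, List, Set, Tuple

# Constructed HR roster (not real data): employee id -> (email, status, department)
HR_ROSTER: Dict[str, Tuple[str, str, str]] = {
    "E001": ("alice@example.com", "active", "sales"),
    "E002": ("bob@example.com", "left", "sales"),        # leaver
    "E003": ("carol@example.com", "active", "engineering"),  # moved out of sales
    "E004": ("dave@example.com", "active", "finance"),
}

# Assumed entitlement policy: which departments may hold an account in each app
ENTITLEMENTS: Dict[str, Set[str]] = {
    "crm": {"sales"},
    "ledger": {"finance"},
    "wiki": {"sales", "engineering", "finance"},
}

# Constructed account exports (not real data): app -> account emails present in the app
APP_ACCOUNTS: Dict[str, Set[str]] = {
    "crm": {"alice@example.com", "bob@example.com",
            "carol@example.com", "shared-sales@example.com"},
    "ledger": {"dave@example.com", "bob@example.com"},
    "wiki": {"alice@example.com", "carol@example.com"},
}


def reconcile(hr: Dict[str, Tuple[str, str, str]],
              entitlements: Dict[str, Set[str]],
              app_accounts: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (app, account, action) for every account that should not exist as-is."""
    by_email = {email: (eid, status, dept) for eid, (email, status, dept) in hr.items()}
    actions = []
    for app, accounts in app_accounts.items():
        allowed = entitlements.get(app, set())
        for email in sorted(accounts):
            record = by_email.get(email)
            if record is None:
                # nobody in HR owns this login: shared or orphaned, needs a human decision
                actions.append((app, email, "review_unmatched"))
            elif record[1] != "active":
                actions.append((app, email, "deprovision_leaver"))
            elif record[2] not in allowed:
                actions.append((app, email, "deprovision_mover"))
    return actions


def remaining_access(email: str, app_accounts: Dict[str, Set[str]]) -> List[str]:
    """Apps in which a given person still holds an account (leaver check)."""
    return sorted(app for app, accounts in app_accounts.items() if email in accounts)


if __name__ == "__main__":
    for app, email, action in reconcile(HR_ROSTER, ENTITLEMENTS, APP_ACCOUNTS):
        print(f"{app:7} {email:28} {action}")
```

On the sample data bob, who has left, still holds accounts in both the CRM and the ledger; carol kept her CRM account after moving to engineering; and the CRM contains a shared login that no individual owns. Running this reconciliation on a schedule, and wiring the deprovision actions to the applications' provisioning APIs, is what turns a manual leaver checklist into the automated control the article recommends.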
By deploying an Identity and Access Management solution, organisations can retain full control of access to applications, ensuring that only the right users have access to the right resources when they need them. Taking responsibility for managing credentials away from end users, and giving the organisation complete control and visibility, significantly mitigates the risk of data breaches.
Read more on how Identity & Access Management helps mitigate the risk of data breaches.