Top three mistakes that lead to data breaches

Lessons from past breaches

Top reasons for data breaches

Data breaches and the number of records exposed has steadily increased over the last six years. In the United States, the number of data breaches has doubled and the number of records exposed has more than tripled.

What’s leading to these breaches? According to Verizon’s 2019 Data Breach Investigations report, the top causes of breaches were:

  • Web applications
  • Stolen Credentials
  • Backdoor attacks (Command and Control malware)

Verizon noted a key element in these attacks is email. In fact, 94 percent of the time, malware was delivered by phishing emails. And 60 percent of the time, the web application compromised was the front-end to a cloud-based email server.

Given that these methods were a factor in a majority of data breaches, what’s making companies vulnerable? Here are three common mistakes that open the door to attack.

Mistake #1: Failing to keep up with security updates and patches

You may not be on top of security updates and patches. But cyber criminals are definitely on top of what needs patching. Word spreads quickly in hacker networks about vulnerabilities. And they are poised to take advantage of them.

So it’s somewhat mind-boggling that so many companies fail to keep their software and systems up to date. Staying on top of your security updates is a simple step that every company should take.

Mistake #2: Failing to address phishing

Phishing attacks and more sophisticated spear phishing remain a mainstay of cyber crime. Why? Because employees and users still regularly fall victim to these types of attacks. In 2018, 32 percent of breaches involved phishing. Phishing opens the door to your data. Employees click a link and accidentally install malware (or backdoor programs) or provide usernames and passwords (stolen credentials) that can then be used to infiltrate the organization.

Admittedly, it’s hard to stop employees from making these mistakes. You can reduce the likelihood by educating and training them. That includes annual, required training on how to recognize illegitimate emails, implementing a system for reporting them, and regularly sending phishing emails to employees to test and remind them about the problem.

Mistake #3: Failing to solve the password problem

That fact is, 81 percent of hacking-related breaches involved stolen or weak passwords. Poor passwords are one issue. Another is the fact that over 70 percent of employees reuse passwords, making a credential stuffing attack more likely to be successful.

If you aren’t addressing the password problem, you’re making yourself a target for cyber criminals.

The password problem

In keeping with a Zero Trust mentality, you need to assume that credentials have been compromised and use a never trust, always verify approach even inside the firewall. Address mistake #3 by solving the password problem.

Two steps companies are taking: reducing passwords through Single Sign-On (SSO) so users can log in once to the corporate portal (or their desktop) and then have access to all their cloud and on-prem apps without having to log in again. And adding Multi-Factor Authentication (MFA), to require that users enter additional information when logging in, beyond their username and password.

Passwordless authentication: Moving beyond passwords

While SSO and MFA help with the password problem, security experts agree that the real solution is to eliminate passwords. They recommend replacing traditional passwords with one-time passwords, biometrics, and trusted certificates. That’s why companies are adopting protocols like OAuth and OpenIDConnect that enable passwordless authentication.

The newest authentication systems use User and Entity Behavior Analytics (UEBA) to build profiles of users and their behavior, then compare the user’s login attempts with that profile to create a risk score for each login. Anomalies, like logging in from a new location or on a new device, flag the login attempt as higher risk.

These cutting-edge systems adapt the authentication experience based on the risk level. A low-risk login might not require any additional information from the user A higher risk login might require the user to answer a security question. A very high risk login might require a one-time password sent via push notification plus the user’s biometrics.

Hackers will continue to attack. Companies will have to avoid the three mistakes above in order to keep their organizations safe. Ultimately, they’ll need to move beyond passwords, eliminating that weak link, and use AI authentication tools to provide secure access in a smart, frictionless way.

About OneLogin
OneLogin’s Identity and Access Management solution secures access through Vigilance AI, SmartFactor Authentication, and Contextual Login Flows. These tools work together to provide end users with fast, easy authentication while providing IT with the security and visibility needed to protect corporate users and data.

Powered by artificial intelligence and machine learning, Vigilance AI ingests and analyzes large volumes of data and leverages User and Entity Behavior Analytics (UEBA) to build a profile of typical user behavior. It identifies and communicates anomalies in real-time for advanced threat defense.

SmartFactor Authentication delivers a context-aware authentication methodology based on AI/ML insights into user behavior. It determines the optimal authentication process for a given login attempt, based on the Vigilance AI risk score

Contextual Login Flows are auto-configured authentication flows determined by the risk analysis. The authentication process adapts and changes to require the appropriate authentication factors and order, using MFA, certificates, and biometric factors.

Equifax breach: In 2017, a failure to patch a known bug, two-months old, felled Equifax. This despite the fact that the software vulnerability was discovered before the breach. From mid-May to July unauthorized data was accessed at Equifax with names, social security numbers, birth dates, addresses, and even driver’s license numbers stolen, affecting more than 146 million people.
Anthem breach: Healthcare company Anthem suffered a breach in 2015 as a result of a phishing attack. Five employees opened an attachment in an email that downloaded a key logger program on their machines, capturing their usernames and passwords. Criminals used that information to hack over 80 million medical records.