The number of data breaches has increased every year for more than a decade. Each incident costs companies time, money and resources to repair while inflicting often-irreparable damage to their brand reputation and customer loyalty. This reality only became more apparent during the recent pandemic as threat actors capitalized on the moment’s disruption and uncertainty to wreak havoc on our digital environments.
In 2021, the number of data breaches is already on pace to reach a new record high. In some ways, the omnipresent fear of failure can feel paralyzing or, even more troubling, inevitable. As one particularly exasperated headline recently asked, “Are we waiting for everyone to get hacked?”
Fortunately, for businesses looking to defend their data, IT and intellectual property, the risks are not quite so inevitable. Specifically, Verizon’s 2021 Data Breach Investigations Report found that 85% of data breaches involve a “human element,” giving organizations a clear direction for their cybersecurity initiatives in the second half of 2021 and beyond.
Here are three lessons that business leaders can take from this report and the next steps they can take to begin responding to the human element of data privacy and cybersecurity.
1. Privilege Abuse And Data Mishandling Are Common And Preventable
Privileged users have access to critical IT systems, network applications and company data. Their status makes it especially difficult to detect privileged insiders before they cause a disaster. Verizon estimates that more than 30% of privilege abuse takes months or even years to identify, leaving every organization vulnerable to a disgruntled employee or accidental data exposure.
Of course, these risks are amplified by a growing number of compromised credentials that can give threat actors front-door access to sensitive information. Employee monitoring software (Full disclosure: This is a service my company offers) allows companies to distinguish and track these users, from remote users and third-party vendors to system architects and administrators.
When coupled with a zero-trust, data-loss prevention strategy, every business can rely on employee monitoring to achieve real-time visibility into privileged users, allowing them to take action against accidental or malicious credential misuse before a data breach occurs.
2. Phishing Scams Can’t Be Ignored
Phishing scams (socially engineered malicious messages) increased significantly during the pandemic. Verizon’s analysis found that phishing was present in 36% of data breaches, an 11% year-over-year increase. In addition, business email compromises (BECs) were the second most prominent form of social engineering, with misrepresentation fifteen times more likely to occur than last year.
Critically, leaders need to remember that phishing attacks are not a monolith. A recent Microsoft analysis identified several forms of phishing, including:
- invoice phishing
- payment/delivery scams
- tax-theme phishing scams
- spear phishing
Collectively, there are more than three billion phishing scams sent every day, making it critical that business leaders equip their teams to identify and defend against these scams. Since remote workers may be more likely than their on-site counterparts to fall for phishing scams, teaching and training initiatives have particular urgency in today’s hybrid workforce.
In response, businesses should train employees in phishing scam awareness best practices, providing regular and ongoing instruction to mitigate the risk of a data breach or cybersecurity incident.
3. Accidents Happen (But Carelessness Isn’t An Accident)
People are fallible, and their mistakes can compromise data integrity. It’s estimated that 90% of cloud data breaches can be attributed to human error, while accidental sharing and exposure plague companies of every size in every sector.
However, don’t conflate carelessness with accidents. Notably, most people don’t regularly update their login credentials, even after a data breach, and many people haven’t enabled simple security features like multi-factor authentication.
That’s why companies need to preach good digital hygiene and hold people accountable for those standards. As the NYT report explains, digital hygiene is “the accumulation of day in, day out investments and inconveniences by government, businesses and individuals that make hackers’ jobs harder. And some are very low-tech.”
A Closing Encouragement
As business leaders make strategic decisions to effectively navigate the post-pandemic “new normal,” cybersecurity is increasingly top of mind. With new threats continually emerging, companies can take meaningful steps to defend against the most likely threats. With the vast majority of data breaches including a “human element,” businesses can begin addressing this outsized risk today. Data breaches don’t have to be inevitable, but an adequate defense requires a response, and business leaders should begin that process today.
This article was originally published in Forbes and reprinted with permission.