Top security challenges and how to overcome them: Unanticipated business risks

Welcome to this blog series which highlights the top security challenges organizations are facing and discusses how to overcome them. In this series of five articles, each will target a specific challenge while providing guidance on how to find the method(s) that work for you while meeting your organization’s unique needs to rise above each of the challenges.

Given each organization’s differing needs, requirements, budgetary constraints and regional location, consider the guidance provided here to be less prescriptive (i.e., you need to do this), instead, look at it as listing out the potential options available – alongside their respective strengths and weaknesses – allowing organizations and the administrative teams that support them to develop the security strategy that works best for them while still addressing the threats, attacks and concerns of the modern threat landscape that most impact their business operations, processes, users and of course, data.

In the previous blog, we discussed the challenges facing employee awareness training programs. In this third entry, we pivot over to unanticipated business risks, or those unforeseen vectors that can impact the security posture of an organization. We’ll also be changing the format slightly to incorporate additional risk factors pertaining to this topic, such as:

• Sensitive data for sale
• Hacking groups, like organized crime and nation-states
• Executive and other high-profile targets
• Attacks against third parties in the pipeline
• The role of insider threats

First, however, we turn our attention to the timeline of a breach.

Timeline of a data breach

In and of itself, the timeline or stages of a data breach are vectors that could potentially introduce unanticipated risks in addition to the cyber incident occurring itself. Depending on several factors at each stage, affected organizations and their responses (or lack thereof) could effectively minimize the fallout from attacks – or exacerbate the consequences.

The stages are as follows:

Alerting

The inception of the attack(s) against your organization and its infrastructure. Depending on the threats employed, any number of issues may alert administrators to the attacks, including but not limited to: performance degradation, loss or denial of service(s), missing, altered or corrupted data, unauthorized and unusual login activity and/or notifications from any number of endpoint and security controls in use as part of a defense-in-depth strategy.

During this phase, administrators are trying to ascertain the extent of what is happening and what is being affected. Failure to identify or act on threats in a timely manner could lead to compromising more of the network, endpoints and data as time passes without a response from IT and Security teams. The sooner an issue is detected, the sooner it should be acted upon and (hopefully) this limits the amount of data and systems that are impacted by the next stage in the timeline.

Data leaks

The following stage involves the actual attacks being performed against your organization, whereby threat actors reveal their true intention. Was it to exfiltrate sensitive data? Are they targeting mission-critical services to disrupt business operations? Or, is this an attack sponsored by a nation-state with a political or espionage agenda? The attacks and their targets will provide the answers to these and other questions. Consider the type of vulnerability that led to the attack being possible. Administrators will certainly be asking how to best mitigate this issue, though that will occur in the next stage;it’s always important to be aware of this as soon as possible given that “on average, companies take about 197 days to identify and 69 days to contain a breach”, according to the Cost of a data breach 2022 report by IBM.

During this phase, determining what systems, data and stakeholders are affected as soon as possible is table stakes to minimizing the potential fallout and timely mitigation of breach vectors and impacted resources. In IBM’s report above, the global average total cost of a data breach is $4.35 million. In the US, that amount more than doubles to $9.44 million. And certain industries get hit harder than others, with healthcare leading the pack to the tune of $10.10 million in the average total cost of a breach.

“Days saved are dollars saved when it comes to a data breach.” – IBM

Remediation

The third stage works in conjunction with the prior stage. Here, remediation is the name of the game and having the answers to the questions asked during the data leakage stage will serve impacted organizations well as they start to piece together not just what happened, but align it with what was affected, marrying that with how it was compromised to determine what needs to be done in order to remediate the incident(s), working through them in order of criticality to restore services, data and users back to normal operating baselines.

During this phase, again working with the telemetry data gleaned during phase two, organizations will know what led to the data breach, as well as how to fix it. It is imperative to understand that all organizations will have differing needs and resources available to them to remediate data breaches, so there is no “one size fits all” solution here, just guidelines that may help to cut down on the time, effort and financial resources necessary – including third-party assistance – to resolve issues in as quick a manner as possible. Failure to do so will only serve to extend this phase of the timeline, further incurring greater expense while leaving affected systems vulnerable.

Fallout

It’s important to note that this stage occurs after the technical events of the data breach have been resolved. Think of this stage as being a “post-data breach” event in that, your security posture may have been restored by this time, as well as any affected systems, data and user issues mitigated. Your organization may even be back up and running one hundred percent – except this stage refers to the indirect impact of a data breach on your company. More importantly, it refers to the reputation, public perception, potential compliance and regulatory violations, and legal expenses stemming from the attack by partners, suppliers, and yes, even customers whose PII/PHI may have been exposed/compromised during the breach.

During this phase, there could be a handful of issues that the organization will need to address – all stemming from the data breach. Understanding the various concerns of multiple groups and addressing them in a timely, effective manner will likely make all the difference between reestablishing your customer's trust (and that of your partners, as well) in your business or spending hours of time and unknown sums of money on legal costs, loss of revenue or perhaps even a halt to business operations.

Lessons learned

The final stage in the timeline. This refers to the time after the proverbial dust has settled, the security issues have been resolved and the business is operating normally once again. But alas, there is still much to be done for IT and Security teams and the organization’s processes and workflows. The lessons learned come in the form of not just documenting what occurred and why, but also serving as a watershed moment where management and IT/Security revisit the processes and workflows that make up its security plan to iteratively inform what changes can and should be made to:

• further enhance the security and device posture
• implement corrections to minimize incident response times
• add new controls to protect against novel threats
• streamline and extend protections across the infrastructure

Sensitive data for sale

It’s a sad fact, an untold percentage of the data targeted by threat actors ends up for sale on the dark web to countless anonymous entities for everything from identity theft to committing crimes, like fraud, to blackmailing campaigns requesting money in exchange for not releasing user’s private data to the public, potentially impacting their personal and professional lives.

These and countless other offenses commonly occur not just to personal users but to businesses as well. Well-publicized data breaches that occurred in the past have cost organizations money – a lot of it – as they’ve been threatened by attackers with the release of sensitive and confidential, even mission-critical data tied directly to the company’s revenue stream if they don’t pay. Other times, the data is released without a blackmail threat, and while the release doesn’t impact the company financially upfront it does impact them in different ways later on. One such way is by undermining its product(s) or making critical business data available for its competitors to view, thereby eroding any potential edge the affected business may have had in its market.

Hacking groups, like organized crime and nation-states

While computer security may have developed from a penchant for users looking to better understand hardware and software while letting their curiosity roam free in finding anomalies that could bend devices to do their bidding, it has developed into a very profitable industry in its own right – replete with both white and black hats at either end of the spectrum.

The latter has the advantage of only needing to be right once while the former has to get it right every single time or else face the music in the form of a data breach. That said, a significant cross-section of the “antagonists” of our story is made up of hacking groups. Within these groups are organized crime, nation-states and hacktivists among others. Depending on the group’s agenda, their specialties and the jobs they’ve been hired to perform, this could result in a variety of actions occurring when attacks are performed against organizations.

For example, a nation-state could launch an attack against another country or region in order to weaken its defenses as part of a larger-scale act of war. Another example involves the continued growth of targeting mobile devices; attacks on mobile platforms serve as both a means of targeting a large swath of the global population while also furthering what can be accomplished in the mobile space.

Executive and other high-profile targets

Phishing and all its variations of attack types exist to separate users from their credentials, sensitive data or other crucial information that could be leveraged against the organization, users themselves or sold outright. These attacks continue due to their effectiveness and high rate of success. After all, if a user is just going to give away the information a threat actor is targeting, why spend weeks or months of planning and performing reconnaissance to carve out the right attacks when a hastily crafted email, SMS or social media message scoped to a high-level target will only take a few seconds.

As trends continue to show phishing at the top of the threat list, threat actors continue to refine their campaigns, weaving in other services to finely tune their attacks for maximum success.

Attacks against third parties in the pipeline

Hovering among the top 10 security predictions of 2023, attacks against the supply chain continue to make headlines. Not just for their devastating payloads to the main target, but for the aftermath left in its wake as customers and businesses relying on those services to operate are indirectly placed in the line of fire as well.

A recent Gartner report on assessed that “44% of organizations will substantially increase year-over-year spend” to effectively mitigate risk stemming from supply chain cybersecurity threats.

And regardless of an organization’s size, all have been shown to be affected to some degree or another by these types of attacks historically, though the larger the company the greater the risk attribution will likely be.

The role of insider threats

While the argument can be made that all threats are “hidden”, insider threats lean into this aspect in order to maintain the appearance that all is as it should be…until it’s too late. By insider threats of course we refer to entities that are known to the organization and usually have some form of rights, privileges and permissions to use endpoints, access data and perform other functions related to their job role.

The threat factor comes in the form of a user – knowing or unknowingly – performing action(s) that usually cause the leakage or exfiltration of company data in an unauthorized manner. But beyond that, these actions – malicious or not in their intention – either directly or indirectly, introduce risk that could trigger a data breach. Depending on the reasons behind the insider threat, it is even possible that a threat actor is posing as an employee to introduce the risk needed for a hacking group or other source to perform the data breach.

Key takeaways:

• Frequently revisit and revise security controls, processes and workflows for maximum protection against current and novel threats
• Integrate security solutions to converge endpoint protection, cloud-based identities and device management to form the crux of your security plan
• Leverage in-network and on-device solutions, like Zero Trust Network Access (ZTNA) and encryption to protect data at rest and in motion
• Implement comprehensive, policy-based management to restrict unauthorized data access and exfiltration
• Keep informed as to the latest cybersecurity threats impacting businesses and your industry to best protect against issues specific to your organization
• Align organizational and security policies to configure protections against phishing threats, including security controls that mitigate zero-day phishing attacks and block malicious URLs
• Provide comprehensive, regular employee awareness training to empower stakeholders in identifying and reporting threats properly
• Thoroughly vet partners in your supply chain to identify any security concerns, such as certifications that are not up-to-date and audit their standards and processes
• Perform thorough vetting of prospective employees and stakeholders while incorporating controls based on the principle of least privilege to limit resource access to only what’s needed by employees to perform their role
• Establish an Acceptable User Policy (AUP) that is aligned with company policy to inform stakeholders of the expected behaviors and enforce violations