At the beginning of November, a number of news websites reported that 10 million hotel-related guest files had been open to the whole internet since 2013. A total of 24GB of data, including guest names, national ID information, credit card details, you name it. Your data and mine are probably included. This is just one of a string of similar breaches of personal data, all caused by a configuration error.
Those who work in the industry will know there is a huge market for vendors selling cyber security products and services to help organisations manage their security posture. For those who don’t work in cyber, the market in 2019 was worth around $125 billion.
Nowadays, each year there are several good, credible reports published on why and how organisations are breached. The Verizon Data Breach Investigations Report 2020, for example, states that almost 90% of all breaches in 2019 were the result of three general action categories:
- Hacking – 45% of breaches (the most common hacking action was reusing stolen passwords to log into an organisation’s systems).
- Social engineering – 22% of breaches included social engineering (e.g. phishing emails).
- Errors – 22% of breaches (e.g. misdelivering email, mail-shots or misconfiguring servers).
When you look deeper into the data, it becomes clear that human error is directly involved in almost all of the 90%. Although ‘hacking’ is performed by threat actors, the most common action from this category was simply logging into an organisation’s infrastructure. Yes, you read that right.
Organisations are using weak passwords, or passwords that have been reused and already discovered in previous breaches. Hackers find the password lists online, and try them on different websites and company infrastructure. A superb return on investment from an attacker perspective.
In the last decade, researchers have developed several ways to strengthen and maintain passwords, including password managers, whether cloud-based or keychain-type tools native to certain operating systems, which can store, manage and delete user passwords. These are significantly helpful at the enterprise level, where most data breaches occur as a result of human error.
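One cheap process that addresses the "reused password" problem described above is to reject, at password-set time, any password that already appears in published breach data. The following is an added example, not code from the original post: it indexes a constructed stand-in for a breach corpus by the first five hex characters of each SHA-1 hash, the same "range" layout used by k-anonymity password-check services, so the checker only ever needs a short hash prefix, never the password or its full hash. The corpus and the 12-character minimum are assumptions for illustration.

```python
import hashlib

# Constructed stand-in for a leaked-password corpus. A real deployment would
# load a large set of SHA-1 hashes from published breach data instead.
BREACHED_PASSWORDS = ["password", "Summer2019!", "hotel1234", "Welcome1"]


def build_range_index(passwords):
    """Index a corpus as {5-char SHA-1 prefix: {remaining 35-char suffixes}}.

    This is the k-anonymity 'range' layout: a client reveals only the prefix
    and matches the suffix locally, so the checker never sees the password.
    """
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_breached(password, range_index):
    """True if the password's SHA-1 hash appears in the indexed corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_index.get(prefix, set())


def check_password(password, range_index, min_length=12):
    """Return the list of reasons a password is rejected (empty = acceptable).

    Length and breach-corpus membership are checked instead of composition
    rules, which is the approach NIST SP 800-63B recommends.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password, range_index):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ["hotel1234", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, idx) or "accepted")
```

Run against the constructed corpus, `hotel1234` is rejected for both length and breach membership, while a long passphrase passes. The same check can sit in an account-creation flow or a periodic audit of existing credentials.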
Ultimately, an organisation can purchase all the solutions, but if they configure a database in the cloud and accidentally set it to public instead of private, or use weak passwords on infrastructure, those purchases will probably amount to nothing.
Organisations who are looking to improve their security posture should analyse the breach data in their sector, as well as their own risk-profile before going to vendors for solutions. A vendor solution isn’t often the best option, especially for small and medium sized organisations. Usually the best solutions are processes carried out by the people you already employ.
Sticking with the hotel example above, rather than looking for technology solutions from vendors, consider the following simple processes:
- Standard build templates – create a standard build template for commonly built systems such as cloud databases, which, for example, are set by default to private rather than public.
- Separation of duties / verification checks – don’t allow the people who build things to also deploy them. Or, create verification checks before go-live and before sending sensitive emails or marketing campaigns. This ensures a second person checks something before it is given the green light. For some organisations, more mature change management processes are appropriate.
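Both processes above can be expressed as a few lines of code that run before anything goes live. The example below is an added illustration, not code from the original post or any cloud provider: a standard build template with private-by-default settings, a builder that starts every request from that template, and a go-live gate that enforces separation of duties and rejects the kind of public-access misconfiguration behind the hotel breach. The field names (`public_access`, `allowed_cidrs`, and so on) are assumptions for this example rather than a real provider's API.

```python
# Standard build template: the secure defaults every new cloud database must
# match. Field names are assumed for this example, not a real provider's API.
STANDARD_DB_TEMPLATE = {
    "public_access": False,
    "tls_required": True,
    "encryption_at_rest": True,
    "allowed_cidrs": ["10.0.0.0/8"],  # constructed internal range
}


def render_build_request(name, overrides=None):
    """Start every build from the template; only explicit overrides change it.

    This is what makes 'private' the default: an engineer has to deliberately
    override a field to open anything up, and that override is what the
    go-live check below inspects.
    """
    spec = dict(STANDARD_DB_TEMPLATE)
    spec["name"] = name
    spec.update(overrides or {})
    return spec


def verify_before_go_live(spec, built_by, approved_by):
    """Pre-deployment gate. Returns blocking findings (empty list = approved)."""
    findings = []
    # Separation of duties: the person who built it cannot also sign it off.
    if built_by == approved_by:
        findings.append("separation of duties: builder and approver must differ")
    # Each check compares the candidate spec against the standard template.
    if spec.get("public_access") is not False:
        findings.append("public_access must be False")
    if spec.get("tls_required") is not True:
        findings.append("tls_required must be True")
    if spec.get("encryption_at_rest") is not True:
        findings.append("encryption_at_rest must be True")
    for cidr in spec.get("allowed_cidrs", []):
        if cidr == "0.0.0.0/0":
            findings.append(
                "allowed_cidrs contains 0.0.0.0/0 (open to the whole internet)"
            )
    return findings


if __name__ == "__main__":
    # Constructed requests: one left at template defaults, one opened up.
    good = render_build_request("guest-records")
    bad = render_build_request(
        "guest-records",
        {"public_access": True, "allowed_cidrs": ["0.0.0.0/0"]},
    )
    print("good, alice builds / bob approves:", verify_before_go_live(good, "alice", "bob"))
    print("good, alice builds and approves:", verify_before_go_live(good, "alice", "alice"))
    print("bad, alice builds / bob approves:", verify_before_go_live(bad, "alice", "bob"))
```

The gate returns a list rather than raising, so a deployment pipeline can log every finding and refuse to proceed while the second reviewer sees exactly what departed from the template. Nothing here requires a vendor product; it is the build-and-approve process the post describes, written down so it cannot be skipped.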
Just by performing these two processes, you’ve drastically reduced the chances of errors, which accounted for 22% of all breaches in 2019. Easy, huh? And not a penny spent.
A healthy cyber security posture needs a balance of people, process and technology. And, believe it or not, technology is very often the preferred approach for companies, whilst also being the least effective one.