Another year, another Verizon Data Breach Investigations Report (DBIR), another depressing look into the state of global cybersecurity preparedness.
And once again, the annual report acts as a necessary reminder that, despite an ever-increasing prioritization of cybersecurity programs, there’s still significant room for improvement.
The big takeaway from this year's report is this: Out of the nearly 2,000 breaches analyzed in Verizon’s report, 88 percent were undertaken using a familiar list of nine attack vectors. Eighty-one percent of hacking-related breaches leveraged stolen or weak passwords (more on that later).
In the face of numbers like that, securing your organization may seem impossible. Hackers are using the same techniques, year after year, and yet, many still can’t stop them. But the truth is that the hackers aren’t winning because organizations can’t keep up; they’re winning because most organizations have yet to master the security basics necessary to keep their networks and data secure. In fact, as Bryan Sartin, executive director of Verizon’s Global Security Services says, “There is no such thing as an impenetrable system, but doing the basics well makes a real difference.”
“Often, even a basic defense will deter cybercriminals, who will move on to an easier target,” Sartin explains.
Security Basics: Locking Doors and Windows
Think of your network like a house and your sensitive data like valuables. To protect your home and your belongings, you lock your doors and windows, and you might keep valuables in a lockbox or a safe. Some people go the extra step and install cameras and an alarm system to keep intruders out, but for most, the basics are enough to deter would-be thieves.
Taking basic security measures is like locking your front door and your windows—it won’t stop a determined thief, but it’s enough to ward off most.
That means using two- or multi-factor authentication, keeping software patched and up to date, encrypting sensitive data, automating user lifecycle management, securing privileged accounts, and having a plan of action to follow if you are targeted.
Despite what movies tell us, cybercrime is rarely a targeted, thought-out process. Just like real-world criminals, most hackers are financially motivated (73 percent, according to Verizon) and are looking for the easiest way to make a quick buck.
But while doing the basics will thwart the majority of attacks and lower your risk level, your security journey shouldn’t stop there. First focus on where you are likeliest to be attacked and then build from there.
The Human Element
One of the key takeaways from Verizon’s report is that most attacks are easily preventable, and most of them come down to simple human error. For example, 66 percent of malware used in attacks was installed via email attachments downloaded when users fell for phishing schemes.
Hackers take a spray-and-pray approach to finding soft targets, spamming thousands of fake messages in search of the one employee who will click on a malicious link—and one in 14 does, according to the Verizon report.
However, fighting these kinds of simple tricks isn’t hard: It all comes down to organizational preparedness.
Teach your users how to identify suspicious emails and links. Organizing training sessions for identifying and avoiding fraudulent emails isn’t hard, and it can make a huge difference to organizational security.
You can even go the extra mile and test your users’ security know-how by spamming them with fake phishing emails, which will both increase awareness and identify your users who are most at risk.
How Modern IAM Simplifies Security Basics
Basic best practices and organizational readiness can go a long way, but it’s also important to recognize the role that modern identity and access management (IAM) tools play in minimizing your attack surface and preventing access to critical systems.
One of the easiest ways for hackers to gain access to your systems is by hijacking static passwords, which can easily be cracked or obtained by simple social engineering. As noted above, 81 percent of hacking-related breaches reported in the DBIR utilized stolen or cracked passwords—a shocking percentage, were it not such a familiar story.
This is an issue with a relatively inexpensive and simple fix: Implement multi-factor authentication (MFA) across your privileged users, business-critical network systems, applications, virtual private networks, and servers.
If it seems like too much to implement MFA across all of your users, start with your privileged users, who are involved in 14 percent of breaches, according to the DBIR.
Strong privileged access management capabilities, such as time- and location-based access controls, can also help minimize your ransomware attack surface.
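As an added illustration of the privileged-access controls described above (not code from the DBIR, Identity Automation or any product), here is a small Python policy check that requires MFA for privileged accounts and restricts their sessions by time of day and source network; the trusted address ranges, the time window and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AccessRequest:
    user: str
    privileged: bool      # account holds admin rights
    mfa_verified: bool    # a second factor has already been checked
    source_ip: str
    local_time: str       # "HH:MM" at the authenticating system

# Constructed policy values (hypothetical): privileged sessions are allowed
# only from trusted address ranges and only inside a daily time window.
TRUSTED_NETWORKS = (ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24"))
PRIVILEGED_WINDOW = ("07:00", "19:00")

def in_window(hhmm: str, window: tuple[str, str]) -> bool:
    """True when hhmm lies inside window; a window may wrap past midnight."""
    t = time.fromisoformat(hhmm)
    start, end = (time.fromisoformat(w) for w in window)
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

def from_trusted_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed check is reported, so a
    denial can be logged and reviewed rather than stopping at the first."""
    if not req.privileged:
        return True, ["standard account: privileged controls do not apply"]
    reasons = []
    if not req.mfa_verified:
        reasons.append("MFA required for privileged accounts")
    if not from_trusted_network(req.source_ip):
        reasons.append(f"source {req.source_ip} is outside trusted networks")
    if not in_window(req.local_time, PRIVILEGED_WINDOW):
        reasons.append(f"{req.local_time} is outside the privileged window")
    return not reasons, reasons or ["all privileged checks passed"]

if __name__ == "__main__":
    # Constructed sample requests, not real log data.
    for req in (AccessRequest("alice", True, True, "10.20.30.40", "09:15"),
                AccessRequest("alice", True, False, "203.0.113.5", "02:30"),
                AccessRequest("bob", False, False, "203.0.113.5", "02:30")):
        print(req.user, *evaluate(req))
```

Reporting every failed check, rather than only the first, gives the review team the full picture when an off-hours privileged login from an untrusted network is denied.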
These tools and others—such as single sign-on, self-service password resets, and lifecycle management—can go a long way toward securing your organization from threats and have become increasingly affordable and easy to implement.
But many organizations of all sizes continue to use old, outdated IAM tools, keeping the same defenses from year to year. These legacy systems may meet the needs of compliance and simple password policies, but business needs and the threat landscape have changed, and that change must be addressed.
A modern IAM system can make basic security easy and will give you a platform to grow, evolve, and mature your identity security practices. And it’s easier than you think to implement a full IAM platform. Modern tools such as the RapidIdentity platform were designed from the ground up to deploy quickly—in weeks, not months or years.
But if you aren't ready, you don't have to invest in a full solution. Simply following the best practices outlined above and deploying a few crucial IAM systems can point you in the right direction and get you running faster than your competition.