IT security experts are weighing re the new survey by HSB and Zogby this week, which finds that almost one third of US businesses have been breached in the last year.
Key findings: third-party vendors and contractors are the leading risk factor for data loss (47%), followed by employee negligence (21%), and lost or stolen mobile devices (20%).
Lisa Baergen, APR, MCC, Marketing Director at NuData Security Inc.:
“Fraudsters and organized criminal organizations are increasingly adept at leveraging a company’s valuable data for ransomware and other types of attacks. Moreover, stolen identity sets are usually sold to other cybercriminals and used for a myriad of criminal activities including account takeover (ATO).
“Protecting organizational data from breaches is becoming increasingly challenging – the report shows that 47% of breaches happened through a vendor or contractor working for a business and not through the business itself. To turn it around, companies need to work on implementing intelligent ways to authenticate their customers – despite all the authentication data out there for sale on the dark web. It is not enough to verify users by their personally identifiable information to access an online account, as this is so widely available – and for low cost. Companies need a security intelligence that can evaluate not just the data but also the user behavior through passive biometrics.
“With this additional layer, even if a login attempt is using the correct credentials, companies will know of any potential anomalies in a user’s behavior and add intelligent friction to those risk situations only. A multi-layered solution that also looks at the human behavior won’t avoid data breaches but will devalue stolen data and protect customers and businesses from breach damage.”
John Gunn, Chief Marketing Officer at VASCO Data Security:
“We suspect the real rate of data breaches is significantly higher than reported, simply because many companies lack the forensic capabilities to detect that they have been compromised and that data has been stolen. It underscores the urgent need for businesses to implement multifactor authentication and a risk-based approach to access management.”
Ray DeMeo, Chief Operating Officer at Virsec:
“Unfortunately, these numbers are not surprising and probably underestimate the scope of the problem. For every public example of a data breach there are likely numerous others that have not been discovered. Hacker now leverage extensive “dwell time” – after they have infiltrated a network, but before theft occurs – to survey targets, pivot across multiple servers, find valuable data assets, and plan their exit without leaving tracks left behind. Businesses need to shift their focus, from hoping they don’t get hacked, to assuming that hackers are already lurking in their networks. Pinpointing suspicious behavior and taking action before large scale damage occurs is more important than ever.”
Brad Keller, JD, CTPRP, Sr. Director 3rd Party Strategy at Prevalent, Inc.:
“These findings once again demonsrate that third-party risk is certainly one of the most important and perhaps the most frequently overlooked variable in managing organizational security risk exposure – and also, that effective data protection goes well beyond technical security controls. A vendor’s entire program for education, training, and operational issues related to protecting customer/client data is a critical component of their security – and yours – and must be assessed when evaluating your vendors. Assessing a vendor’s privacy practices as they relate to protecting your data is key to a comprehensive third party risk management program, and is all too often the missing piece of the organization’s cyber security defense-in-depth strategy.”