Data breaches are becoming more frequent and costly to organizations, and poor cybersecurity and unqualified professionals are often the culprits. So what can companies do to fix the problem?
It seems like every week there’s news of another data breach. Whether it’s a financial institution, a government agency or an international corporation, data breaches are frequent and widespread. In 2016, the average consolidated total cost of a data breach rose to $4 million from $3.8 million the year before, according to the 2016 Ponemon Cost of Data Breach Study.
Troy Hunt is an expert on data breaches and security practices. He’s a Microsoft Regional Director, a Microsoft Most Valuable Professional (MVP) for Developer Security and an international speaker on web security. He also runs the site Have I been pwned?, a free service that aggregates data breaches and helps people find out if their account has been compromised in a breach.
Troy reveals his insights into the causes of data breaches and how companies can improve their cybersecurity.
What are the most common types of data breaches you see?
The most common attack is still a structured query language (SQL) injection. SQL injections feature really heavily in breaches of entire systems because when there is a SQL injection vulnerability, it provides the attacker with access to the entire database.
What industries and businesses are most susceptible to data breaches?
All of them. People love to break it down by verticals, but the reality of it is that any asset that is online and public facing is at risk. As soon as you put anything new online, as soon as you set up a new website, as soon as you plug in a new externally facing webcam, it gets hammered by automated processes. In terms of susceptibility, if you’re online, you’re a target.
What are the best ways for businesses to prevent cyber attacks?
There are a number of different ways of looking at it. I think that the most fundamental thing that makes a big difference for security is the training of technology professionals.
If you’re a business and you’ve got people working for you who are building these systems, making sure they’re adequately trained and equipped is really important.
Data breaches are often related to the fact that people have made bad mistakes.
A perfect example is an Indian pathology lab which had 43,000 pathology reports on individuals leaked publicly. The person who built the lab’s security system was entirely unequipped. We see this all the time with SQL injection as well.
Every time we see SQL injection exploited, very often with major international companies, it’s because someone screwed up the code.
Why is it common for large companies to have these types of errors?
There are a number of factors. One is that companies are always very cost conscious, so they’re always trying to do things on a budget in terms of the development cost.
What that often means is they’re getting underskilled people. It doesn’t really cost anything more to build code that’s resilient to SQL injection. The developers building it have got to know how it works.
For example, if you’re offshoring to the cheapest possible rates in another country, you’re probably going to get inexperienced people of very minimal security prowess.
I think part of it also is there’s not enough acknowledgment that this is a serious risk. Companies generally don’t tend to take it seriously until after they’ve had a bad incident.
You can’t miss it. It’s all over the news every single day about different security incidents, but until it actually happens to an organization, the penny just doesn’t seem to drop.
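The SQL injection point made above (one vulnerability hands the attacker the whole database, and the resilient version costs nothing extra to write) is easiest to see side by side. The following is an added example, not code from the interview or from Troy Hunt: an in-memory SQLite database with constructed sample rows, a login check that splices user input into the query text, and the parameterized rewrite. The table names, rows and attacker payloads are all assumptions made for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a users table and an unrelated reports table
    that an attacker should never be able to read through the login form."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE reports (id INTEGER PRIMARY KEY, patient TEXT, result TEXT);
        -- plaintext passwords only to keep the injection demo short; real systems store hashes
        INSERT INTO users (username, password) VALUES ('alice', 'correct horse');
        INSERT INTO users (username, password) VALUES ('bob', 'hunter2');
        INSERT INTO reports (patient, result) VALUES ('P-1001', 'HbA1c 5.4%');
        INSERT INTO reports (patient, result) VALUES ('P-1002', 'HbA1c 9.1%');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately injectable: user input is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized: the SQL text is fixed and the driver binds the values,
    so input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed attacker inputs. The trailing "--" comments out the rest of the query.
BYPASS_PAYLOAD = "' OR 1=1 --"                                    # log in without a password
DUMP_PAYLOAD = "' UNION SELECT patient || ':' || result FROM reports --"  # read another table


if __name__ == "__main__":
    conn = build_db()
    print("normal login:", login_vulnerable(conn, "alice", "correct horse"))
    print("bypass, vulnerable:", login_vulnerable(conn, BYPASS_PAYLOAD, "x"))
    print("bypass, safe:", login_safe(conn, BYPASS_PAYLOAD, "x"))
    print("dump other table, vulnerable:", login_vulnerable(conn, DUMP_PAYLOAD, "x"))
    print("dump other table, safe:", login_safe(conn, DUMP_PAYLOAD, "x"))
```

The second payload is the one that matters for the "entire database" point: the login form only ever mentions the users table, yet a UNION through the injectable query returns rows from reports. The safe version is the same number of lines; the only change is that the values travel as bound parameters instead of being concatenated into the statement.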
How much does the cyber hygiene of end users have to do with security issues?
It has a lot to do with many of the issues. It doesn’t have anything to do with SQL injection because that is to do with the way the system is built. However, it has a lot to do with things like phishing attacks.
We’re talking about when the individual is opening suspicious mail. They’re falling victim to a well-crafted email which is asking them to enter their credentials.
In terms of personal cyber hygiene, we see a lot of credential-stuffing attacks where the system is compromised, usernames and passwords are taken, and the attackers go use those same usernames and passwords on other accounts because people have reused their passwords.
That is probably the single biggest thing we need to fix from a consumer perspective – good password practices. At the end of the day, we’ve still got a lot of digital problems to solve.
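Credential stuffing as described above has a recognisable shape on the receiving end: one source replays a leaked username/password list, so it touches many distinct accounts with a low success rate. The following is an added example, not from the interview or from Troy Hunt, of a detector run over constructed authentication log lines. The log format, field names, thresholds and addresses are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed authentication log lines (not real traffic). One source address
# walks a list of usernames with a single success; another is a user mistyping
# a password and then getting in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.9 user=bob result=FAIL
2024-05-01T10:00:02Z src=203.0.113.9 user=carol result=FAIL
2024-05-01T10:00:03Z src=203.0.113.9 user=dave result=FAIL
2024-05-01T10:00:03Z src=203.0.113.9 user=erin result=FAIL
2024-05-01T10:00:04Z src=203.0.113.9 user=frank result=OK
2024-05-01T10:01:10Z src=198.51.100.4 user=alice result=FAIL
2024-05-01T10:01:25Z src=198.51.100.4 user=alice result=FAIL
2024-05-01T10:01:40Z src=198.51.100.4 user=alice result=OK
2024-05-01T10:02:00Z src=198.51.100.7 user=bob result=OK
"""

# Assumed line format: "src=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)")


def find_credential_stuffing(log_text: str, min_distinct_users: int = 5,
                             max_success_ratio: float = 0.2) -> dict:
    """Return {src: stats} for sources that tried many distinct usernames with a
    low success rate. Thresholds are assumptions for the sample data, not tuned
    production values; a shared NAT address can exceed them legitimately."""
    per_src = defaultdict(lambda: {"users": set(), "ok_users": set(), "total": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        stats = per_src[m["src"]]
        stats["users"].add(m["user"])
        stats["total"] += 1
        if m["result"] == "OK":
            stats["ok_users"].add(m["user"])

    flagged = {}
    for src, stats in per_src.items():
        ratio = len(stats["ok_users"]) / stats["total"]
        if len(stats["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[src] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["total"],
                "success_ratio": ratio,
                # accounts that accepted a replayed password: reset these first
                "compromised": sorted(stats["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_credential_stuffing(SAMPLE_LOG).items():
        print(src, stats)
```

The successful login buried in the flagged source's attempts is the one that matters: it is the account whose password was reused from another breach, which is exactly the consumer-side problem the answer above points at.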
Interested in helping protect companies from cyber attacks? Explore your options in the Careers in Cybersecurity section to find out more about the field and how you can get the skills to succeed.