The high-profile data breach that hit Saks and Lord & Taylor was already eclipsed just days later when news of possible similar attacks at Best Buy, Delta and others hit headlines. While details of the most recent incidents continue to surface, analysts are still looking at the Saks breach, initiated when the retailer’s owner, Hudson’s Bay Company, was targeted.
Gemini Advisory, which first identified the breach at Hudson’s Bay, suggests human error was to blame: An employee likely clicked on a malicious link sent via a phishing scam.
The incident, and similar breaches, reveal the limitations of cybersecurity, even as corporates worldwide continue to increase their investments in the latest-and-greatest security technologies.
Estimates from Gartner, Inc. last December pegged global spending on cybersecurity by corporates will hit $96.3 billion this year, an 8 percent increase from last year. Gartner research director Ruggero Contu cited high-profile attacks, like the Equifax breach, as a key motivator behind this spend.
“Overall, a large portion of security spending is driven by an organization’s reaction toward security breaches as more high-profile cyberattacks and data breaches affect organizations worldwide,” Contu stated when Gartner released its report.
Despite the billions of dollars that businesses spend to safeguard their systems, data breaches continue to occur.
Part of this trend is due to the fact that, just as cybersecurity technologies are evolving every day, cyberattackers’ tactics are similarly changing to adjust to more sophisticated defenses.
“Cybercrimes, a perpetrator can do it in the comfort of their own homes, and just the speed at which technology is moving enables fraudsters to often get the upper hand,” said PricewaterhouseCoopers national forensics leader Domenic Marino in an interview with Global News earlier this year after PwC released new research on small business cybersecurity.
But this trend is also due, in part, to the fact that technology today only goes so far to address cyberthreats. Technology can identify potential malicious links, but if an employee decides to click on it anyway, a cybersecurity system can only do so much to protect the enterprise. Likewise, cybersecurity tools are limited when stopping other employee behaviors that lead to data breaches, like sending credentials or money to bad actors and fraudulent accounts.
According to PwC, 47 percent of fraudsters outside of the enterprise are considered “frenemies” – that is, they have a preexisting relationship with the targeting company as a partner, supplier, service provider or customer. That means employees at the targeted firm are more likely to trust that bad actor and comply with directions that may lead to a data breach.
The latest data from IBM, published last week, indeed found that human error is to blame for most data breaches on the cloud.
The company’s “2018 IBM X-Force Threat Intelligence Index” found that human error helped cloud-related cyberattacks see a 424 percent jump year-over-year in 2017.
IBM warned that some of the most common human errors linked to data breaches involve “basic misjudgment.” This could mean an employee storing sensitive company data on a personal device, or workers falling for phishing emails that lead to a data breach, business email compromise, malware or account takeovers.
“To err is human,” IBM said in its report. “Unfortunately, the lasting effects of a simple mistake in a digital world can be catastrophic. When it comes to data security, the potentially detrimental impact of an inadvertent insider on IT security cannot be overstated.”
According to IBM, a shifting landscape of cyberattacks means greater threat exposure from the inside and a greater need for education, especially when human error comes into play.
Unfortunately, data from MediaPro published in 2016 found that employee awareness of anti-cyberattack strategies remains low. According to a survey of more than 1,000 employees across the U.S., 72 percent of professionals ranked as “Novice” in security awareness, while only 12 percent ranked as “Hero.”
“This survey clearly shows the human threat vector is still largely unsecured, and most organizations don’t really know whether their employees have the necessary level of data protection awareness to avoid preventable incidents,” said Steve Conrad, MediaPro’s founder and managing director, in an announcement at the time. “We invite more organizations and their employees to take this free survey to give them a clearer picture of their human-based risk areas.”
More recently, Dell found in its own survey that 72 percent of professionals admitted they would be willing to share sensitive, confidential or regulated information when prompted.
“When security becomes a case-by-case judgment call being made by the individual employees, there is no consistency or efficacy,” stated Dell VP of Endpoint data security and management, Brett Hansen, when the report was released last year. “These findings suggest employees need to be better educated about data security best practices, and companies must put procedures in place that focus first and foremost on securing data while maintaining productivity.”
IBM’s report emphasized the importance of education and awareness initiatives to combat the internal threat of employee cybersecurity ignorance.
“Throughout the past year, it became clear that threats are just as imminent from within as they are from external sources,” the company warned in its report. “Inadvertent insiders were found to be a major issue for security teams to reckon with, stressing that enterprises’ cybersecurity awareness programs need to keep pace with the changing landscape and provide continued role-based training for all employees.”