Last year, 4.1 billion user records were exposed during Jan-June alone: how’s that for data protection? Can we do better today?
As the past several years have shown, the idea that an established organization can protect its data absolutely is already outdated. Bad actors with vast amounts of knowledge or resources are creating effective, scalable attacks on small, medium-sized and large organizations and the individuals connected to them.
Not to sound too dramatic, but … at some point, we have to acknowledge the sheer reality that protecting yourself completely against these attacks might be an impossibility.
1. Your company’s defenses are only as strong as those of its least tech-savvy team members
There is always a weak human link in your organization. Sooner or later, phishers or social engineers will find that weak link and exploit it to gain access to your data. All it can take to compromise your company’s systems is a single employee absent-mindedly clicking an infected email attachment or granting remote access to a social engineer impersonating “Bob, that guy from IT.”
Countless organizations have been compromised as a result of successful phishing attacks. In fact, that is how 91% of cyberattacks begin. Of course, training the team to spot potential cyberattacks is more necessary than ever. However, employee education isn’t a foolproof solution – you cannot train people to be 100% vigilant in 100% of situations, which means it is only a matter of time until your organization’s data vault is breached due to human error.
2. If an organization or a government really wants to hack you, they can
It is just a matter of how much time and resources they are willing to invest. Most organizations and individuals will not be able to win a technical showdown with a particularly determined adversary.
Whether it is a competitor-sponsored hacker attempting to breach your product development database, a self-replicating botnet launching a DDoS attack so massive it can take down the likes of Facebook and Twitter, or a Kremlin-backed cyber hit squad tasked with sowing political chaos in the US, defending against competent attackers is becoming a near impossibility.
3. Data breaches and leaks can come out years after the fact, and it’s likely you’ve already been impacted
Remember the Marriott (Starwood) data breach back in 2018? Yes, the one where 500 million customer records—including names, addresses, and passport numbers—were exposed and probably sold on a darknet marketplace many times over. Well, the breach actually began in 2014, and attackers had unauthorized access to user data for four years.
Many individuals and organizations think their data is safe, but the most successful breaches are those that go undetected. For years on end.
4. Patches and fixes are reactive and cannot prepare for new threats
Whenever a software vulnerability is discovered, it has usually already been exploited by cybercriminals, far more than once. Tomorrow, many new and undiscovered threats will emerge in the wild, and it will be some time before they are detected and the software is patched.
In this constant game of whack-a-mole, threat actors have an inherent advantage—namely, the fact that time and initiative are always on their side, and security updates are reactive in nature.
Worse still, these countless updates can themselves become a vulnerability: some security patches are not tested over the long term and can end up creating new holes in addition to closing the ones they were intended to fix.
5. Ever-increasing convenience means more of our data is being collected in fewer locations
Free Wi-Fi, one-click sign-ins, integrated tools, Facebook Pay, and similar little comforts make our lives easier, at the cost of making us more vulnerable than ever. They collect our data (whether actively or passively), and they all have known and unknown vulnerabilities.
For an attacker, it is far easier to access the data on such tools than to access bank information or your servers. This means that hackers have a massive treasure trove of services that all hold data about you or your company.
And those post-GDPR prompts to accept cookies on every single website if you are based in the EU? It might only be a matter of time until we accept a trojan or two while mindlessly trying to click away another annoying pop-up.
Start to love incident response planning
Even though protecting data forever might be more difficult than ever, dealing with what happens after a breach still matters.
As more businesses come to terms with the fact that breaches are becoming inevitable, preparing procedures for such eventualities becomes just as important as trying to prevent a crisis from happening.
Post-breach measures like incident response planning, cyber insurance, and cybersecurity communications are slowly gaining popularity across the business landscape, which is a clear sign that a prevention-only approach is no longer enough. Why? Because it is no longer effective.
You do not have to embrace the eventual demise of your cybersecurity strategy, but you definitely should plan for it. Starting today.