Data breaches grew in cost and impact in 2022, with a staggering average cost of $9.44 million per breach in the U.S. alone, according to IBM. With new incidents hitting the news almost every day, it’s vital for organizations to understand existing risks to company and customer data.
At Nira, we chronicle these data breaches weekly to identify patterns and learn how to mitigate their repercussions. Here are the 10 main patterns we found:
1. Forty-five percent of breaches occur in the cloud
According to IBM’s annual study on data breach costs, nearly half (45%) of breaches occur in the cloud. When asked in a separate study what percentage of their sensitive data was stored in the cloud, 66% of experts said 21-60%. However, only a quarter of these professionals confirmed they could adequately classify all cloud-based data. Respondents also reported an increase in attacks affecting cloud data and applications, with 26% saying there was an increase in malware, 25% in ransomware, and 19% in phishing attacks.
2. Phishing attacks and social engineering are still major pain points
According to IBM, phishing was the costliest initial attack vector in 2022 with an average cost of $4.91 million per breach. We saw this in multiple breaches this year including incidents at Twitter, Twilio, Dropbox, and security giant Cisco. Threat actors used voice phishing (vishing) where they conducted fake phone calls pretending to be from IT departments and convinced employees to give them confidential data. They also employed smishing (SMS phishing) tactics where they tricked employees into sharing their company login information through text messages. Often, emails and texts from hackers redirected employees to fake phishing landing pages where they unknowingly gave up their credentials.
3. Social engineering can happen to anyone, even experts
Social engineering and phishing attacks happened so often this year, that it led some to question whether employees knew enough about security. However, even the most seasoned security professionals were the victims of social engineering scams. CEOs and higher-level professionals were also targeted, and many took the bait. According to data from AlienVault, half of C-level executives will become victims of phishing attacks at their companies.
4. Multi-factor authentication is critical, but it’s not foolproof
Although implementing multi-factor authentication is an important step to staying secure, it’s not infallible. Threat actors are constantly finding new ways to bypass MFA, often through phishing schemes, like the ones we highlighted above. Most security experts suggest using MFA to secure company data, and cybercriminals are preying on that advice by stealing login information and one-time authentication codes. To combat this, companies like GitLab, are rolling out WebAuthn adoption as part of their security hygiene programs.
5. Most data breaches are not malicious and happen because of accidental errors and misconfigurations
We found time and again that most data breaches this year were not the fault of shadowy hackers or disgruntled employees, but were the result of everyday mistakes that can happen to anyone. In fact, nearly 80% of access risk incidents were caused by human error.
6. But mistakes and misconfigurations still cause massive damage
Although most data breaches were not malicious, they still caused major problems for companies. Negative impacts included media leaks that resulted in erosion of stock prices or damage to the brand. Theft of trade secrets leading to litigation and the revelation of company code were also huge issues. But the most damaging effect could be the loss of customers’ personal data, which led to embarrassing public admissions, expensive cleanups, and failed customer trust. Not to mention lost sales and stalled growth. These incidents also hurt IT and Security teams, who can spend months of valuable time investigating breaches, patching vulnerabilities, and dealing with compliance issues.
7. Employees use their personal accounts to store work credentials and information more often than you’d think
One mistake we saw this year from employees, contractors, and vendors alike was accidentally using their personal email accounts to share or create company files and store work credentials. For example, in May, Cisco was breached after an attacker gained control of an employee’s personal Google account where the employee’s company credentials were stored in its browser.
Over half of employees (52%) admit that they or a coworker have accidentally added their personal account to company documents, and 51% said they accidentally created a document for work using their personal email account. This can cause a multitude of problems for IT and Security teams who don’t have any visibility into employees’ personal accounts and can’t mitigate risks on files shared or created with them without special tooling.
8. Over 80% of security breaches are due to weak or stolen passwords
Personal email accounts often have inadequate password protections, bringing us to another issue we saw this year: weak and stolen passwords. According to LastPass, a company that was also breached twice in 2022, 81% of data breaches are due to weak or stolen passwords. And according to data from Digital Shadows, a staggering 24,649,096,027 account usernames and passwords were exposed by threat actors in 2022 alone. As seen in this year’s breach at Fast Company, an organization that allegedly used the password “pizza123” across multiple employee accounts, not using strong passwords can lead to damaged reputations and costly cleanups.
9. Credential theft continues to be a problem for IT/ Security teams from all industries
The use of stolen or compromised credentials remained the most common cause of data breaches this year, according to IBM. Stolen or compromised credentials were the primary attack vector in 19% of breaches in 2022, and also the top attack vector in IBM’s previous 2021 study. These types of breaches had an average cost of $4.5 million and also boasted the longest lifecycle; it took an average of 243 days to identify the breach and another 84 days to contain it.
Credential theft continues to be a major issue across industries and company sizes. When it comes to employees and contractors, companies should ensure that they have the least number of access privileges needed to do their jobs, while a robust access control system will help mitigate risks.
10. Forming a culture of security can reduce risk
We learned this year that most breaches are due to accidental errors, and issues can also be caused by social engineering. We’ve often heard that employees need a robust security training program and that this will eliminate risk. However, although we are huge proponents of employee education, we also know errors can happen to anyone and even the best scam prevention experts can be scammed. So, what’s the solution? Customers and mentors tell us that it hinges on creating a culture of security in organizations.
We operate under the notion that employees want to do the right thing when it comes to information security, but they don’t always have comprehensive visibility into risks or adequate tools needed to fix issues. IT and Security teams also don’t always have tons of administrative time to spend on employee education, and the lessons learned at a yearly training can quickly be forgotten in a sea of other tasks that take priority.
When it comes to a potential data breach, companies want to be proactive, rather than only reactive. This means alerting employees to risks that really matter and avoiding false positives. It requires IT teams and employees to have comprehensive visibility of issues and then be able to take swift action to fix them. It needs a level of automation so IT and Security admins are not constantly stopping their own work to reach out to employees or to investigate issues. Reducing risks takes multiple teams and departments working together using the right solutions. To learn more about the tools we use to empower employees, visit here.
At the end of 2022, we learned quite a bit from the weekly data breaches we covered. Here are our top eight tips for Security and IT professionals:
Top Eight Tips for IT and Security Teams
- Invest in security for cloud collaboration tools and environments
- Be aware of social engineering and know it can happen to anyone
- Multi-factor authentication is crucial, but you need other protections
- A data breach may not be malicious, but prepare to deal with massive damages anyway
- Don’t store, create, or share work credentials and files with your personal email accounts
- Avoid weak, recycled passwords
- Use an access control system to mitigate risk
- Form a culture of security and give employees the right tools