Judging by reports that come out of various tech industry publications, it looks like faulty software and back-end development problems cause most data breaches. Some of the most publicized incidents in recent months seem to revolve around these kinds of events. The numbers tell a very different story, however.
Researchers from Stanford University and a top cybersecurity organization found that approximately 88 percent of all data breaches are caused by an employee mistake. Human error is still very much the driving force behind an overwhelming majority of cybersecurity problems.
To make matters worse, many IS departments don’t have sufficient resources to educate individual staffers on the best way to manage their data on a network.
The Shocking State of Password Hygiene in 2021
Even though two-factor authentication and biometric security measures have become ubiquitous in the mobile sector, cybersecurity specialists feel that poor password hygiene is still behind many breaches. While users may not necessarily be picking passwords that are easily guessed or spoofed, they’re often keeping them for far too long. In a few cases, researchers have found that the average lifespan of passwords on some web services can be more than a year or two.
Few users want to routinely learn new credentials for each account they have, especially if they have more than 20 or so web logins to manage. Strangely enough, users who could take advantage of a built-in encrypted password manager often don’t. A majority of modern browsers will store passwords and encrypt them. That means users can set as long a password as they’d like and change it as often as they want without having to remember it.
Despite that, many people keep the same passwords for an extended period of time. If a data breach were to occur on one of their accounts, bad actors could potentially gain access to these users’ entire online profiles. Nevertheless, most data breaches don’t start in such a dramatic fashion. Some occur when people simply give away access to some resource.
Small Mistakes that Lead to Big Breaches
IT managers who don’t configure an access control list are inviting bad actors to come and take control of their networks. While it can be tempting to store all of a site’s data in a publicly accessible directory, doing so is like asking someone to steal the information. Administrators also need to make sure that any old credentials belonging to employees who no longer work at their business get switched off. Any account left open could easily be hijacked by a former employee who may want to spirit away their previous employer’s data.
Back in 2019, around 24 percent of all cyberattacks were caused by some form of ransomware. The tragedy here is that an overwhelming majority of the ransomware applications used in these assaults took advantage of attack surfaces that were larger than they needed to be. Simply updating browsers and installing any hotfixes that software vendors pushed out to end users would have been enough to make a significant dent in that figure.
Developers are hard at work solving quite a few of the issues that allow these attack vectors to exist in the first place, but that means very little if people aren’t proactive about using their fixes.
The Ongoing Failure to Take Advantage of Updates
To some degree, programmers have tried to create new tools that can solve some of the issues related to human error that have plagued the computer industry in recent years. Open-source development teams have been talking about a possible phase-out of third-party tracking cookies in the underlying code that powers most browsers, for instance. However, that means very little considering how many people neglect to replace old software. It’s gotten to the point where some specialists have suggested that vendors need to forcibly stop certain applications from working in the hopes of protecting users.
This seems like a heavy-handed approach, but it’s functionally an admission that data breaches are largely caused by individual users working in financial institutions and other sensitive facilities. Most IS departments are still trying to get the users under their control to do basic things, such as install an ad blocker on any mobile device attached to their corporate networks.
For the foreseeable future, however, it seems data breaches will still be primarily caused by human error. Considering that there’s no real way to automate many types of workflows, the status quo will probably continue unless organizations can encourage wiser behavior among every single person who works with them, in every division.