5 steps to deal with the inevitable data breaches of 2023


Cyberattackers are stepping up the pace of attacks by out-innovating enterprises, making large-scale breaches inevitable in 2023. In the last two months, T-Mobile, LastPass and the Virginia Commonwealth University Health System have all been hit with significant breaches. 

Thirty-seven million T-Mobile customer records were compromised in a breach the U.S.-based wireless carrier discovered on January 19 of this year. Password management platform LastPass has seen multiple attacks leading to a breach of 25 million users’ identities. VCU uncovered a breach earlier this month where more than 4,000 organ donors and recipients had their data leaked for more than 16 years.  

Breaches: The fallout of failed perimeter defenses 

Breaches result when cyberattackers find new ways to evade perimeter defenses, allowing them to access networks undetected and infect them with malicious payloads, including ransomware. Perimeter defenses’ many failures are often cited by enterprises that have lost millions and even billions of dollars to successful attacks. One of the biggest challenges in stopping data breaches is that they have many different causes, including human error as well as external attacks. These variations make it difficult for perimeter-based security systems to detect and stop breach attempts. Equally troubling is the fact that dwell times are increasing to nearly nine months.

Even with increased cybersecurity spending, breaches will surge in 2023  

CEOs and the boards they work for are correctly seeing cybersecurity spending as a risk containment and management strategy worth investing in. Ivanti’s State of Security Preparedness 2023 Report found that 71% of CISOs and security professionals predict their budgets will jump an average of 11% this year. Worldwide spending on information and security risk management will reach a record $261.48 billion in 2026, soaring from $167.86 billion in 2021. The troubling paradox is that ransomware, and more sophisticated attacks, keep succeeding despite these ever-growing cybersecurity and zero-trust budgets.

The balance of power leans towards cyberattackers, including organized cyber-criminal groups and advanced persistent threat (APT) attack groups. Cyberattacks are increasing in sophistication and severity, with attackers studying an organization for months and then attacking it with a “low and slow” strategy to avoid detection. The attacked organizations are too dependent on perimeter-based defenses, which the most advanced cyberattackers devise new ways to breach. Ivanti’s study predicts that this year will be challenging for CISOs and their teams, with increasing ransomware, phishing, software vulnerabilities and DDoS attacks. “Threat actors are increasingly targeting flaws in cyber-hygiene, including legacy vulnerability management processes,” Srinivas Mukkamala, chief product officer at Ivanti, told VentureBeat.

Kevin Mandia, CEO of Mandiant, said during a “fireside chat” with George Kurtz at CrowdStrike’s Fal.Con event last year, “I’ve been amazed at the ingenuity when someone has six months to plan their attack on your company. So always be vigilant.” 

Operations are the attack vector of choice 

All it takes is one exposed threat surface, or a bypassed perimeter defense system that relies on decades-old technology, for an attacker to shut down supply chains and demand huge ransoms. Often, the softest target yields the largest ransomware payouts. Operations is a favorite for cyberattackers looking to disrupt and shut down an organization’s business and supply chain. Operations is an attractive target for cyberattacks because core parts of its tech stacks rely on legacy ICS, OT, and IT systems optimized for performance and process control, often overlooking security. 
The A.P. Møller-Maersk cyberattack, followed by attacks on Aebi Schmidt, ASCO, COSCO, Eurofins Scientific, Norsk Hydro, Titan Manufacturing and Distributing, Colonial Pipeline and JBS, shows the particular vulnerability of operations. Stuxnet, SolarWinds and Kaseya underscore this too.

Ransomware continues to disrupt industrial operations. New strains integrate operational technology (OT) kill processes and flatten networks to spread into OT environments, and organizations are responding with precautionary shutdowns of OT environments to keep ransomware from spreading. Source: Dragos Industrial Ransomware Analysis: Q4 2022. Published January 23, 2023.

Steps organizations can take to deal with breaches

“Start with a single protect surface … because that’s how you break cybersecurity down into small bite-sized chunks. The coolest thing about doing that is that it is non-disruptive,” advised John Kindervag, an industry leader and creator of zero trust, during a recent interview with VentureBeat. Kindervag currently serves as senior vice president of cybersecurity strategy and ON2IT group fellow at ON2IT Cybersecurity. 

Senior management must embrace the idea that protecting one surface at a time, in a predefined sequence, is acceptable. In an interview at RSA, Kindervag offered guardrails for getting zero trust right. “So, the most important thing to know is, what do I need to protect? And so I’m often on calls with people that said, ‘Well, I bought widget X. Where do I put it?’ Well, what are you protecting? ‘Well, I haven’t thought about that.’ Well, then you’re going to fail.” In his interview with VentureBeat, he stressed that zero trust does not have to be complex, expensive and massive in scope to succeed. He added that it’s not a technology, despite cybersecurity vendors’ misrepresentations of zero trust.

Audit all access privileges, deleting irrelevant accounts and toggling back admin rights

Cyberattackers combine business email compromise, social engineering, phishing, spoofed multifactor authentication (MFA) sessions and more to fatigue victims into giving up their passwords. Eighty percent of all breaches start with compromised privileged access credentials.

It’s common to discover that contractors, sales, service and support partners from years ago still have access to portals, internal websites and applications. Clearing access privileges for no-longer-valid accounts and partners is essential.

Safeguarding valid accounts with MFA is the bare minimum. MFA must be enabled on all valid accounts right away. It is no surprise that it took an average of 277 days — about nine months — to identify and contain a breach in 2022.
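The audit this step describes (find stale or no-longer-valid accounts, accounts without MFA, and admin rights nobody uses) is easy to script once you have an account export. The following is an added example, not code from the article or any vendor; the account records and their field names are constructed for illustration.

```python
# Added example (not from the article): audit a constructed account export for the
# three issues this step names: stale or no-longer-valid accounts, accounts missing
# MFA, and admin rights that have gone unused long enough to toggle back.
from datetime import date

# Constructed sample export; the field names are hypothetical, not any vendor's schema.
ACCOUNTS = [
    {"user": "alice", "type": "employee", "admin": True, "mfa": True,
     "last_login": date(2023, 2, 10), "last_admin_action": date(2023, 2, 9)},
    {"user": "bob-contractor", "type": "contractor", "admin": False, "mfa": False,
     "last_login": date(2021, 6, 1), "contract_end": date(2021, 6, 30)},
    {"user": "carol", "type": "employee", "admin": True, "mfa": False,
     "last_login": date(2023, 2, 11), "last_admin_action": date(2022, 7, 1)},
    {"user": "svc-legacy-portal", "type": "service", "admin": False, "mfa": False,
     "last_login": None},
]
AUDIT_DATE = date(2023, 2, 15)   # the "today" used when the audit runs

STALE_DAYS = 90        # no sign-in for this long -> candidate for deletion
ADMIN_IDLE_DAYS = 60   # admin rights unused for this long -> toggle back to standard user

def audit_accounts(accounts, today):
    """Return {'delete': [...], 'enable_mfa': [...], 'remove_admin': [...]}."""
    findings = {"delete": [], "enable_mfa": [], "remove_admin": []}
    for a in accounts:
        user = a["user"]
        last = a.get("last_login")
        contract_end = a.get("contract_end")
        stale = last is None or (today - last).days > STALE_DAYS
        expired = contract_end is not None and contract_end < today
        if stale or expired:
            findings["delete"].append(user)
            continue  # an account slated for deletion needs no further remediation
        if not a.get("mfa"):
            findings["enable_mfa"].append(user)
        if a.get("admin"):
            last_admin = a.get("last_admin_action")
            if last_admin is None or (today - last_admin).days > ADMIN_IDLE_DAYS:
                findings["remove_admin"].append(user)
    return findings

if __name__ == "__main__":
    for action, users in audit_accounts(ACCOUNTS, AUDIT_DATE).items():
        print(f"{action:12s} {', '.join(users) or '-'}")
```

Run against a real export, the `delete` list is the set of accounts to disable first, before the MFA and admin-rights fixes are applied to what remains.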

Look at multifactor authentication from the users’ perspective first

Securing every valid identity with MFA is table stakes. The challenge is to make it as unobtrusive yet secure as possible. Contextual risk-based analysis techniques show the potential to improve the user experience. Despite the challenges to its adoption, CIOs and CISOs tell VentureBeat that MFA is one of their favorite quick wins because of how measurable its contributions are to securing an enterprise with an added layer of protection against data breaches.

Forrester senior analyst Andrew Hewitt told VentureBeat that the best place to start when securing identities is “always around enforcing multifactor authentication. This can go a long way toward ensuring that enterprise data is safe. From there, it’s enrolling devices and maintaining a solid compliance standard with the Unified Endpoint Management (UEM) tool.”

Forrester also advises enterprises that want to excel at MFA implementations to add what-you-are (biometric), what-you-do (behavioral biometric) or what-you-have (token) factors to legacy what-you-know (password or PIN code) single-factor authentication implementations.

Keep cloud-based email protection programs updated to the latest versions

CISOs have shared with VentureBeat that they are pushing their email security vendors to strengthen their anti-phishing technologies and execute zero-trust-based control of possibly dangerous URLs and attachment scanning. Leading vendors in this area use computer vision to recognize URLs to quarantine and eliminate.

Cybersecurity teams are shifting to cloud-based email security suites that offer integrated email hygiene functions to turn this into a quick win. Paul Furtado, VP analyst at Gartner, in the research note How to Prepare for Ransomware Attacks [subscription required], advised to “take into account email-focused security orchestration automation and response (SOAR) tools, such as M-SOAR, or extended detection and response (XDR) that encompasses email security. This will help you automate and improve the response to email attacks.”

Self-healing endpoints are a strong line of first defense, especially in operations

From the supply chains they enable to the customer transactions they fulfill, operations are the core catalyst that keeps a business running. Their endpoints are the most critical attack surface to secure and make more cyber-resilient.

CISOs need to replace legacy perimeter-based endpoint security systems with self-healing endpoints that deliver more cyber-resilience. Leading cloud-based endpoint protection platforms can monitor devices’ health, configurations, and compatibility with other agents while preventing breaches. Leading self-healing endpoint providers include Absolute Software, Akamai, BlackBerry, CrowdStrike, Cisco, Ivanti, Malwarebytes, McAfee and Microsoft 365. Cloud-based endpoint protection platforms (EPPs) provide an efficient onramp for enterprises looking to start quickly.

Track, record, and analyze every access to the network, endpoints, and identity, to spot intrusion attempts early

It is essential to understand how zero trust network access (ZTNA) investments and projects can be beneficial. Monitoring the network in real time can help detect abnormalities or unauthorized access attempts. Log monitoring tools are very effective at recognizing unusual device setup or performance issues as they occur. Analytics and artificial intelligence for IT Operations (AIOps) help detect discrepancies and connect real-time performance events. Leaders in this area include Absolute, DataDog, Redscan and LogicMonitor.

Absolute Insights for Network (formerly NetMotion Mobile IQ) was launched in March of last year and shows what’s available in the current generation of monitoring platforms. It’s designed to monitor, investigate and remediate end-user performance issues quickly and at scale, even on networks that are not company-owned or managed. It also gives CISOs increased visibility into the effectiveness of ZTNA policy enforcement (e.g., policy-blocked hosts/websites, addresses/ports, and web reputation), allowing for immediate impact analysis and further fine-tuning of ZTNA policies to minimize phishing, smishing and malicious web destinations.
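One concrete "intrusion attempt spotted early" that this step and the earlier note on MFA fatigue both point at is a burst of push prompts to one user followed by an approval. The block below is an added example, not code from the article or any of the products named; the authentication log lines and their format are constructed for illustration.

```python
# Added example (not from the article): scan constructed authentication log lines for
# an MFA-fatigue pattern (repeated push prompts to one user inside a short window,
# especially one ending in an approval) so the attempt surfaces before dwell time grows.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is hypothetical, not any vendor's.
LOG_LINES = """
2023-02-14T08:01:12Z user=carol event=mfa_push result=denied src=203.0.113.7
2023-02-14T08:01:40Z user=carol event=mfa_push result=denied src=203.0.113.7
2023-02-14T08:02:05Z user=carol event=mfa_push result=denied src=203.0.113.7
2023-02-14T08:02:50Z user=carol event=mfa_push result=approved src=203.0.113.7
2023-02-14T08:03:01Z user=carol event=login result=success src=203.0.113.7
2023-02-14T09:15:00Z user=alice event=mfa_push result=approved src=198.51.100.4
2023-02-14T09:15:03Z user=alice event=login result=success src=198.51.100.4
""".strip().splitlines()

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
                     r"result=(?P<result>\S+) src=(?P<src>\S+)")
WINDOW = timedelta(minutes=10)
PROMPT_THRESHOLD = 3   # this many pushes inside WINDOW counts as a fatigue burst

def parse(line):
    rec = LINE_RE.match(line).groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_mfa_fatigue(lines):
    """Return {user: {"prompts": n, "approved_after_burst": bool, "src": ip}} for every
    user who received PROMPT_THRESHOLD or more push prompts within WINDOW."""
    recent = defaultdict(list)   # user -> push timestamps still inside the window
    alerts = {}
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if rec["event"] != "mfa_push":
            continue
        user, ts = rec["user"], rec["ts"]
        recent[user] = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
        if len(recent[user]) < PROMPT_THRESHOLD:
            continue
        alert = alerts.setdefault(user, {"prompts": 0, "approved_after_burst": False,
                                         "src": rec["src"]})
        alert["prompts"] = len(recent[user])
        # An approval arriving inside the burst is the high-severity case: the user gave in.
        if rec["result"] == "approved":
            alert["approved_after_burst"] = True
    return alerts

if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(LOG_LINES).items():
        print(user, alert)
```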

Facing the inevitability of a breach creates cyber-resilience

One of the most effective approaches organizations can take to prepare for a breach is to accept its inevitability and start shifting spending and strategy to cyber-resilience over avoidance. Cyber-resilience has to become part of an organization’s DNA to survive a breach attempt.

Expect more breaches aimed at operations, a soft target with legacy systems that control supply chains. Cyberattackers are looking for ransom multipliers, and locking down operations with ransomware is how they’re going about it.

The steps in this article are a starting point to get better control of operations-based cybersecurity. They are pragmatic steps any organization can take to avert a breach shutting them down.
