Verizon recently released its 2022 Data Breach Investigations Report, giving businesses vital insights into the state of cybersecurity around the world. Drawing on an analysis of over 23,000 incidents and 5,200 confirmed breaches over 15 years, Verizon identifies financial gain as the number-one motive behind cyberattacks.
Almost four out of five breaches were attributable to organised crime seeking to extort hefty ransom sums from businesses, with the payments backed by cyber insurance pay-outs.
Verizon also estimates a 13% increase in ransomware breaches – a rise greater than that of the last five years combined. Additionally, 82% of breaches involved a human element, namely through stolen credentials, phishing, misuse or simple error.
Verizon states that people continue to play a very large role in incidents and breaches alike. This year, 18% of clicked phishing emails are also said to have been opened directly on a mobile phone, highlighting mobile devices as a weak point for business security. Verizon argues that its statistics underline the importance of a strong security awareness programme.
It’s very clear that there is a desperate need for private businesses and public organisations to change their cybersecurity approach. Improving security awareness is good, but directly addressing a problem which has persisted uncontested for nearly two decades is better.
Systemic flaw in access process
There is a widespread belief in the cybersecurity community and media that the main cybersecurity problem is people. This is backed by research such as Verizon’s latest Data Breach Investigations Report, which found that over 80% of cyber attacks and network breaches trace back to human errors involving credentials, specifically credential theft and misuse.
However, that accusation is misplaced. Imagine a road junction where over 80% of the accidents in a town occur, and people start blaming the drivers, suggesting that they should be trained to drive better. What needs to change is the design of the junction, not the people.
Systemic use of weak and reused passwords
In every breach, humans are accused of using weak or reused passwords. This problem is actually not the individual’s fault. First of all, it is impossible to remember hundreds of random passwords like 9f64q3tfAT$Q£532W%. People should never have been put in this situation in the first place. Having no choice in the digital world, they resorted to easy-to-remember passwords – sentences or patterns such as 123456 – to make the process work for them.
Systemic breach of data privacy laws
Weak and reused passwords are not the root cause of breaches. The biggest problem companies face arises when they allow employees to create their own passwords. At that point, companies have lost control of their keys, and therefore of their data and network. If they are ‘not your keys’, it is not ‘your data’. That means companies cannot comply with data privacy laws, which helps explain why data breaches are so common these days.
Systemic dismantling of resilience
On top of losing control of their access, and in an attempt to decrease the number of passwords to be remembered, organisations have adopted single access (Single Sign-On, Identity Access Management, Privileged Access Management) without realising that this automatically removes layers and obstacles for criminals, reducing the number of steps required once they are inside the network.
Having created a golden path for criminals to gain access, scan the network and locate the privilege needed to lock it entirely, they reduced by 94.34% the overall time between initial access and ransomware – from over two months to 3.85 days between 2019 and 2021. In the same process, they have worsened the potential impact of any data breach by putting all their data in the same basket, accessible from a single admin or privileged account.
More cybersecurity tools or training won’t solve the problem
Without closing their access security gaps, increasing budgets for cybersecurity tools or training won’t stop breaches or ransomware, just as putting more gadgets in a car and giving more driving lessons won’t stop road accidents if the road itself is built dangerously. There is no need to train people on password hygiene when they shouldn’t be creating or knowing company passwords in the first place. There is no need to train people on phishing when they can’t give away passwords they don’t know. And there is no need to unplug the whole IT infrastructure when you suspect a breach if every single system has a different password and there is no single point of access from which to lock or steal everything.
A shift in mentality
Over the last few years, the number of cyber attacks has kept rising even as cybersecurity budgets have increased, without many people asking why. Despite over 80% of breaches being linked to human-handled credentials, most of the cybersecurity budget has been spent on infrastructure and system vulnerabilities, the majority of which remain undetected.
But now, massive risks of spillovers into the physical world have pushed people to demand a change in how cybersecurity is done. As an example, US National Cyber Director Chris Inglis recently asked the administration and federal agencies to ‘transform the way they approach and invest in cybersecurity’, as previous efforts have clearly ‘not worked’.
Why people should not make their passwords in the first place
Investing billions of dollars in cybersecurity won’t have an effect unless you can secure your doors. And that starts with not letting employees control the access credentials to the company’s infrastructure and assets. When other people create the digital keys to your entire organisation, you lose both visibility and control over what happens to them.
Really, passwords are just keys
To regain control of their passwords, companies need to treat passwords for what they are: keys. Just as a new employee receives the keys to the building and office on their first day, he or she should receive digital keys when starting a new job, rather than making their own.
The only difference between physical and digital keys is the absence of physical obstacles in the digital world. To steal physical keys, you need to be in close proximity to them. Digital keys, or passwords, can be stolen from anywhere in the world.
Encrypt your keys so they can’t get stolen
In the absence of physical obstacles to credential theft, the most effective measure to protect the keys is to use the method designed for protecting secrets: cryptography. Companies simply encrypt their access credentials and distribute the credentials for every system to each user inside a secure place only that user can access. According to this logic, that addresses the over 80% of breaches that involve credentials.
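As an added illustration of the model described in this section and in the section on weak and reused passwords above, the following Go program sketches a minimal credential vault: the organisation generates a random 256-bit credential per system, the employee never sees or chooses it, and the vault stores only AES-256-GCM ciphertext sealed under a key held on the user's device. This is example code written for this page, not code from the article, from Verizon, or from any product; the vault layout, the function names (issueCredential, Grant, Fetch) and the choice of a per-user device key are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Assumed vault design for this example (not taken from the article):
//   - the organisation issues one random credential per user per system,
//   - each user holds a 256-bit key that lives only on their device,
//   - the vault stores credentials only as AES-256-GCM ciphertext.

const credentialBytes = 32 // 256 bits from the CSPRNG per credential

// newUserKey creates the key that only the user's device holds; it is the
// "secure place only each user can access".
func newUserKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// issueCredential returns a fresh random credential. Because no person
// chooses or memorises it, it can be neither weak nor reused across systems.
func issueCredential() (string, error) {
	raw := make([]byte, credentialBytes)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// seal encrypts a credential under the user's key. The system name is bound
// in as additional authenticated data, so a record issued for one system
// cannot be replayed as the credential for another.
func seal(userKey []byte, system, credential string) ([]byte, error) {
	block, err := aes.NewCipher(userKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The nonce is prepended so each stored record is self-describing.
	return gcm.Seal(nonce, nonce, []byte(credential), []byte(system)), nil
}

// unseal reverses seal; a wrong key, a wrong system name or any tampering
// with the record makes the GCM tag check fail.
func unseal(userKey []byte, system string, record []byte) (string, error) {
	block, err := aes.NewCipher(userKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(record) < gcm.NonceSize() {
		return "", errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(system))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Vault holds only sealed records, keyed user -> system. A copy of the vault
// without the users' device keys yields no usable passwords.
type Vault struct {
	records map[string]map[string][]byte
}

func NewVault() *Vault {
	return &Vault{records: make(map[string]map[string][]byte)}
}

// Grant issues a distinct random credential for each listed system and stores
// it sealed under the user's key. The plaintext is returned only so the
// caller can provision the target systems; it is never shown to the user.
func Grant(v *Vault, user string, userKey []byte, systems []string) (map[string]string, error) {
	if v.records[user] == nil {
		v.records[user] = make(map[string][]byte)
	}
	issued := make(map[string]string)
	for _, sys := range systems {
		cred, err := issueCredential()
		if err != nil {
			return nil, err
		}
		rec, err := seal(userKey, sys, cred)
		if err != nil {
			return nil, err
		}
		v.records[user][sys] = rec
		issued[sys] = cred
	}
	return issued, nil
}

// Fetch is what the user's client calls at login time: it decrypts the
// credential for exactly one system and hands it to that system only.
func Fetch(v *Vault, user string, userKey []byte, system string) (string, error) {
	rec, ok := v.records[user][system]
	if !ok {
		return "", fmt.Errorf("no credential for %s on %s", user, system)
	}
	return unseal(userKey, system, rec)
}

func main() {
	v := NewVault()
	key, _ := newUserKey()
	issued, _ := Grant(v, "alice", key, []string{"vpn", "hr-db"})
	for sys, cred := range issued {
		got, err := Fetch(v, "alice", key, sys)
		fmt.Printf("%-6s decrypt-ok=%v matches=%v\n", sys, err == nil, got == cred)
	}
}
```

The point the program makes is the one the section argues: with a per-system random credential the user never sees, there is nothing to memorise, nothing to reuse, and nothing a phishing page can collect from the user; and because every system has its own credential, compromising the vault host without the device keys does not hand over the network. In a real deployment the device key would itself be protected by the platform's hardware key store, and the nonce-per-record scheme would be complemented by key rotation.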