Last month, news broke that Ticketmaster had fallen victim to a catastrophic data breach, with personal information from 560 million customers held for ransom.
Only days earlier, the BBC confirmed a breach that left data from 25,000 current and former employees exposed. As the prevalence and sophistication of data breaches grow, so does public awareness of the issue. Phrases like ‘data breach’ might once have been consigned to security teams in backrooms, but have now become household phrases – evidenced by the popularity of Netflix’s recent documentary on the infamous Ashley Madison data breach.
Unfortunately, it’s not a matter of ‘if’ another huge data breach will occur – it’s simply a matter of when. Today organisations of all sizes, not just the big players, have a ticking time bomb on their hands with the potential to detonate their brand reputation and destroy customer loyalty.
How can companies get ahead of falling victim to ‘the next big data breach’?
Why do data breaches occur?
We can trace most data breaches back to one of a few initial causes. In most instances, data breaches are carried out by hackers – who can be lone operators or acting as part of an organised ring. These hacks are usually financially motivated, with those responsible stealing credit card numbers, bank accounts and other financial information – or selling stolen personally identifiable information (PII) on the dark web.
The global average cost of a data breach is rising according to IBM – there’s an estimated $4.45 million at stake – and with it, the incentive for cyber criminals to carry out such attacks is also rising. The scale of impact from just one single data breach can be immense. One of the largest data compromises within the last year involved MOVEit, a file transfer software tool, and had an estimated 72.7 million victims.
Big players like Ticketmaster, BBC and Ashley Madison are understandably prime targets for hackers seeking financial gain, but attacks of this kind can impact anyone. It ultimately comes down to how much friction cyber criminals will encounter when targeting a particular organisation, their goal being to reap the greatest reward with the least amount of effort.
Due to a lack of dedicated cybersecurity teams and finite financial resources to allocate to protective measures, small organisations will often prove easier to successfully infiltrate when compared to the average big player.
The potential reward from a single attack may be smaller, but hackers can combine successful attacks against multiple SMEs to match the financial gain of successfully hacking a large organisation, and with far less effort. SMEs are therefore increasingly likely to fall victim to financially crippling attacks, with 46% of all cyber breaches now impacting businesses with fewer than 1,000 employees.
How are these attacks carried out?
One common attack vector is stolen or compromised credentials – gained via brute force attacks. Another is gaining access to a target network by exploiting weaknesses in websites, operating systems, endpoints, APIs and common software. When hackers locate a vulnerability, they can then plant malware in the network.
For both forms of attack, the rate of success has been significantly accelerated by the use of bots by cybercriminals in recent years. Bots can be used to overload networks at a much faster rate for brute force attacks, and probe websites for weaknesses that can then be exploited at a superhuman rate.
A sign of the rising costs associated with cyber breaches is the increase in cyber insurance premiums from 2023 to 2024. For larger enterprises, having comprehensive cyber insurance is now widely seen as a cost they have to incur in order to do business. For smaller organisations, the ability to absorb the increased cost of cyber insurance will always be more difficult to balance.
How every breach starts
What all breaches and attacks have in common is the initial scanning of possible victims, be it targeted scanning for high profile and high volume companies or just broad scanning across the internet.
The very first step in any attack chain is always the use of tools to gather intelligence about the victim’s systems: the version numbers of unpatched software in use, and any insecure configuration or programming. Any hacker, whether professional or amateur, uses scanning bots or relies on websites like Shodan.io to generate an attack list of victims with vulnerable software. Anything you operate with internet connectivity is highly likely to have been scanned at least once within the last 24 hours.
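An added example, not part of the original article: a small detector that reads web access-log lines and flags the two bot behaviours described above, repeated failed logins (brute force) and probing for many non-existent paths (scanning). The log lines, the `/login` path and both thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format prefix: client IP, request method, path, status code.
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def make_line(ip, method, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return f'{ip} - - [10/Jun/2024:09:00:00 +0000] "{method} {path} HTTP/1.1" {status} 0 "-" "-"'

# Constructed sample: one scanning client, one brute-forcing client, one normal user.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", "GET", p, 404)
     for p in ("/wp-login.php", "/phpmyadmin/", "/.env", "/admin.php", "/old/")]
    + [make_line("198.51.100.23", "POST", "/login", 401)] * 6
    + [make_line("192.0.2.10", "GET", "/", 200),
       make_line("192.0.2.10", "POST", "/login", 401),   # one mistyped password
       make_line("192.0.2.10", "POST", "/login", 302),
       make_line("192.0.2.10", "GET", "/favicon.ico", 404)]
)

def detect(log_text, login_path="/login", max_failed_logins=5, max_missing_paths=4):
    """Return {ip: [labels]} for clients that cross either assumed threshold."""
    failed = defaultdict(int)    # failed login attempts per client
    missing = defaultdict(set)   # distinct paths answered with 404 per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]
        if method == "POST" and path == login_path and status in ("401", "403"):
            failed[ip] += 1
        elif status == "404":
            missing[ip].add(path)
    findings = {}
    for ip, count in failed.items():
        if count >= max_failed_logins:
            findings.setdefault(ip, []).append("brute-force")
    for ip, paths in missing.items():
        if len(paths) >= max_missing_paths:
            findings.setdefault(ip, []).append("scanning")
    return findings

if __name__ == "__main__":
    for ip, labels in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

Counting distinct missing paths rather than total 404s keeps a single broken link that a real visitor reloads from being mistaken for a scan.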
Getting ahead of the breach
All organisations, from SMEs to multi-billion pound companies like Ashley Madison and Ticketmaster, must ensure they’re not an easy target for hackers. As the attack on Ashley Madison demonstrated, the ramifications of a successful attack often go far beyond financial consequences if users of your website have entrusted you with their data. It’s the organisation’s individual responsibility to deliver on the promise to adequately protect its users’ data.
The fewer resources SMEs have at their disposal to build resilient web infrastructure, the greater their chances of becoming a target. But that doesn’t mean that a strong resistance – enough to deter hackers – can’t be created.
Resilient web infrastructure can be built in a number of different ways. Constructing the right toolkit is a good starting point. This includes using data security tools to apply encryption, putting incident response plans in place, improving employee training, and adopting more rigorous approaches to web traffic management to keep malicious traffic off your website before it can ever strike.
Finally, it’s important to remember that it ultimately comes down to strategy, not resources. Even the big players, like Ashley Madison, who had all the resources in the world to prevent a hack, still fell down. The fatal flaw will always be pretending the risk doesn’t exist. The ‘next Ashley Madison’ may be right around the corner, but by taking the time to identify specific vulnerabilities and devise a strategy to safeguard them against hackers, it’s far less likely to be your organisation hitting the headlines next.