While the news sensationalizes cyber threats from bad actors and nation states, the reality is that the largest threat to organizations is their own employees and contractors. Humans are vulnerable and prone to falling victim to schemes aimed at gaining access to company networks. For their part, attackers are sly and cunning and know how to take advantage of a weak link. When organizations take the initiative to learn about common data breach scenarios, they can better prepare and protect themselves.
The Verizon RISK team recently published a report, the Data Breach Digest, outlining the most common data breach scenarios. Threats can come from within an enterprise—including third-party vendor partnerships—as well as outside of it. Here is an overview of five scenarios the RISK team investigated, all of which demonstrate how data breaches can be caused by manipulation of individuals’ actions and emotions.
1. Social Engineering
In an example of this scenario, a company rival e-mailed a chief design engineer. The e-mail masqueraded as a recruitment device, including an attachment with job openings. However, when opened, the attachment installed malicious software that was able to access classified design plans for a new piece of equipment. With these plans in hand, the rival was able to produce a copycat product, and the victim lost intellectual property.
2. Financial Pretexting
Financial pretexting generally involves manipulating human emotions in order to gain access to highly sensitive financial information. In this particular case, a banking organization learned that someone had attempted to wire more than $5 million through FedWire. While the attempt failed because of built-in protective measures, the perpetrator had managed to gain access to company functions by e-mailing an employee. This employee, a regional manager, received an e-mail ostensibly from the company’s CIO, complimenting her. She clicked on a hyperlink in the e-mail, which initiated the installation of malicious software. In this case, the software not only scraped data, but was also capable of initiating wire transfers from the computer.
3. Digital Extortion
Extortion works by demanding that victims pay a ransom in order to recover data, unlock computers and devices, or even regain control of the network. This form of cyberattack represents a growing threat. For one manufacturing and retail company, an extortion attack began when a member of the IT team received two e-mails claiming that the sender held several years’ worth of customer transaction data. After validating the threat, the company revamped its e-commerce platform and publicly admitted that two million customer records had been compromised.
4. Insider Threat
Insider attacks are less common, but can be devastating. These attacks rely on trusted employees or contractors who have privileged access to network data. Verizon reports that the majority (63%) of data breaches over the previous three years involving "insider and privilege misuse" were financially motivated. Most of the remaining cases involved disgruntled employees seeking revenge. In one example given, a company in the middle of a buy-out received a tip that a middle manager was accessing and abusing the CEO’s e-mail account. Ultimately, investigators discovered that the manager was working in concert with an IT administrator to access the CEO’s e-mail account by taking advantage of the spam filter.
5. Partner Misuse
Business partners and trusted vendors are essential to operations, but unscrupulous partners can be disastrous. One oil and gas company experienced a data breach at the hands of a partner gas station company. Several computer systems at the gas station were able to reach the parent company’s network, and one employee was ultimately found responsible.
Protecting Your Organization
These sobering scenarios suggest that companies must be on alert for data breaches caused by humans—whether accidental or intentional. Here are some steps companies can take to protect themselves:
· Provide employee education on common social engineering methods.
· Thoroughly vet all business partners.
· Use multi-factor authentication for access to sensitive data and systems.
· Monitor all networks and limit privileged access.