Top four causes of cybersecurity breaches

If it seems like cyberattacks have gone from bad to worse lately, the statistics agree. A number of sources reported that the past year set new records for both the volume and cost of security breaches¹. Some of the most compelling evidence yet comes from a recent study that analyzed the cybersecurity investments, practices, and performance of 1,200 prominent organizations around the world.² The study’s findings are summarized in a wide-ranging report entitled “Cybersecurity Solutions For A Riskier World,” published earlier this year. Among the report’s conclusions: the average number of cybersecurity incidents disclosed by participating organizations increased by 15.1% in 2021. And “material breaches”—defined as “those generating a large loss, compromising many records, or having a significant impact on business operations” leaped by a whopping 24.5%.

The study doesn’t just document the mounting toll that malicious activity is taking on organizations. It digs deeper, delving into the root causes that make breaches possible—and that’s where things get really interesting. The four causes cited most often by affected organizations were:

• Human error
• Misconfigurations
• Unknown assets
• Poor maintenance/cyberhygiene

What’s remarkable about this list is that all of these issues are the result of internal factors. They all stem from actions—or inactions—on the part of the organizations themselves. This is a critical observation. While the threat landscape has exploded and malicious activity has surged in recent years, these worsening external conditions do not by themselves account for the rise in breaches. Cyber-attacks ultimately depend on bad actors’ ability to exploit pre-existing security weaknesses—weaknesses arising from errors and oversights inside organizations.

Such errors and oversights are increasingly commonplace these days as companies struggle with rapid technological change, soaring complexity, chronic talent shortages, an uncertain economic climate, supply chain problems, and other disruptions. As the report states, “the advance of digital transformation—and the growing reliance on cloud, open systems, IoT, and other technologies—requires organizations to rebuild their IT infrastructures and platforms. That creates greater room for mistakes in configuration and maintenance and complicates adherence to best practice frameworks.” In addition, the helter-skelter networking of unprotected or under-protected operational technology (OT) devices is creating all sorts of new security gaps.

While that sounds dire, there’s a silver lining in the study’s findings. If the ultimate causes of breaches are internal, as the study makes clear, then so are the remedies. Threat actors may have upped their game, but organizations still have an ace in the hole. By avoiding the mistakes and eliminating the blind spots that make breaches possible, they can dramatically improve security, slash the risk of serious incidents, and mitigate the impacts of incidents that do occur. And happily, there are tools built expressly for that purpose. Skybox policy and change management solutions, for example, can take processes that were previously error-prone, haphazard, and resource-intensive and make them rigorous, reliable, and efficient.

Let’s take a closer look at the four main causes of breaches and see how Skybox solutions address them.

Cybersecurity breach reason #1: Misconfigurations

Study respondents not only cited misconfigurations as a leading cause of breaches, but also as a problem likely to increase in the next two years. As the report explains, “Misconfigurations across applications, systems, platforms, and servers—and neglecting to put new default settings in place—can create dangerous pathways for hackers.”

Configuration changes—whether you’re updating firewall rules, deploying new devices, adding new segments to existing networks, or modifying other settings—are a constant fact of life in network administration. Larger organizations may need hundreds of such changes per week. Errors such as invalid configurations or delays in implementation can lead to serious security holes. Such mistakes happen for a wide variety of reasons, ranging from individual slip-ups (entering the wrong information or misunderstanding the type of configuration needed, for example), to inadequate governance (such as lack of rigorous approval or review processes), to inefficiencies that impede timely execution (cumbersome manual procedures that result in delays and backlogs).

Skybox Firewall Assurance, part of our Security Policy Management platform, can help avert all of these scenarios: It can review the configurations in place in firewalls, audit access rules, and gauge the risk. It does this automatically, rapidly identifying potentially hazardous configurations and providing the context needed to understand and remediate them. Automation eliminates the human element, offloads staff, and makes the whole process fast, reliable, and cost-effective. Skybox Network Assurance (also part of our Security Policy Management platform) can further assist by automatically assessing the state of the network and ensuring that firewall configurations comply with network policies.

While Skybox Firewall Assurance and Network Assurance can help you find and fix existing misconfigurations, Skybox Change Manager helps prevent new misconfigurations from creeping in during change cycles. Change Manager orchestrates firewall change management workflows, evaluates impacts and risks of proposed changes, validates policy compliance, and enforces proper review and approvals. It does all this automatically, ensuring rigorous, efficient, and timely execution, slashing change cycles by days or weeks.

Cybersecurity breach reason #2: Unknown assets

Unknown assets are a perennial problem in both IT and OT domains. Poor documentation, rapid ad-hoc deployment (especially with iOT), and shadow processes leave flying blind. It’s hard to defend what you can’t see, and without complete visibility into their attack surface, many organizations are unaware of vulnerabilities and weaknesses that offer soft targets for cyber attacks.

Skybox Network Assurance can help you find rogue devices and legacy equipment that have fallen off the radar—including assets that are difficult or impossible to scan (like many OT devices). It does this by pulling configuration data from firewalls and network devices (load balancers, routers, switches, access points), along with data from asset repositories such as CMDB or SCCM patch management tools, as well as other sources such HPNA and SolarWinds repositories. This data is automatically normalized and combined in a comprehensive network model. The model not only provides a holistic picture of known assets; it also reveals blind spots where undocumented assets may be hiding (i.e., gateways and interfaces where unknown devices may be connected) and where further exploration is warranted.

Cybersecurity breach reason #3: Human error

To quote the report, “Our research reveals that human error is still a main cause for more than a third of breaches now, and it will continue to rise over the next two years.” To err is human, after all, and mistakes are endemic wherever people are involved. Errors happen for all sorts of reasons, including individual mental lapses, miscommunications, and inadequate training. All of this is exacerbated by severe time pressures and staffing/talent constraints.

While human errors may seem like a permanent fact of life in organizations, Skybox policy management and change management solutions can minimize them in several important ways.

• By replacing fallible human actors with highly reliable automated mechanisms.
• By providing governance that helps people avoid mistakes in cases where human inputs are required, and helps ensure that mistakes are corrected before they go live. Skybox Firewall Assurance and Change Management, for example, keep key personnel aware of areas in need of review and audits—things that when moving at speed, might otherwise be overlooked.
• By enforcing access rules and network segmentation policies that limit the potential damage caused by some types of human errors (e.g., when end-users fall for phishing scams or open infected attachments).
• By dramatically improving the speed and efficiency of processes such as change management, enabling staff to give their full attention where it’s most needed and ensuring that important updates and fixes are implemented in a timely fashion.

Cybersecurity breach reason #4: Poor Maintenance/Cyber hygiene

As the report states, “Overwhelmed and under-resourced security teams often let hygiene slip: poor maintenance remains a nagging issue and potential cause of breaches in many organizations. Currently, 15% of entities are just starting to install proper maintenance processes, and another 45% are only now beginning to make progress.”

Poor maintenance may result from inadequate or poorly designed processes, or it may stem from an inability to execute well-designed processes owing to staffing shortages and/or other resource issues. Whatever the cause, the consequences are the same: misconfigurations, vulnerabilities, and other weaknesses (e.g., outdated and overly permissive access rules) are allowed to fester and accumulate, putting the organization at increasing risk.

The solution is a combination of automated checking and rigorous governance to ensure that rules and configurations are optimized and compliant with policies on an ongoing basis. As described above, Skybox Firewall and Network Assurance products are designed to do just that: collecting data from firewalls and network devices, validating rules and configurations, identifying risks, orchestrating reviews and other critical actions, and keeping key personnel informed and on task. In addition, Skybox’s comprehensive vulnerability management solutions can identify vulnerabilities in need of patching (including vulnerabilities that aren’t detectable with scanning alone). With automated, systematic policy and vulnerability management in place, organizations have to rely on tribal knowledge, sticky notes, and other error-prone and labor-intensive methods that have made it so hard to maintain cyber hygiene in the past.

Stopping breaches at the source

By addressing breaches at the source, and nipping them in the bud, organizations can take control of their destiny and push back against increasingly well-equipped threat actors. While the report describes an alarming rise in breaches overall, it also reveals how a select subset of organizations, using tools and best practices described above, are successfully fighting back. Those leading-edge organizations—that took what the report calls a “risk-based approach” experienced far fewer incidents and breaches over the last two years than did the average company surveyed in the study. Many risk-based leaders had no breaches at all. That’s a remarkable testament to the benefits of a proactive, prevention-oriented security posture.

Citations

1. “Data Breaches Break Record In 2021,” CNET, Jan. 24, 2022. “Businesses Suffered 50% More Cyberattack Attempts Per Week In 2021,” Dark Reading, Jan. 11, 2022. “2021 Cost of a Data Breach Report,” IBM, July 28, 2021. “Corporate Cyberattacks Up 50% Last Year, Cyber Security Intelligence,” Jan. 18, 2022.
2. “Cybersecurity Solutions For A Riskier World,” Thoughtlab, May 2022.