There’s no doubt at this point that, in terms of data breaches, 2021 will be one for the record books. The Identity Theft Resource Center (ITRC) reported that the total number of data breaches through September 30, 2021, had already exceeded the total number of events in 2020 by 17%. The numbers can only go up from there, thanks in part to recent zero-day vulnerabilities such as the one in Log4j.
At the top of the list for data breaches in 2021 is the discovery of data collected by Cognyte, a cybersecurity analytics firm, that resulted in five billion records being exposed, and the discovery that personal data of some 700 million LinkedIn users was being offered for sale on the Dark Web. Both of those breaches make the top 10 of all time in terms of the number of records exposed.
There but for the grace of Providence, it seems like just about any organization these days could find itself dealing with the fallout of a major data breach. A survey of 200 enterprise IT and security professionals conducted by the research firm Pulse on behalf of Vulcan Cyber, a provider of a cyber risk management platform, finds the top sensitive data exposure concerns organizations have right now are application vulnerabilities (54%), followed by broken authentication (44%), security misconfigurations (39%), insufficient logging and monitoring (35%), and injection (32%). Survey respondents also identified the Microsoft Kerberos unprivileged user account vulnerability known as MS14-068 as the one most concerning to their organization.
The survey, however, also makes it clear that prioritizing vulnerabilities is an inexact science. More than three-quarters of respondents (78%) said high-priority vulnerabilities identified by third-party sources should actually be ranked lower, based on the impact they are likely to have on their organization. Conversely, more than two-thirds of respondents (69%) also noted that lower-ranked vulnerabilities should be ranked higher. More than 80% of respondents said they would benefit from increased flexibility, including room for gut feeling, to prioritize vulnerabilities based on their particular risk environment.
Despite a raft of security concerns, and despite the fines and penalties that might be imposed by governments around the world, organizations don’t seem to be changing the way they manage data. The smartest thing any organization can do to reduce the number of breaches it might need to respond to is cut back on the amount of sensitive data it is storing. Organizations tend to store a lot more data than they need, especially in spreadsheets that end users populate with all kinds of personally identifiable information (PII). Often the only thing standing between a cybercriminal and that data is a password that is easily compromised. Organizations that hoard data are in many instances their own worst cybersecurity enemy.
It’s hard to say with any certainty what 2022 will bring, beyond the fact that cybersecurity attacks will increase in both volume and sophistication. However, if organizations keep doing the same thing they did in 2021 over again while expecting a different result, then, as Albert Einstein noted, the one thing we will definitely have achieved in 2021 is a new level of cybersecurity insanity.