Businesses experiencing data breach last year

The Facts of Data Breaches

Sophos released a rather chilling report this week highlighting several problems in 2019 cybersecurity for businesses. Being breached, it would seem, is no longer the exception, but the rule. They uncovered that 68% of companies were victims of cyber-attacks that lead to data breaches.

The breakout between large and small organizations may be more surprising. 73% of companies with over 1000 employees experienced a breach. 63% of those with less than 1000 employees experienced a breach. That may come as a shock to those who think they are too small to be a target.

What are the reasons behind these numbers?

  • Large companies may seem to be larger targets because they are more lucrative. This may be true. They are also more aware of threats and generally have better security measures. Smaller businesses are softer, easier targets.
  • This only accounts for organizations that were aware they experienced a data breach. Most small businesses can experience a data breach and remain compromised. This leads to extended periods of time without even knowing their data is being stolen.
  • Many data breaches are the result of automated attacks spraying the internet. These attackers are looking for low hanging fruit that is east to breach. These drive-by attacks don’t consider who the target is, they look for anything they can get into. Small businesses are particularly vulnerable to these types of attacks. Small businesses lack awareness and have improper on non-existent security programs. They often rely on unqualified outsourced IT providers to protect them and do not have unbiased third-party verification of the security they provide. These providers most likely provide no real security.

The survey only accounts for those that knew about their data breach and admitted it on the survey. The actual numbers are likely to be much higher. This is especially true for small businesses. They most likely don’t know they are victims of an ongoing data breach.

It turns out, the average number of data breaches within the past year by those who were victims of a cyber-attack was 2. If you were the victim of a data breach, you are more likely to be breached again. That’s not the kind of repeat business any company is looking for. Hackers are more than happy to re-engage with you on their next project.

If you were the victim of a data breach, you are more likely to be breached again.

This could be for several factors including:

  • Ongoing weaknesses are not properly addressed.
  • The original breach was not mitigated and remediated. This happens when businesses rely on inexperienced resources to combat the attack. The same IT services that set up and maintain your network should not be the ones securing and testing.
  • Data breach information exchanged on dark web alerts more attackers to your security problems.

These problems are best addressed by using a qualified cybersecurity firm to help guide your security program.

How are Breaches Discovered?

Most threats were only discovered once the attacker reached the server. This is an interesting find. Conventional IT wisdom assumes the servers are safe because users are not logging into them. IT tends not run to install anti-virus on servers. Instead, they rely on their perimeter security to keep the environment safe. This is unfortunate since evidence indicates perimeter security is failing. In fact, only about 17% were detected on endpoints. Attacks typically start on endpoints. Companies aren’t aware until they reach the server. This means attackers are likely in the environment for some time. Attackers are accessing data on end user computers and setting up back door entries. Those back doors are another reason for the increase in repeat data breaches.

The damage is intensified since IT managers can’t say how long their data breach occurred. Not seeing the attack from the beginning causes problems. It is difficult, if not impossible, to identify the weak point on the perimeter. No visibility requires extensive forensics to gain a better understanding of the attack. Many businesses will see that as too costly. They opt to sweep that under the rug. This violates notification laws and increases the risk of the business failing.

This is preventing them from fixing the holes since they don’t even know what the holes are.

What does all that mean? It means IT managers are making security decisions, without having all the facts. This is worse for those relying on third-party IT services who may not be honest about their errors. This is preventing them from fixing the holes since they don’t even know what the holes are.


How are Businesses Responding to Discovered Data Breaches?

The average time to discovery was 13 hours for those that did discover the data breach.  During that time, the hackers are free to steal sensitive data the business might have on its network.

Other data breach reports indicate attackers have access for months prior to detection. 13 hours is most likely wishful thinking by businesses who could not identify the start of the attack.  They don’t know the truth if they are going by when server detection alone. The fact they admitted to a data breach at all is remarkable. The true numbers are most likely far worse. Again, this is leading to making security decisions with only partial data.

Small and medium sized business lack the tools and expertise to determine the true threat to their organization. They don’t know what and how long the threat had access to their environment. IT services providers are not helping them by hiding the truth. Hiding their own shortcomings while being a single provider to the client is doing an incredible disservice.

Why are teams struggling to plug holes?

IT teams can’t plug the gaps in security because they don’t know what those gaps are. Relying on general IT knowledge leaves a large hole in the knowledge base a company needs to understand their security posture. Not understanding security prevents the business from seeking quality improvements. One in five IT managers are unaware of how their most damaging cyber-attack gained access to the organization. As a result, they can’t possible figure out what gaps in their security lead to the breach. This would be like having your family doctor perform brain surgery. Specialized demands need specialists. It is that simple.

Instead of examining a data breach, small businesses focus on clean up. Not having examined the network before the breach is not helping either. Instead, they go back to catch-all solutions on top of existing measures while not knowing what exactly is needed. Often layering the same solution types on top of one another and wasting money.  IT providers do not do any better.  Cyber criminals know this. Small businesses are easy targets because of their inability to identify security holes. Businesses without adequate resources are spending an average of 41 days investigating non-issues. IT operations are suffering as a result. This costs the business time and money. A seasoned consultant could better manage security and keep those investigation times lower. This will let IT focus on what it does best.


Admit need for better security

80% of respondents admit they need better response to potential cybersecurity threats. They need better expertise engaged within their organization. Yet they misidentify the skillsets required and don’t look to outsourced solutions. Oftentimes misled by their own IT staff or outsourced IT provider. The big secret is IT teams and external providers don’t like independent audits. They are afraid security holes discovered by a security consultant will reflect poorly on them. A good security provider seems to work with them, not against them.

they misidentify the skillsets required and don’t look to outsourced solutions.

However you decide to protect yourself, one thing is certain. It is no longer an exception to be the victim of a cyber-attack, it is the rule.

Your Cybersecurity Future Starts Today

Shades of Gray Security can work with you and your budget. We make sure you are doing what you can to secure your data and protect your interests. Our Managed Security Services can help you fill in the gaps. We can audit your environment and manage your security program and systems. We offer training for employees to be able to identify suspicious activity and emails, and what to do in the event a data breach occurs. Contact us today for a free consultation and find out how we can help.


However you decide to protect yourself, one thing is certain. It is no longer an exception to be the victim of a cyber-attack, it is the rule.


Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news, updates, and tips on how to be secure in today's digital world.

You have Successfully Subscribed!