22 billion breaches in 2021
Today one of the most valuable exchange goods on the global market is data: sensitive, business and personal information, trends, tastes, opinions, financial information.
As the European Commission has repeatedly pointed out, data is the raw material of the digital single market.
According to Fabio Pompeio and Alessandro Alongi in the Italian book “Diritto della privacy e protezione dei dati personali. Il GDPR alla prova della Data driven economy” (“Privacy law and data protection. The GDPR put to the test of the data-driven economy”), “More things happen online in a minute than in a whole day in real life: millions of emails travel from one side of the earth to the other, as many photos, videos and comments are posted on social networks, search engines index information, hundreds of thousands of users download content, documents and information from the web and, according to data from the last few years, $751,000 is spent online.”
At the end of an average day, the two authors write, “there are 42 billion messages on WhatsApp, 150 billion emails and 66 billion photos on Instagram. Record numbers, unthinkable a few years ago, and only possible today thanks to the Internet, the web and the enormous capacity that modern machines have to process data and information. Meanwhile, Facebook defines who we are, Amazon, what we want and Google, what we think. Above all, the giants of the web define our reputation, considering that it is mostly reconstructed on the interpretation of the traces we leave during our interactions on the web, as well as on the basis of data available about us.”
All this information is subsequently used for commercial purposes, to send us personalised advertising, but also to build profiles that insurance companies, potential employers or anyone else interested in information about us will be able to access. Those profiles therefore have substantial economic value.
This, however, is a level of exposure that most of us are by now more or less aware of, and which we can therefore manage, if only we decide to do so. In short, being invisible today is very difficult, but it can still be done.
The breach and theft of data
There is, however, a much more insidious level and that is the actual breach and theft of data.
In 2021, according to a report by the US company Risk Based Security, 22 billion pieces of data were compromised, most of which probably ended up on dark web markets to be sold to the cybercriminal community, who in turn use them to devise cyber attacks, including identity theft, business email compromise (BEC) and ransomware infections. To put it simply, data is the foundation of online crime, to the extent that, according to experts, without it hackers would not have been able to get their hands on the $1.5 trillion in revenue made in 2019.
According to the Data Breach Investigations Report (DBIR 2022), the four main methods used by hackers for this purpose are: theft of credentials, phishing, exploitation of vulnerabilities and botnets.
The theft of credentials
According to the DBIR 2022, since 2017, there has been a 30% increase in stolen credentials. Having your login credentials, such as username and password, stolen is tantamount to opening the door wide to criminals and handing over company, personal and bank account data to them.
This also applies to employees in peripheral rather than senior roles. For the hacker, the goal is to get into the corporate network, and it does not matter through whose account.
A very common mistake that can have serious consequences is sharing your password or reusing it for several accounts. It is common indeed: a Google survey found that 52% of people reuse passwords across multiple accounts.
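The reuse problem above is easy to audit on the defending side. The following Python script is an added example, not code from the article or from any of the sources it cites: it takes a list of account entries such as a password-manager export, groups them by a hashed fingerprint of the password (so the report never has to contain plaintext), and flags both exact reuse across sites and "near reuse", where the same base word is recycled with different capitalisation or trailing digits and symbols. The vault contents and the site names are constructed sample data, and the normalisation rule is a deliberately simple assumption of what counts as a variant.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault export: (site, username, password). Not real credentials.
SAMPLE_VAULT = [
    ("mail.example.com", "alice", "Summer2021!"),
    ("bank.example.com", "alice", "Summer2021!"),
    ("shop.example.com", "alice", "Summer2021!"),
    ("vpn.example.com", "alice", "x9$Kq!2vL#pW0r"),
    ("hr.example.com", "alice", "summer2021"),
]

# Characters we treat as "decoration" when looking for variants of one base password.
DECORATION = "0123456789!@#$%^&*.?"


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix used as a stand-in for the password in reports."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def normalize(password: str) -> str:
    """Collapse trivial variations: lower-case and strip trailing digits/symbols.

    Assumption for this example: a practitioner would tune this rule; it is
    intentionally coarse so that 'Summer2021!' and 'summer2021' map together.
    """
    return password.lower().rstrip(DECORATION)


def find_reused_passwords(vault):
    """Return {fingerprint: [sites]} for every password used on more than one site."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[fingerprint(password)].append(site)
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def find_near_reuse(vault):
    """Return {base: sorted sites} where several *different* passwords share a base.

    Exact reuse is reported separately; this only flags groups that contain
    at least two distinct fingerprints, i.e. genuine variants of one password.
    """
    sites_by_base = defaultdict(set)
    prints_by_base = defaultdict(set)
    for site, _user, password in vault:
        base = normalize(password)
        sites_by_base[base].add(site)
        prints_by_base[base].add(fingerprint(password))
    return {
        base: sorted(sites)
        for base, sites in sites_by_base.items()
        if len(prints_by_base[base]) > 1
    }


def audit(vault):
    """Produce the full report as a dict so it can be logged or asserted on."""
    return {"reused": find_reused_passwords(vault), "variants": find_near_reuse(vault)}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for fp, sites in report["reused"].items():
        print(f"password {fp} reused on {len(sites)} sites: {', '.join(sites)}")
    for base, sites in report["variants"].items():
        print(f"variants of base '{base}' used on: {', '.join(sites)}")
```

Run against the sample vault, the audit reports one password shared by three sites and one base word ("summer") recycled across four. Exact reuse is the case the article's survey figure refers to; the variant check is worth keeping because attackers who obtain one leaked password routinely try such trivial mutations, so a variant offers little more protection than an identical one.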
Phishing
Phishing is at the top of every ranking for personal data theft. It is the method most favoured by cyber criminals, who are experts in social engineering, and at the same time the one that claims the most victims. This is because phishing in all its forms (phishing, spray-phishing, spear-phishing, smishing and vishing) is a direct route into an organisation. Even ransomware, which was previously used only for financial extortion, is now being used to steal data.
And the challenge is getting tougher, since not even two-factor authentication lets us sleep soundly. Hackers are becoming ever more creative and are finding new ways to circumvent this type of protection as well.
Exploiting vulnerabilities
Phishing and credential theft are often combined with the exploitation of software vulnerabilities, and the end goal is the same coveted loot: stolen data. Software vulnerabilities are common. CVE Details, which maintains a database of them, recorded more than 20,000 vulnerabilities in 2021, any one of which could allow an attacker to take control of an application to steal data or install malware. In short, there is still much to be done on this point.
Botnet
A botnet, a word formed from the terms “robot” and “network”, is a network of malware-infected devices, known as bots or zombies, controlled by a botmaster. The criminals who run it manage it remotely to carry out cyber attacks with various objectives: sending phishing emails, distributing malware and/or executing a denial-of-service attack. All of this can be part of a broader data theft objective.
According to Spamhaus, in the fourth quarter of 2021 there was a 23% increase in botnet activity.
The human factor
These different types of breaches share the same origin: the human factor, the real weakest link in the chain. According to the DBIR 2022, 82% of breaches originate from a human error. It is precisely “the people who continue to play a very important role in both incidents and breaches”, the report states.
It is therefore necessary to take action on the human element: raising people's awareness, educating them, training them and enabling them to respond promptly to the threats that arrive, and will continue to arrive, ever more numerous and ever more aggressive, from the web. The solution therefore has only one name and surname: effective, quality training.
In order to prevent cyber harm, which can have very serious consequences, companies must choose training platforms that rise to today’s challenge: to ensure that their organisations are immune from attacks and always ready to defend themselves effectively. To achieve this, each employee must master a correct digital posture and be ready to recognise and handle any type of attack.
Only this represents a real obstacle for hackers and can guarantee effective and lasting protection for the entire company.