If your company suffered a data breach, wouldn’t it be at least a bit comforting if you knew it was because an army of criminal geniuses had spent months trying to penetrate your fortress-like defenses?
Imagine the effort they must have gone through. They’ve tried every form of phishing, spearphishing, smishing, vishing, and whaling. They’ve sent fake printer and HVAC engineers to try to penetrate the data centers. They’ve tried to get their spies recruited to work in sensitive positions. They’ve bribed and blackmailed. And their dozens of hoodie-wearing hackers have been frenziedly typing ones and zeroes into their terminal windows (because that’s how hacking works, apparently!).
Then at least you’d know that you didn’t really stand a chance. At least you’d still be able to hold your head up high.
What would be somewhat less comforting would be to discover that you weren’t really hacked at all; that the army of criminals barely had to try. The data just appeared before them, and all because of the one word that crops up again and again when you read about data breaches:
According to Verizon’s recently released Data Breach Investigations Report, 17% of data breaches were caused by ‘errors,’ the largest part of which is misconfiguration. This might not sound like a lot, but it’s double what it was last year, and second only to hacking as a cause of breaches.
Even way back in 2018, the IBM X-Force Report found that in the preceding year there was a “424 percent jump in breaches related to misconfigured cloud infrastructure, largely due to human error.”
Here are a few recent examples:
There is a long list of things you can do to prevent human error from splashing your data all over the internet, but I’m going to condense it to just three main points:
Know your data
Make no assumptions
Almost every day, there’s a news story about a company that should know better carelessly exposing personal data on the internet. Clearly in most cases they either didn’t know the databases were there, or they made assumptions about availability and access.
Given the harm that can be done to people and businesses by criminals who would make use of the data, this is utterly inexcusable.
Don’t be one of those companies that gets caught because you don’t try to find out what you don’t know.
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at +1 843 890 8596.