Data is the lifeblood of today’s enterprises. No matter an organization’s size, specialization, or sector, its operations depend upon storing, handling, processing, and transmitting data.
What’s more is that much of the data that’s stored by your organization is considered sensitive and is therefore the target of data breaches and compromises. If your organization can’t secure your crown jewels adequately, it can prove to be a costly mistake.
According to the Cost of a Data Breach Report 2021, the average cost of a breach rose 10% from 2020 to 2021, reaching $4.24M USD—equivalent to about $160 per record. These costs were determined by accounting for the expenses of process-related activities across four cost centers:
- Detection and escalation: Activities that enable a company to reasonably detect the breach.
- Lost business: Activities that attempt to minimize the loss of customers, business disruption and revenue losses.
- Notification: Activities that enable the company to notify data subjects, data protection regulators and other third parties.
- Post-breach response: Activities to help victims of a cybersecurity breach communicate with the company and redress activities to victims and regulators.
Interestingly, the cost of a data breach is also impacted by variables such as maturity of the cybersecurity posture, adoption of remote work, and the use of ransomware:
- Costs were significantly lower for some of organizations with a more mature security posture, and higher for organizations that lagged in areas such as cybersecurity artificial intelligence (AI) and automation, zero trust, and cloud security.
- When remote work was a factor, costs increased by more than $1M.
- When ransomware was a factor, the average cost rose to $4.62M.
To avoid incurring the costs associated with successful data breaches, you must understand the risks associated with the sensitive data your organization has access to, which starts with recognizing what data you possess, and what TTPs attackers will employ to access it.
Once you understand this, your cybersecurity team can prioritize the protection of the data and attack vectors to ultimately reduce the probability of the data breach, avoid the associated potential loss, and reduce your overall risk profile.
What is sensitive data?
Sensitive data encompasses a wide range of information and records, including:
- Credentials used to authenticate a user or tool within an IT environment.
- Intellectual property and proprietary/non-public information, like patents, trade secrets, manufacturing processes, mergers and acquisition reports, investment research, or go-to-market plans.
- Personally identifiable information (PII), such as the full name, address, phone number, email address, social security number (SSN) or social insurance number (SIN), taxpayer information, financial information, and any other data that companies can store to identify a specific individual—whether they’re an employee, customer, or partner.
- Protected health information (PHI), including a patient’s medical history, demographic data, medical test and lab results, insurance coverage information, and other confidential data collected to identify an individual and administer proper medical care or related functions.
- Electronic protected health information (ePHI) refers to any of the above confidential health data that is stored, handled, or transmitted electronically.
In recent years, owing to the rise in cybercrime and data breaches, regulators have adopted clearer definitions of sensitive data, have tightened up the rules governing its processing, and have enforced penalties against organizations that fail to meet the requirements. For example, the European Union’s General Data Protection Regulation (GDPR) considers the following personal data to be “sensitive” and therefore subject to specific processing conditions:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person’s sex life or sexual orientation.
While a subset of industries, such as healthcare, finance, and legal services, receive most of the attention (and generate most of the data breach headlines), the breadth of information that’s considered sensitive means that essentially every organization actually collects or processes it.
And that means practically every organization—no matter the size—is a target for data breaches.
Why value does sensitive data hold for cybercriminals?
Cyberattacks targeting sensitive data are widespread—but why is that the case? While it comes down to money, cybercriminals target sensitive data because it’s valuable to their operations both as a revenue source and as a direct enabler of malicious actions.
First, using ransomware attacks to make crucial information unavailable continues to generate impressive returns for cybercrime gangs, with the average ransom across all industries reaching $570,000 in the first half of 2021—an 83% increase over 2020.
Cyberattackers also routinely employ double- and triple-extortion tactics to compel their victims to pay to decrypt their files and data, but also to prevent the publication of PHI/PII—thereby possibly avoiding regulatory fines and keeping the event out of the public’s eye.
Second, whether the victim pays the ransom or not, the attacker may use the stolen data to advance their own activities and sell it on cybercrime marketplaces:
- Credentials are especially valuable for gaining initial access into, and performing intrusion activities within, an IT environment;
- Financial information is used to compromise bank accounts and commit wire transfer frauds;
- Employee information can be used for identity theft, to commit fraud, and to engage in longer, more complex operations like business email compromise (BEC) and highly targeted phishing scams
Unfortunately, the proceeds serve as fuel in the engine of cybercrime, self-funding extensive operations and ongoing research into new ways to victimize organizations. Leveraging this ecosystem of experts and ransomware-as-a-service reduces operational costs and accelerates the cybercriminals’ time to market, while leading to growing ransoms and ever-increasing revenue. Dropping operational costs and increasing revenue creates bigger profits, and cybercriminals will always follow the money.
Why are sensitive data risks growing?
Beyond the profit motive, there are two other reasons why the risks associated with sensitive data are growing: increased means and opportunity.
First, although cyberattacks are nothing new, cybercriminals continue to evolve their Tactics, Techniques, and Procedures (TTPs). For example, while ransomware attacks used to be opportunistic, today we see sophisticated operations that target high-value victims and combine automated elements with manual activities. The gangs behind these cyberattacks are organized, well-run, and even leverage role specialization to expand the reach and velocity of their campaigns. What’s more, the rise of ransomware-as-a-service and affiliate marketing models have made it even easier for new operators to break into the cybercrime market.
Second, the unfortunate reality is that cyberattackers have no shortage of attack vectors, due to a combination of factors, including:
- An increasingly complex and ever-evolving threat surface, which has been made even more vulnerable by the widespread adoption of working from home (WFH);
- A worrying surge in the number of zero-day exploits observed in the wild
- The third-party risk that results from today’s vast web of suppliers, partners, and service providers
- The ever-present human factor—many cyberattacks begin with a phishing email that delivers a malicious payload or to tricks the recipient into handing over credentials or other useful information.
How to secure sensitive data and reduce cyber risk
We live in a world where people constantly share personal information online giving threat actors endless opportunity and time to use personal data as a key that allows easy entry into a target network. So, when thinking about data security, it’s important to consider the probability of your traditional perimeter defenses being bypassed by hackers and how prepared your team is to protect against sensitive data theft.
Here are five recommendations for your cybersecurity team to secure your most sensitive data and reduce your cyber risks:
1. Adopt a risk-based approach
The foundation of any effective cybersecurity program is recognizing that cyber threats are business threats. For most organizations, the best way to direct scarce resources with the goal of reducing cyber risk over time is to adopt a risk-based approach to cybersecurity, rather than a maturity- or compliance-based approach.
To get started with a risk-based approach, organizations can perform a risk assessment to determine all the relevant factors that will shape their program: vulnerabilities, threats, industry factors, regulatory guardrails, and so on.
2. Understand (and quantify) your sensitive data risks
It’s also important to understand your sensitive data risks. While this may seem obvious, asking a few questions may lead to some surprising answers. For example:
- How does your industry or regulator define sensitive data?
- What sensitive data does your organization store and/or process?
- Where is the sensitive data stored?
- How is the sensitive data used?
- Who, including third parties, has access to the sensitive data?
- What systems have access to the sensitive data?
3. Prioritize Phishing and Security Awareness Training (PSAT)
Many devastating cyberattacks begin with a phishing email that tricks a user into helping the threat actor. To counter this threat, organizations should provide employees and extended team members with some form of Phishing and Security Awareness Training (PSAT) as an important element of their cybersecurity program.
Effective programs leverage realistic threat scenarios to foster context-relevant (e.g., tailored to your industry and organization) cybersecurity awareness—ultimately driving behavioral change that reduces your risk by building a culture of cyber resilience.
4. Reduce the attack surface
Reducing the cyberattack surface is a crucial element of making it harder for threat actors to break into your environment and a comprehensive vulnerability management program is a cost-effective way to do so.
A great program includes continuous awareness of the threat landscape (e.g., from advisories, notifications, cyber news, etc.), vulnerability scanning to understand which systems are inadvertently exposed, and disciplined patch management.
5. Be ready to respond
A study commissioned by eSentire shows that it takes a cyberan attacker only 20 hours on average to breach an IT environment, locate sensitive data, and exfiltrate it. That means organizations have very little time to stop an attacker who breaks in—and that’s why engaging an Managed Detection and Response (MDR) provider is so important.
MDR leverages multi-signal coverages of the attack surface to quickly identify cyber threats that bypass existing defenses, triggering a combination of automated and human-led response to contain threats before they can become business-impacting events.
Like money in a bank, data is the currency of cybercriminals. Given its high value and importance to both an organization and their customers, it’s easy enough to extract payments from victims of a data breach. Especially since this data can be sold in cybercrime marketplaces and employed in subsequent cyberattacks.
To learn how eSentire can help you identify and contain cyberattacks early in the attack chain and prevent attempts to exfiltrate sensitive data, book a meeting with us now.
