There's no doubt that 2021 will be one for the record books regarding data breaches. The Identity Theft Resource Center (ITRC) reported that the total number of data breaches through September 30, 2021, had already exceeded the total for all of 2020 by 17%. The numbers can only go up given recently disclosed vulnerabilities such as Log4Shell, the remote code execution flaw in the widely used Log4j logging library, which was being exploited in the wild before most organizations had patched.
At the top of the list for 2021 is the exposure of a database belonging to Cognyte, which left some five billion records openly accessible, followed by the discovery of personal data on some 700 million LinkedIn users being offered for sale on the dark web. Both incidents rank in the top 10 of all time by number of records exposed.
It seems like just about any organization these days could find itself dealing with the fallout of a major data breach. A survey of 200 enterprises finds the top sensitive data exposure concerns organizations have right now are: application vulnerabilities (54%), broken authentication (44%), security misconfigurations (39%), insufficient logging and monitoring (35%), and injection (32%). Survey respondents also identified the Microsoft Kerberos privilege escalation vulnerability known as MS14-068, which lets an attacker holding only an unprivileged domain account forge a Kerberos ticket that the domain controller accepts as an administrator's, as the single vulnerability most concerning to their organization.
However, the survey also makes clear that prioritizing vulnerabilities is an inexact science. More than three-quarters of respondents (78%) said that vulnerabilities rated high priority by third-party sources should often be ranked lower based on the impact they are actually likely to have on their organization, a reasonable position given that a generic severity score says nothing about whether the affected asset is reachable or what data it holds. More than 80% of respondents said they would benefit from increased flexibility to prioritize vulnerabilities based on their particular risk environment, even if that means relying in part on gut feeling.
Despite the fines and penalties that governments worldwide might inflict, and despite a raft of security concerns, organizations don't seem to be changing how they manage data. The smartest thing any organization can do to reduce the number of breaches it might need to respond to is to cut back on the amount of sensitive data it stores: data that was never collected, or that was deleted once its purpose was served, cannot be exposed.
Organizations tend to store more data than they need, especially in spreadsheets that end users populate with personally identifiable information (PII) and then share or leave on file servers. Often the only thing standing between a cybercriminal and that data is an easily compromised password. Organizations that hoard data are, in many instances, their own worst cybersecurity enemy.
It's hard to say with certainty what 2022 will bring beyond the fact that cybersecurity attacks will increase in both volume and sophistication. But if organizations keep doing the same thing they did in 2021 and expect a different result, then, as the saying commonly attributed to Albert Einstein goes, the one thing we will have achieved in 2022 is a new level of cybersecurity insanity.