Data breaches have been plaguing organizations for years, and the numbers continue to climb. After a breach, an organization goes into survival mode—trying to recover data, reestablish trust, and ensure they can keep their business running. It’s understandable that there isn’t much leisure time to sit back and reflect on what could have been done differently. So we’ve done the work for you, laying out some simple lessons learned from the many breaches we’ve observed over the past few years, as well as ways they can be avoided.  

1. Careless employees provide the easiest access.

Over the years, the simple technique of phishing has worked to trick countless people into downloading malicious software or giving away their credentials. And as long as this method keeps working, attackers will continue to use it readily. In fact, according to the Verizon Data Breach Investigations Report, 94% of malware deliveries are completed through a phishing email of some type. This makes employees the most dangerous threat to an organization. Even if a security team is able to do a thorough post-breach investigation, discovering that the breach began with a phish may only result in a single employee being retrained, written up, or terminated.

However, systemic changes can be made, beginning with regularly deploying phishing simulations using social engineering pen testing services or tools. These simulations send out phish that are similar or identical to those being used by real attackers, but allow you to safely identify which types of phish are most effective and who is susceptible to them. This enables you to pinpoint exactly what type of retraining is needed to ensure your employees are more vigilant.

Additionally, while you may not be able to eliminate this risk entirely, there are still ways to limit the damage even if threat actors do get hold of an employee’s credentials. For instance, you can take preventative action by following the principle of least privilege, using identity governance solutions to limit each employee’s access to only what their role needs. That way, a compromised account does not hand an attacker unlimited keys to the kingdom.

Risk can be further minimized by monitoring for unusual user behavior, so that compromised accounts are quickly spotted. A security information and event management (SIEM) solution can alert you in real time to abnormal activity like changes to user profiles and system values, invalid login attempts, or intrusion detections. While organizations may not be able to stop every phish from being opened, that doesn’t mean there aren’t plenty of ways to effectively manage this unavoidable risk.
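To make the SIEM idea concrete, here is an added example (not code from the article or any vendor product) of a small correlation rule over constructed, syslog-style authentication and profile-change events: it flags an account whose login succeeds right after a burst of invalid attempts, and then flags a profile change made shortly after that suspicious login. The log format, field names, hosts, users and addresses are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not real log data).
SAMPLE_LOG = """\
2024-03-04T09:00:01 auth host=app01 user=jdoe src=203.0.113.5 result=FAIL
2024-03-04T09:00:04 auth host=app01 user=jdoe src=203.0.113.5 result=FAIL
2024-03-04T09:00:07 auth host=app01 user=jdoe src=203.0.113.5 result=FAIL
2024-03-04T09:00:09 auth host=app01 user=jdoe src=203.0.113.5 result=FAIL
2024-03-04T09:00:12 auth host=app01 user=jdoe src=203.0.113.5 result=FAIL
2024-03-04T09:00:15 auth host=app01 user=jdoe src=203.0.113.5 result=OK
2024-03-04T09:01:30 profile host=app01 user=jdoe src=203.0.113.5 change=mfa_disabled
2024-03-04T09:05:20 auth host=app02 user=asmith src=198.51.100.7 result=OK
"""

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<kind>\w+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) (?P<rest>.*)")

def parse(log):
    # Turn each matching line into a dict with a real datetime for ordering.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def correlate(events, fail_threshold=5, window=timedelta(minutes=2)):
    """Return (rule, user, detail) alerts: failures-then-success, and profile change after it."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent FAILs
    suspicious = {}                # user -> time of the suspicious successful login
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["kind"] == "auth":
            if "result=FAIL" in ev["rest"]:
                failures[user].append(ev["ts"])
                failures[user] = [t for t in failures[user] if ev["ts"] - t <= window]
            elif "result=OK" in ev["rest"]:
                if len(failures[user]) >= fail_threshold:
                    alerts.append(("brute_force_then_success", user, ev["src"]))
                    suspicious[user] = ev["ts"]
                failures[user].clear()  # a success resets the failure run
        elif ev["kind"] == "profile":
            if user in suspicious and ev["ts"] - suspicious[user] <= window:
                alerts.append(("profile_change_after_suspicious_login", user, ev["rest"]))
    return alerts
```

A single successful login with no preceding failures (asmith) produces no alert, so the rule stays quiet on normal activity while still catching the credential-compromise pattern the article describes.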

2. Any endpoint can be an attack vector.

The very things that are streamlining and advancing our businesses are also putting us at risk. Smart technology is evolving at breakneck speed—but unfortunately, antivirus solutions specific to those devices have not yet caught up. This makes everything—security cameras, video conference units, HVAC systems, MRIs, CT machines, ATMs, SCADA systems, and countless other devices—a perfect doorway for threat actors looking for a way into an organization’s infrastructure. A number of breaches in just the last few years have traced the origin of the attack to one of these types of endpoints.

What’s truly distressing about these types of attacks is that compromised devices may go unnoticed if an organization does not have a network monitoring solution that provides visibility into performance issues, outages, bandwidth, and any other changes in the network. With no way of seeing abnormal activity, these devices can not only serve as attack vectors, they can remain infected for an extended period. For instance, many targets of ransomware attacks had been infected months before they received a ransom note. These persistent threats exacerbate the risk to the organization, and also make these devices ideal targets for threats looking to steal not just data but processing power, such as botnets.

So if there is no anti-malware for these types of devices, what can be done to reduce the risk that they pose? Focus needs to be less on prevention, and more on detection. Discovering threats as soon as possible is the best way to minimize damage. Advanced threat detection solutions monitor every type of device, confirming infections in real time so that you can act quickly and drastically reduce dwell time.

3. Large servers are a high value target.

Even those devices that do have antivirus as an option aren’t always properly protected. As mentioned earlier, attackers aren’t always looking for data to steal; they’re increasingly looking for processing power to borrow. Naturally, the best place to find it all in one location is the servers of large enterprises. Increasingly sophisticated malware strains like Norman or PowerGhost and botnets like Smominru have focused on large IT environments, targeting them for cryptojacking and leeching their power to mine cryptocurrency.

While attackers are deliberately targeting servers, many of these breaches still could have been avoided. Unfortunately, many organizations still rely too heavily on scanning their workstations, not thinking of their servers as entry points in their own right. Even where server-side antivirus isn’t skipped altogether, the server may still be inadequately protected. Servers typically run a different operating system from the workstations—like Linux, AIX, or IBM i. Attempting to scan such a server with a Windows solution is not only unreliable, it can also introduce additional security concerns. Pairing workstation antivirus with a native solution for your servers builds the most robust malware defense by providing multiple layers of security.