Why data breaches have become ‘normalized’ and 6 things CISOs can do to prevent them

Every week, a new data breach threatens business organizations around the world, necessitating a reevaluation of cybersecurity strategies to protect consumers. In recent months, we’ve seen major breaches at companies like 23&Me, Okta, United Healthcare, and American Express, putting incredibly sensitive consumer data at risk. There was one between 2022 and 2023 20% increase in data breaches. And with Microsoft, Roku and many other companies that already suffered data breaches in the early months of 2024, this unfortunate trend shows no signs of slowing down.

The Okta breach, which affected all of their customers due to an employee using a personal Google profile on a company laptop, underscores the critical role of the human element in cybersecurity. According to the Verizon DBIR 202474% of all breaches involve the human element, involving people through mistakes, abuse of privilege, use of stolen credentials or social engineering.

The continued role of human error in cyber breaches is a clear sign that cybersecurity training as an audit approach has been categorically failed in the marketplace. The Okta incident is a stark reminder of the vulnerabilities that can arise from seemingly innocuous behavior, such as logging into a personal account on a work device, which can violate established security policies. With this in mind, it is critical that CISOs and their teams ensure employees are aware of these vulnerabilities, in addition to building a system that can withstand breaches.

What should be on CISOs’ priority lists (if they aren’t already)

Here are six things CISOs should focus on in 2024 to protect their organizations from the risk of a data breach:

1. Make use of one remote browser isolation (RBI) System to Reduce Human Error: The Okta breach is a classic example of how human error can lead to significant security incidents. Even the most robust security measures can be undermined by simple mistakes. Employees must be continuously informed about the risks of combining personal and professional digital activities. An RBI system can help alleviate these problems technically.
2. Implement one zero trust Strategy: A zero trust approach assumes that breaches can happen and verifies each request as if it came from an open network. Regardless of whether a request comes from inside or outside the corporate network, it must be authenticated, authorized, and encrypted before access is granted. This strategy limits the damage by requiring additional authentication before granting access to sensitive customer support systems.
3. Enforce and monitor IT policies: Companies should enforce and monitor policies that prevent the use of personal accounts on work devices. Automated tools should be used to flag and block such activity, and deviations and policy violations should be automatically enforced through policy controls. Policies are meaningless if CISOs neglect their enforcement.
4. Prepare incident responses: A quick and transparent response to breaches is critical. Okta reported the incident and took immediate action, which is an important step in managing the aftermath of a breach. Especially with the new SEC Disclosure RulesCompanies must be prepared to respond to breaches and report them immediately to the necessary parties.
5. Strengthen privileged access management (PAM): Strengthening PAM can ensure that even if employee credentials are compromised, access is limited and does not enable widespread exploitation. While the goal is to prevent breaches entirely, mitigating these vulnerabilities is critical to a successful response.
6. Strengthen endpoint security: It is essential to ensure that all endpoints are secure and cannot be accessed through compromised third-party accounts. Solutions that monitor anomalous behavior may have identified unusual activity due to the compromised credentials. Additionally, application controls and shielding are valuable in addressing these issues.

When it comes to regulations, compliance does not equal safety

It is also worth noting that despite the introduction of important regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), as well as the potential for high fines for non-compliance, indicates that these mechanisms have not had a dramatic impact on the security market.

For example, A study Research on the impact of GDPR infringement fines on the market value of companies found that while there was a statistically significant cumulative abnormal return of around -1% on average up to three days after the announcement of a fine, the negative economic impact on the market value was much greater than the monetary value of the fine itself. This suggests that the fines, while significant, were high not sufficiently punitive to motivate significant changes in the corporate behavior of large-cap companies. Furthermore, security breach announcements, which often result in fines and sanctions, resulted in only an average market value decrease of approximately 1% for the affected companies, indicating a relatively small financial impact given the potentially enormous scale of such breaches.

Although PCI DSS compliance aims to secure credit card information and carries penalties ranging from fines to revocation of card acceptance privileges, the effectiveness of these penalties as a deterrent is questionable. The threat of negative publicity and the business risk associated with non-compliance are well known, but breaches and compliance failures continue to occur. This tells us that the potential costs of non-compliance may not be seen as a significant threat to business, or that enforcement of these penalties is not consistent enough enforce compliance.

Simply put: compliance is not equal security. And to date, no significant fines or penalties have shown an impact on the market as a whole. These cases underscore a broader problem within the security market: while regulations and fines aim to motivate companies to better security practices and compliance, their actual impact, especially on large companies with significant resources, appears limited. The lack of significant punishment for overt failure, as evidenced by the minimal impact on market valuation and the ongoing data breach, points to the need to reevaluate the effectiveness of current compliance and punishment mechanisms.

The opportunity for security leaders to train their staff and improve their skills

While current regulations are not having the intended impact on the market, there are steps organizations can take to protect themselves, as noted above. When connecting with IT and cybersecurity leaders, discussions should focus on implementing zero trust principles in practice, balancing ease of use and security, and fostering a security-first culture among all employees to reduce the risk of human error. Additionally, exploring technologies such as behavioral analytics, AI-powered threat detection, RBI, and continuous authentication methods can provide further insights into building resilient systems.

As cybersecurity professionals improve their practices, so do the hackers behind data breaches. These attackers are finding new methods to break into systems at a rapid pace. However, if you do the simple things to prevent human error, you will ensure that hacking your system is a no-brainer. The recent ConnectWise vulnerability was described as “embarrassingly easy‘ to exploit, and these types of errors are simply unacceptable in 2024. Too many organizations are gambling on security, especially given the threats we face today.

Every day that passes without a cyber-trained workforce is a day when digital systems are at great risk. If CISOs can agree on doing the little things, and ensure that all employees are fully aware of the threats and the tools they have to combat them, we will see data breaches increase in both number and size will decrease. A proactive, informed approach to cybersecurity will be the cornerstone of defending against evolving cyber attacks in 2024, ensuring the security and integrity of global digital ecosystems and the consumers who use them.

Chase Cunningham (“Dr Zero Trust”) is VP of security market research at G2.