recent

‘Climate capitalism’ can help scale green solutions

New leadership and management thinking from MIT experts

Use imagination to make the most of generative AI

Credit: Rob Dobi

Ideas Made to Matter

Cybersecurity

MIT report details new cybersecurity risks

By

Despite rigorous security efforts by all organizations, cybercriminals are still finding new ways to exploit personal and business data. Data breaches increased by nearly 20% in the first nine months of 2023 compared with all of 2022, and ransomware attacks escalated by almost 70% in the same time frame.

In fact, data breaches hit an all-time high in 2023 — a trend fueled by increasing online interactions that put personal data in the crosshairs of criminal activity, according to MIT professor 

Organizations aren’t unaware of heightened cybersecurity risks. In fact, cybersecurity has escalated from an IT-level discussion to a C-suite and boardroom issue, with worldwide spending on security and risk management projected to hit $215 billion in 2024, according to research firm Gartner. Yet hackers are finding more creative ways to bypass security measures, motivated by the troves of unencrypted personal data being collected and stored in enterprise systems, said Madnick, the co-founder and co-director of Cybersecurity at MIT Sloan.

Once hackers realize an organization is vulnerable to an attack, they will repeatedly attempt to breach its network, he said. In fact, 95% of organizations surveyed by IBM between March 2022 and March 2023 said they had experienced more than one data breach.

“Most companies are aware of the threat and are doing things to improve security, but the bad guys haven’t stayed still either,” Madnick said. “You have to think beyond what you did for protection last year.”

In a new report, Madnick identifies three primary reasons behind the latest uptick in personal data theft: misconfiguration of cloud environments, the emergence of new and more dangerous types of ransomware, and increased exploitation of vendor systems (an attack vector sometimes referred to as a supply chain breach).

Three main cyberattack vectors

Madnick and his team have identified three scenarios contributing to the recent increases in the frequency and impact of personal data breaches.

80%

More than 80% of data breaches involved data stored in the cloud, according to a 2023 report.

Cloud misconfiguration. Companies have been migrating data and core systems to the cloud in droves, to the point where an estimated 60% of corporate data now resides in the cloud. Yet the technology is still evolving, and many IT organizations don’t have employees experienced in the nuances of the cloud configurations and procedures required to properly secure data. According to the IBM survey, more than 80% of data breaches involved data stored in the cloud. Cloud misconfigurations, such as failure to change default settings, unrestricted ports, and unsecured backups, are just some ways hackers are gaining access to cloud-based data and services, Madnick said.

Organizations can mitigate misconfiguration vulnerabilities by addressing security early in the build cycle of systems, hiring or developing the right talent and skill sets to configure a dynamic cloud environment, and conducting proper audits and monitoring.

The evolving and growing threat of ransomware. Ransomware attacks, where hackers take control of institutional data and demand a ransom in exchange for its return, have become more common and are changing in nature. Historically, companies hit by ransomware faced operational outages and had their corporate data locked up. Today, it’s become standard for bad actors to also steal personal data collected and stored by organizations, and to take aggressive actions such as threatening to leak stolen consumer data on the dark web — essentially adding blackmail to their ransom attacks.

Madnick said that more sophisticated ransomware techniques, including those incorporating artificial intelligence and cooperative efforts by ransomware gangs, are contributing to the rise in ransomware attacks. Ransomware-as-a-service, essentially a “productized” version of malware that’s available to bad actors, is also driving up attacks.

Diligent data backup and restore practices remain important protection tools for corporate data. Organizations also need to monitor for and stop any data exfiltration from internal systems and embrace encryption practices so stored data is not useful to attackers, Madnick said.

Vendor exploitation attacks. All the vendor-provided mission-critical accounting, inventory, and customer management systems used by companies also offer a way into corporate systems (something Madnick refers to as a “side door”). These side doors allow vendors to provide regular updates and patches, but attackers can exploit vulnerabilities in the vendor’s systems to reach customers using those services — a vector known as a supply chain attack.
 

Related Articles

Cybersecurity plans should center on resilience
How to build a culture of cybersecurity
How to respond to a ransomware attack

A single unpatched vulnerability in one vendor’s software allows hackers to gain access to the personal data of many organizations across the globe that use that vendor’s software. In one example cited in Madnick’s report, hackers exploited a vulnerability in the MOVEit managed file transfer software that affected over 2,300 companies in more than 30 countries. As a result, more than 65 million individuals’ data had been compromised as of October 2023.

To avoid or minimize damage from this scenario, Madnick recommends using specialized companies to evaluate the cybersecurity health of any vendor being considered as a partner. It’s also important to take steps to minimize vendors’ side-door capabilities by limiting their access to only what’s required.

Other recommendations for companies from the report include the following:

  • Limit the amount of personal data stored in a readable format.
  • Adopt solutions that implement end-to-end encryption to reduce the amount of stored vulnerable data that presents risks to individuals.
  • Don’t be an ostrich — acknowledge the severity of the current landscape, invest in the right tools, and educate the broader employee base on cybersecurity responsibilities accordingly.

“There’s very little you can do to guarantee you’re not a victim, but there are a lot of things you can do to be more secure that aren’t being done,” Madnick said.

Read the report: “The Continued Threat to Personal Data — Key Factors Behind the 2023 Increase”

For more info Sara Brown Senior News Editor and Writer