Although security incidents are nothing new for businesses across industries, cybersecurity is quickly gaining traction as one of the top concerns for organizations in 2022. Last year, we saw some of the most impactful security incidents in the history of cybersecurity, a trend that decision makers and industry leaders simply can’t ignore. In fact, a recent report reveals that 49 percent of CEOs surveyed are most concerned about cybersecurity risks this year.
So, what can your organization do about the rise in cybersecurity incidents?
In this article, we’ll take a closer look at security incidents in general, paying particular attention to cybersecurity incidents: what they are, the most common types, and how to prevent and mitigate them. Armed with this information, your organization will be better positioned to protect itself against future security incidents and to get started on the path toward worry-free cyber risk management.
What Is a Security Incident?
A security incident is any event related to compromised data resulting from nonexistent or failed protective security measures. In the cybersecurity realm, an information security incident or a cybersecurity incident is a security incident that involves the unauthorized access, use, disclosure, breach, modification or destruction of data.
Typically, an event is categorized as a ‘security incident’ when it is widespread enough that it disrupts your normal business operations. Unlike a ‘security event,’ which is a singular occurrence that usually doesn’t have a palpable impact on your organization, a security incident is a more serious problem, and it doesn’t necessarily need to end with a successful attack for it to necessitate a response from your organization.
A cybersecurity incident could be anything from a potential threat to a successful attack; just because your information wasn’t compromised doesn’t mean you should ignore the incident altogether. Whenever a security incident occurs, whether it’s successful or not, it should prompt a serious examination and/or overhaul of the current tools, policies, and procedures you have in place to prevent similar events from happening again in the future.
Unfortunately, for most organizations, falling victim to some sort of security incident is simply inevitable. As digital technology continues to transform the business environment into a cybersecurity threat landscape, cybersecurity incidents, and the resulting risks and consequences, loom too large to ignore.
In many cases, the result of a cybersecurity incident involving unauthorized access to and disclosure of sensitive information, including personally identifiable information, is a data breach, an incident that can have huge financial and reputational impacts on the victim. In 2021, the average cost of a data breach was $4.24 million, a figure which is likely to grow exponentially in the coming years. For businesses in specific industries, there’s the additional consideration of regulatory compliance: additional fines, fees, and even legal action in the most extreme cases.
According to the Identity Theft Resource Center (ITRC), 2021 was a record-breaking year for data breaches. Some of the most notable cybersecurity incidents resulting in a data breach last year include:
- Facebook – 533 million records breached. In April, a user in a low-level hacking forum published the personal data of hundreds of millions of Facebook users for free. The exposed data included personal information such as phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses. The company attributed the leaked data to a security breach, but said that the vulnerability was patched in 2019. Although the data was a couple of years old, it will most likely be used by cybercriminals to impersonate affected users or otherwise scam them into handing over their login credentials.
- LinkedIn – 700 million records breached. Although the company disputes claims that there is evidence of a recent data breach, a collection of personal information on nearly 93% of the company’s users was sold online for $5,000. The data did not include login credentials, but it did include a wealth of other personal information that could easily be used to assume someone’s identity. LinkedIn maintains that the data for sale was not the result of a hack but rather of someone pulling publicly available data at large scale and compiling it.
- Cognyte – 5 billion records breached. When Comparitech’s cybersecurity expert Bob Diachenko discovered a massive database collected from a range of previous data incidents exposed on the web without a password or any other authentication required to access it, Comparitech immediately informed Cognyte, the cybersecurity analytics firm that was storing the data as part of its cyber intelligence services. Cognyte secured the data three days later, a rapid response that successfully blocked a potential exposure.
Now that we’ve described some of the ways in which security incidents can potentially impact your organization and provided some examples of recent cybersecurity incidents for your consideration, it’s time to introduce some of the most common types of security incidents that businesses see on a regular basis.
What Are the Most Common Types of Security Incidents?
Nowadays, the most common types of security incidents are almost entirely relegated to the cyber domain. Using technology to their advantage, cybercriminals will do everything and anything possible for financial gain. Here are some of the most common types of security incidents executed by malicious actors against businesses and organizations:
Unauthorized Access Attacks
This type of security incident involves any unauthorized attempt by a threat actor to access systems or data using an authorized user’s account. How a cybercriminal gains access to user accounts oftentimes remains a mystery, even long after an attack, but there are a few things your organization can do to prevent this type of security incident from occurring.
If you don’t already do so, require multi-factor authentication (or at least two-factor authentication) for all of your users. This will require users to provide an additional piece of identifying information after they enter a correct username and password. In many cases, multi-factor authentication alone is enough to deter a potential security incident from occurring: cybercriminals often go after the lowest hanging fruit, so any additional barriers you put in place between them and your data make you less likely to be targeted in the first place.
You should also consider encrypting your sensitive corporate data both at rest and in transit using suitable software or hardware technology. This way, attackers won’t be able to access your confidential data even if an attack is successful.
Privilege Escalation Attacks
This type of security incident occurs when an attacker gains unauthorized access to an organization’s network and then tries to obtain more privileges using a privilege escalation exploit. A successful privilege escalation exploit grants threat actors privileges that normal users don’t have, and usually this type of attack takes place only after a hacker has already compromised an organization’s network by gaining unauthorized access to a lower-level user account.
With privileged access to your most sensitive information, there’s no telling what a cybercriminal might do. However, there are some ways in which you can prevent this type of security incident from occurring.
First, you should start by looking for and remediating any security vulnerabilities – weak spots – in your IT environment. Ideally, this is something your organization should do on a regular basis by conducting vulnerability assessments and vulnerability scans as part of your overall risk management program. During the risk management process, your organization should take cyber risks into serious consideration by evaluating the risks to your sensitive data and taking the necessary steps to secure that data with a risk analysis and a well-documented risk management plan.
In this case and in others, the principle of least privilege is one that your organization should implement to limit the access rights for users to the bare minimum permissions they need to do their jobs. Also, consider security monitoring tools to help you collect and analyze potential security threats so you can respond appropriately.
Insider Threat Attacks
No organization wants to admit that their employees are capable of acting maliciously, but unfortunately, it’s a harsh reality that requires some serious attention. Insider threats are malicious (intentional) or accidental (unintentional) threats to your organization’s security data. Typically, this type of security incident is attributed to employees, former employees, or third parties including contractors, temporary workers or customers.
While it can be difficult to prevent insider threats from affecting your business, there are some things you can do to deter the possibility of a successful security incident. First and foremost, you should implement spyware scanning programs, antivirus programs, firewalls, and a rigorous data backup and archiving routine.
You should also train your employees and any contractors on security awareness before allowing them access to your corporate network. A robust security awareness training program should also include routine training sessions to avoid any unintentional security incidents resulting from user error.
To deter insider threats, you can also implement employee monitoring software to reduce your risk of a data breach or the theft of intellectual property by identifying careless, disgruntled, or malicious insiders. Additionally, a comprehensive whistleblower program that protects any employees who come forward about malicious activity can help your organization to gain intel about potential security incidents.
A data loss prevention policy will also let insiders know what’s expected of them when it comes to handling company data, and that they’re being monitored for unwanted behaviors. Sometimes, this alone is enough to prevent internal actors from acting carelessly or maliciously.
Phishing Attacks
In this type of social engineering attack, the attacker assumes the identity of a reputable entity or person via email to distribute malicious links or attachments that can perform a variety of functions, including extracting login credentials or account information from victims. More targeted types of phishing attacks are known as spear phishing attacks, wherein the attacker invests more time researching the victim to pull off an even more sophisticated attack.
On a technical level, a gateway email filter will help you trap a large number of mass-targeted phishing emails and reduce the overall number of emails that reach your users’ inboxes. However, you probably won’t be able to prevent every single phishing attempt from entering every single inbox, but there are some things you can do to reduce the likelihood that one of your employees will fall victim to a phishing attack.
Start by educating your users so that they’re better able to identify phishing attempts on their own. In some organizations, incentive programs encourage employees to identify and report phishing emails in exchange for a reward. These types of programs have shown success in preventing phishing attacks from leading to more serious types of security incidents, like malware attacks.
Malware Attacks
Malware is a broad term for a variety of different types of malicious software, including Trojans, worms, ransomware, adware, spyware, and other types of viruses. Malware can either be inadvertently installed when a user clicks on an advertisement, visits an infected website, or installs freeware or other infected software; or it can be installed intentionally by insider threat actors or malicious actors with unauthorized access.
The signs of a malware attack include unusual system activity, sudden loss of disk space, unusually slow speeds, repeated crashes or freezes, an increase in unwanted internet activity, and pop-up advertisements.
To protect your organization against this type of security incident, you should install an antivirus tool to detect and remove any malware. Whether you decide on real-time protection or routine system scans to detect and remove malware, whichever tool you choose should protect your organization against any existing malware in addition to any future malware attacks.
Distributed Denial-of-Service (DDoS) Attacks
This type of security incident takes place when a threat actor floods the target with traffic, or sends it information that triggers a shutdown of an individual machine or an entire network, so that it’s unable to respond to service requests. Typically, these types of attacks can be dealt with by simply rebooting the system.
To block any future unwanted traffic, you can also reconfigure your firewalls, routers, and servers. Keep your firewalls updated with the latest security patches as part of your overall patch management program to keep your systems, software, and applications at their most secure. If you so choose, you can also integrate front-end hardware into your network to help analyze and screen data packets to classify them as they enter the system.
Man-in-the-Middle (MitM) Attacks
This type of security incident occurs when an attacker secretly intercepts and alters messages between two parties who believe they are communicating directly with each other. In a man-in-the-middle attack, the attacker manipulates both victims in order to gain access to their data. This can take place via session hijacking, email hijacking, and wi-fi eavesdropping.
Although this type of attack is difficult to detect, there are some ways you can prevent it from happening. You should first consider implementing an encryption protocol that provides authentication, privacy and data integrity between communicating computer applications such as Transport Layer Security (TLS). Or, perhaps a network protocol that gives users, particularly systems administrators, a secure way to access a computer over an unsecured network such as a Secure Shell Protocol (SSH).
You should also educate your employees on the dangers of using open public wi-fi networks because it’s much easier for hackers to exploit these connections. For the most network protection, use a virtual private network (VPN) to help ensure more secure connections.
Password Attacks
A password attack is a type of security incident in which the attack is aimed specifically at obtaining a user’s password or an account’s password. To do so, hackers use a variety of methods, such as password-cracking programs, dictionary attacks, password sniffers, or simply guessing passwords via brute force trial and error.
A password cracker is an application or program that’s used to identify an unknown or forgotten password to a computer or network’s resources. When in the hands of a hacker, a password cracker can be used to gain unauthorized access to company resources.
A dictionary attack is a method of breaking into a password-protected computer system or server by systematically entering every word in the dictionary as a password until the attacker guesses correctly. While this method might not be the most efficient, if a hacker does guess a correct password, they may try to log in to multiple accounts using the same hacked password.
A brute force attack is one in which a hacker or bot attempts to log in using a series of generated passwords over and over again until they are successful. This type of trial and error attack can also cause websites to crash and is yet another reason why multi-factor authentication is so important.
These types of security incidents can be difficult to prevent completely, but there are some things you can do to defend yourself against them in the future. As mentioned above, multi-factor authentication is the best way to prevent unauthorized logins. Even if a cybercriminal guesses the correct password, it won’t be enough information to get them into your system.
You should also insist that your employees use strong passwords that include at least seven characters as well as a mix of upper and lower case letters, numbers, and symbols. Users should also change their passwords regularly and avoid reusing the same password for multiple accounts. Any passwords your organization stores should be kept in secured repositories and encrypted.
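The three password-attack patterns described above (a burst of failures against one account, a guessed password being tried across many accounts, and a login that succeeds right after such a burst) can be detected in authentication logs. The following is an added example, not code from the original article; the log format, the thresholds and every sample line are constructed for illustration.

```python
"""Detection logic for password-guessing activity in authentication logs.

Added example, not code from the original article. The log format, the
thresholds and every sample line below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <account> <result>"
SAMPLE_LOG = """\
2022-03-01T09:00:01 10.0.0.5 alice FAIL
2022-03-01T09:00:02 10.0.0.5 alice FAIL
2022-03-01T09:00:03 10.0.0.5 alice FAIL
2022-03-01T09:00:04 10.0.0.5 alice FAIL
2022-03-01T09:00:05 10.0.0.5 alice FAIL
2022-03-01T09:00:06 10.0.0.5 alice FAIL
2022-03-01T09:00:07 10.0.0.5 alice SUCCESS
2022-03-01T09:10:00 10.0.0.9 bob FAIL
2022-03-01T09:10:01 10.0.0.9 carol FAIL
2022-03-01T09:10:02 10.0.0.9 dave FAIL
2022-03-01T09:10:03 10.0.0.9 erin FAIL
2022-03-01T09:10:04 10.0.0.9 frank FAIL
2022-03-01T11:00:00 10.0.0.7 bob FAIL
2022-03-01T11:00:20 10.0.0.7 bob SUCCESS
"""

WINDOW = timedelta(minutes=5)     # sliding window for counting failures
BRUTE_FORCE_THRESHOLD = 5         # failures against one account from one source
SPRAY_THRESHOLD = 4               # distinct accounts failed from one source


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def _prune(entries, now):
    """Drop entries older than the sliding window (entries are (ts, value))."""
    return [e for e in entries if now - e[0] <= WINDOW]


def detect_password_attacks(events):
    """Return (alert_type, source_ip, detail) findings in time order.

    brute_force:            too many failures on one account from one source
    success_after_failures: a login succeeded right after such a burst, the
                            case that needs an immediate response
    password_spray:         one source failing against many accounts, i.e. a
                            guessed password being tried across accounts
    """
    alerts = []
    account_fails = defaultdict(list)   # (ip, user) -> [(ts, None)]
    source_fails = defaultdict(list)    # ip -> [(ts, user)]
    already = set()                     # suppress repeated alerts per key

    for ts, ip, user, result in sorted(events, key=lambda e: e[0]):
        key = (ip, user)
        account_fails[key] = _prune(account_fails[key], ts)
        source_fails[ip] = _prune(source_fails[ip], ts)

        if result == "FAIL":
            account_fails[key].append((ts, None))
            source_fails[ip].append((ts, user))
            n = len(account_fails[key])
            if n >= BRUTE_FORCE_THRESHOLD and ("bf", key) not in already:
                already.add(("bf", key))
                alerts.append(("brute_force", ip, f"{n} failures for {user}"))
            targets = {u for _, u in source_fails[ip]}
            if len(targets) >= SPRAY_THRESHOLD and ("spray", ip) not in already:
                already.add(("spray", ip))
                alerts.append(("password_spray", ip, f"{len(targets)} accounts tried"))
        elif result == "SUCCESS":
            n = len(account_fails[key])
            if n >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("success_after_failures", ip,
                               f"{user} logged in after {n} failures"))
            account_fails[key].clear()   # a success resets the account counter
    return alerts


if __name__ == "__main__":
    for alert in detect_password_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single failure followed by a success for bob from 10.0.0.7 stays below the threshold and produces no alert, which is the ordinary mistyped-password case these rules must not flood analysts with.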
Web Application Attacks
This type of security incident occurs when a web application is used as the vector of an attack. Web application attacks include exploits of code-level vulnerabilities in the application as well as attacks that thwart authentication mechanisms.
For example, a cross-site scripting (XSS) attack is a type of web application attack known as an injection attack; it occurs when an attacker injects data (such as a malicious script) into content served by otherwise trusted websites.
To avoid this type of attack, your organization should review code early in the development phase to detect any vulnerabilities automatically by using static and dynamic code scanners. You should also implement bot detection functionality to prevent bots from accessing your application data. Finally, a web application firewall will help you monitor your network and block potential attacks.
Another type of web application attack is called an advanced persistent threat (APT), which is a prolonged and targeted cyberattack that’s typically executed by cybercriminals or nation states to gain access to a network and remain undetected for a period of time. Ultimately, the goal with this type of security incident is to monitor the target’s network activity and to steal data rather than cause damage to the network or organization.
To avoid this type of attack, your organization should monitor both incoming and outgoing traffic to prevent hackers from installing backdoors and extracting sensitive data. Again, web application firewalls at the edge of your network perimeter will help to filter any traffic coming into your web application servers. A firewall can also help filter out application layer attacks such as SQL injection attacks which are often used during the APT infiltration phase.
How to Prevent & Mitigate Security Incidents
For each of the common security incidents described above, we included a number of things you can do to prevent or at least reduce the chances of an incident occurring. To make things easier, we’ve compiled those suggestions into a singular and actionable list so that you can get started preventing and mitigating security incidents for your organization.
Security Incident Detection
The first step to preventing security incidents from occurring is to put the right tools and processes in place to detect security incidents before they occur. Security incident detection is not only important for detecting and responding to incidents before they do damage, but also so that you can track and trace the origins of the security incident and put the appropriate security controls in place to prevent it from happening again.
Monitor User Account Behavior
Start by implementing behavior analytics tools to monitor user account behavior. Before you start looking for any anomalous behavior, you need to set the baseline for what “normal” behavior looks like. Once you’ve established that pattern, you can start looking for anomalies in behavior patterns, especially for privileged users. Any unusual behavior could be an indication that a security incident is taking place.
You should also monitor for any unauthorized users attempting to access servers and data, or requesting access to data that isn’t critical to their job function. This type of behavior is indicative of two scenarios: an inside threat actor attempting to gain unauthorized access to sensitive information for malicious purposes, or a malicious actor who has successfully gained access to a user account and is using it to attempt to reach more privileged data.
As a general rule, you should always use the principle of least privilege when it comes to your data. This means only granting access to data to those employees who need access in order to perform their duties. However, in order to implement this principle, you’ll need to start by categorizing your data by sensitivity so that you know which data your employees should have the least access to.
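The baseline-then-anomaly approach and the least-privilege check described in this section, as an added example that is not code from the original article. The activity history, the role-to-resource map, the hour tolerance and the double weighting of privileged accounts are all constructed assumptions.

```python
"""Baseline-then-anomaly checks on user account activity.

Added example, not code from the original article. The history, roles,
resource map and scoring rules are constructed for illustration.
"""
from collections import defaultdict

# Constructed history of normal activity: (user, hour_of_day, country, resource)
HISTORY = [
    ("alice", 9, "US", "crm"), ("alice", 10, "US", "crm"), ("alice", 14, "US", "wiki"),
    ("bob", 9, "US", "wiki"), ("bob", 11, "US", "ticketing"),
    ("dbadmin", 8, "US", "prod-db"), ("dbadmin", 17, "US", "prod-db"),
]

# Constructed role data: least privilege means each role gets only the
# resources it needs, so access outside that set is worth a look.
ROLE_OF = {"alice": "sales", "bob": "support", "dbadmin": "dba"}
ALLOWED = {"sales": {"crm", "wiki"}, "support": {"wiki", "ticketing"},
           "dba": {"prod-db", "wiki"}}
PRIVILEGED_ROLES = {"dba"}
HOUR_TOLERANCE = 1   # hours adjacent to a seen hour still count as normal


def build_baseline(history):
    """Per-user sets of seen hours, countries and resources."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "resources": set()})
    for user, hour, country, resource in history:
        base[user]["hours"].add(hour)
        base[user]["countries"].add(country)
        base[user]["resources"].add(resource)
    return dict(base)


def score_event(event, baseline):
    """Return (score, reasons); privileged accounts are weighted double."""
    user, hour, country, resource = event
    reasons = []
    profile = baseline.get(user)
    if profile is None:
        reasons.append("no baseline for account")
    else:
        if not any(abs(hour - h) <= HOUR_TOLERANCE for h in profile["hours"]):
            reasons.append(f"unusual hour {hour:02d}:00")
        if country not in profile["countries"]:
            reasons.append(f"new country {country}")
    role = ROLE_OF.get(user)
    if resource not in ALLOWED.get(role, set()):
        reasons.append(f"resource {resource} outside role {role}")
    score = len(reasons) * (2 if role in PRIVILEGED_ROLES else 1)
    return score, reasons


def find_anomalies(events, baseline, min_score=1):
    """Events scoring at least min_score, highest score first."""
    found = []
    for event in events:
        score, reasons = score_event(event, baseline)
        if score >= min_score:
            found.append((score, event[0], reasons))
    return sorted(found, key=lambda f: -f[0])


# Constructed new activity to evaluate against the baseline
NEW_EVENTS = [
    ("alice", 10, "US", "crm"),       # normal
    ("alice", 3, "XX", "crm"),        # odd hour and a country never seen before
    ("bob", 10, "US", "prod-db"),     # resource outside the support role
    ("dbadmin", 2, "US", "prod-db"),  # odd hour on a privileged account
    ("mallory", 12, "US", "wiki"),    # account with no baseline and no role
]

if __name__ == "__main__":
    for score, user, reasons in find_anomalies(NEW_EVENTS, build_baseline(HISTORY)):
        print(score, user, "; ".join(reasons))
```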
Monitor Network Traffic
Your organization’s network is the gateway into your systems and data; keeping it secure is the best way to prevent attackers from gaining unauthorized access to your organization’s sensitive information. However, when it comes to network traffic, it’s important to monitor not just the traffic coming into your network, but also the traffic leaving your network perimeter.
This might include insiders uploading large files to personal cloud applications, sending large numbers of email messages containing attachments to addresses outside the company, or downloading large files to external storage devices such as USB drives. You should also monitor for any traffic sent to or from unknown locations, especially if your company only operates in one country.
In general, your administrators should investigate any unknown or suspicious network traffic to ensure its legitimacy. Even if there isn’t anything malicious actually occurring, in this case, it’s better to be safe than sorry.
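The outbound-traffic patterns this section names (large uploads to personal cloud services, bulk external email with attachments, and traffic to or from countries where the company does not operate) as rules over egress records. This is an added example, not code from the original article; the record format, domain lists, thresholds and all sample records are constructed.

```python
"""Rules over outbound (egress) records for the traffic patterns the article lists.

Added example, not code from the original article. The record format, the
domain lists, the thresholds and all sample records are constructed.
"""
from collections import defaultdict

OPERATING_COUNTRIES = {"US"}                  # where this organization does business
PERSONAL_CLOUD_DOMAINS = {"drive.personalcloud.example", "share.filebox.example"}
CORPORATE_DOMAINS = {"example.com"}
UPLOAD_BYTES_THRESHOLD = 100 * 1024 * 1024    # 100 MiB to a personal cloud service
EXTERNAL_ATTACHMENT_THRESHOLD = 5             # external emails with attachments per user

# Constructed egress records: one dict per outbound connection or message
RECORDS = [
    {"user": "alice", "proto": "https", "dst": "crm.example.com",
     "country": "US", "bytes_out": 2_000_000, "attachment": False},
    {"user": "bob", "proto": "https", "dst": "drive.personalcloud.example",
     "country": "US", "bytes_out": 850_000_000, "attachment": False},
    {"user": "dave", "proto": "https", "dst": "203.0.113.7",
     "country": "XX", "bytes_out": 4_096, "attachment": False},
] + [
    {"user": "carol", "proto": "smtp", "dst": f"partner{i}.example.net",
     "country": "US", "bytes_out": 3_000_000, "attachment": True}
    for i in range(6)
]


def is_external(dst):
    """True unless dst is a corporate domain or one of its sub-domains."""
    return not any(dst == d or dst.endswith("." + d) for d in CORPORATE_DOMAINS)


def review_egress(records):
    """Return (rule, user, detail) findings; each rule fires once per user."""
    findings = []
    attachments_out = defaultdict(int)   # user -> external emails with attachments
    for r in records:
        user, dst = r["user"], r["dst"]
        if dst in PERSONAL_CLOUD_DOMAINS and r["bytes_out"] >= UPLOAD_BYTES_THRESHOLD:
            findings.append(("large_personal_cloud_upload", user,
                             f"{r['bytes_out'] // (1024 * 1024)} MiB to {dst}"))
        if r["country"] not in OPERATING_COUNTRIES:
            findings.append(("unexpected_country", user,
                             f"{r['proto']} to {dst} in {r['country']}"))
        if r["proto"] == "smtp" and r["attachment"] and is_external(dst):
            attachments_out[user] += 1
            if attachments_out[user] == EXTERNAL_ATTACHMENT_THRESHOLD:
                findings.append(("bulk_external_attachments", user,
                                 f"{attachments_out[user]} external emails with attachments"))
    return findings


if __name__ == "__main__":
    for finding in review_egress(RECORDS):
        print(finding)
```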
Monitor Suspicious Activity
Monitoring user account behavior and network traffic are just two of the ways in which you can deter potential security incidents from occurring. Some of the other suspicious activity you should monitor include:
- Excessive consumption or an increase in performance of server memory or hard drives could mean an attacker is accessing them.
- Changes in configuration that haven’t been approved, such as reconfiguration of services, installation of startup programs or firewall changes are often a sign of possible malicious activity.
- Hidden files that might be considered suspicious due to file names, sizes, or locations and could indicate a data leak.
- Unexpected changes such as user account lockouts, password changes or sudden changes in group memberships.
- Abnormal browsing behavior like unexpected redirects, changes in browser configuration, or repeated pop-ups.
- Suspicious registry entries, which are usually a result of a malware infection.
Security Incident Management
As you continuously monitor for threats, your organization will inevitably need to evaluate the risk an attack could pose as well as the vulnerabilities an attacker might exploit to do so. If you haven’t already done so, now is the time to implement a risk management program that’s designed to help your organization identify, analyze, prioritize and mitigate cyber risks.
Cyber Risk Management
The cyber risk management process is ongoing, meaning that once you begin, you’ll need to keep the program alive and well if you want it to have any beneficial impact on your organization.
To begin, start by creating a list of your company assets and keeping it current; it’s impossible to know how to protect your assets if you aren’t exactly sure what those assets are. Then, you’ll need to conduct a risk assessment to determine the level of risk each of those assets presents to your organization. Next, you’ll need to prioritize those risks and create a mitigation plan for each one you identify. After you mitigate your existing cyber risks, it’s time to start the process all over again.
In general, your organization should aim to regularly conduct vulnerability assessments to identify vulnerabilities in your systems, software, and applications throughout the risk management process. You should also regularly conduct risk assessments to determine whether your internal security controls are working effectively to prevent threats from doing damage.
See our five-step risk management article for more details.
Incident Response, Disaster Recovery, and Business Continuity Plans
Ultimately, security incidents are bound to occur; you simply cannot mitigate every single cyber risk. However, you can decide how your organization will respond to those risks if they can’t be prevented. As part of your risk management program, your organization should create a thorough incident response plan to ensure the correct course of action is taken in the event of a security incident.
This includes making sure that the right people know what to do when a security incident does occur, and that you have the right plans in place to cover your assets in a number of disruptive events, including cybersecurity incidents, natural disasters, and more. A disaster recovery plan will help your organization ensure business continuity in the face of one of these disruptions.
Tools to Help
Protecting your organization from security incidents altogether is an impossible task, and especially if you’re attempting to do so all on your own. These days, it takes a village to protect a business from increasingly frequent and sophisticated cyberattacks.
However, with a wealth of security software solutions, tools, and applications to choose from, picking the right ones to help can start to get overwhelming too. You want a tool that can do it all: threat monitoring, risk management, governance and compliance.
Fortunately, there are solutions designed to help.
Prevent Security Incidents with Reciprocity ZenRisk
Protecting your organization from security incidents is no easy task, and especially as cybersecurity opens organizations up to new and even undiscovered threats. While large enterprises may have the funding to take on such a task internally, many organizations simply lack the funding necessary to get the job done. That’s where cybersecurity solutions can help.
Reciprocity® ZenRisk is an integrated cybersecurity risk management solution designed to provide you with actionable insights to gain the visibility you need to stay ahead of threats and clearly communicate the impact of risk on high-priority business initiatives. Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats and controls for you, so you can spend less time setting up the application and more time using it.
A single, real-time view of risk and business context allows you to clearly communicate to the board and key stakeholders in a way that’s framed around their priorities, keeping your risk posture in sync with the direction your business is moving.
Reciprocity ZenRisk will even notify you automatically of any changes or required actions, so you can be on top of your risk posture like never before. Eliminate time-consuming, manual work and streamline collaboration by automating workflows and integrating with your most critical systems.
Plus, Reciprocity ZenRisk is seamlessly integrated with Reciprocity ZenComply so you can leverage your compliance activities to improve your risk posture with the use of AI. Built on the Reciprocity ROAR Platform, the Reciprocity product suite gives you the ability to see, understand and take action on your IT and cyber risks.
Now, through a more proactive approach, you can give time back to your team with Reciprocity ZenRisk. Talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization mitigate cybersecurity risk and stay ahead of threats.