Why data breaches have become ‘normalized’ and 6 things CISOs can do to prevent them

Every week, a new data breach threatens enterprise organizations worldwide, forcing a re-evaluation of cybersecurity strategies to protect consumers. In recent months, we’ve seen major breaches at companies like 23&Me, Okta, United Healthcare and American Express — putting incredibly sensitive consumer data at risk. Between 2022 and 2023, there was a 20% increase in data breaches. And with Microsoft, Roku and many other companies already battling data breaches in the first months of 2024, this unfortunate trend shows no sign of slowing down. 

The Okta breach, which affected all of their customers due to an employee’s use of a personal Google profile on a company laptop, underscores the criticality of the human element in cybersecurity. According to the Verizon DBIR 2024, 74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering.  

The continued role of human error in cyber breaches is a clear sign that cybersecurity training as a control approach has categorically failed the market. The Okta incident is a grave reminder of the vulnerabilities that can arise from seemingly innocuous behaviors, like signing into a personal account on a work device, which may contravene established security policies. With this in mind, it’s crucial that CISOs and their teams ensure employees are aware of these vulnerabilities, in addition to building a system that’s resilient to breaches.

What should be on CISO priority lists (if they’re not already)

Here are six items that CISOs should focus on in 2024 to protect their organizations from the risk of a data breach:

1. Employ a remote browser isolation (RBI) system to alleviate human error: The Okta breach is a classic example of how human error can lead to significant security incidents. Even the most robust security measures can be undermined by simple mistakes. Employees must be continuously educated on the risks of mixing personal and professional digital activities. An RBI system can help to technically alleviate these issues.
2. Implement a zero trust strategy: A zero trust approach assumes that breaches can happen and verifies each request as if it originates from an open network. Regardless of whether a request comes from within or outside the enterprise’s network, it must be authenticated, authorized and encrypted before granting access. This strategy mitigates damage by requiring additional verification before allowing access to sensitive customer support systems.
3. Enforce and monitor IT policies: Companies must enforce policies that prevent the use of personal accounts on work devices and monitor compliance. Automated tools should be used to flag and block such activities, and anomalies and policy violations should be enforced automatically via policy controls. Policies are pointless if CISOs neglect their enforcement.
4. Prepare incident responses: A swift and transparent response to breaches is crucial. Okta reported the incident and took immediate action, which is a key step in managing the aftermath of a breach. Especially with the new SEC disclosure rules, companies must be prepared to respond to breaches and report them immediately to the necessary parties.
5. Strengthen privileged access management (PAM): Strengthening PAM can ensure that even if employee credentials are compromised, the access is limited and does not allow for widespread exploitation. While the goal is to avoid breaches entirely, mitigating those vulnerabilities is critical to a successful response.
6. Reinforce endpoint security: Ensuring that all endpoints are secure and cannot be accessed through compromised third-party accounts is essential. Solutions that monitor for anomalous behavior could have potentially identified unusual activity resulting from the compromised credentials. Additionally, application controls and ring-fencing are valuable in addressing these issues.

When it comes to regulations, compliance does not equal security

It’s also worth noting that despite the introduction of significant regulations like the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), as well as the potential for hefty fines for non-compliance, evidence suggests that these mechanisms have not had a dramatic impact on the security market. 

For instance, a study investigating the impact of GDPR infringement fines on the market value of companies found that, while there was a statistically significant cumulative abnormal return of around -1% on average up to three days after a fine announcement, the negative economic impact on market value far outweighed the monetary value of the fine itself. This suggests that the fines, albeit substantial, were not sufficiently punitive to motivate significant changes in corporate behavior among large market capitalization companies Additionally, security breach announcements, which often result in fines and penalties, only led to an average market value decrease of about 1% for the affected firms, indicating a relatively minor financial impact considering the potentially vast scale of such breaches. 

While PCI DSS compliance aims to secure credit card data and involves penalties ranging from fines to card acceptance rights revocation, the effectiveness of these sanctions as a deterrent is questionable. The threat of negative publicity and the business risk associated with non-compliance are known, yet breaches and compliance failures continue to occur. This tells us that the potential costs of non-compliance might not be perceived as a significant business threat or that the enforcement of these penalties is not consistent enough to enforce compliance.

To put it simply, compliance does not equal security. And to date, no significant fines or punitive measures have shown impact on the market overall. These cases underscore a broader issue within the security market: While regulations and fines aim to motivate companies towards better security practices and compliance, their actual impact, especially on major companies with substantial resources, seems limited. The lack of significant punishment for overt failures, as evidenced by minimal impacts on market valuation and the continued occurrence of data breaches, points to a need for re-evaluating the effectiveness of current compliance and penalty mechanisms.  

Security leaders’ opportunity to educate their workforce and up their game

While current regulations are not having their intended effect on the market, there are steps organizations can take to protect themselves, as mentioned above. In connecting with IT and cybersecurity leaders, discussions should focus on real-world implementation of zero trust principles, the balance between ease of use and security and promoting a security-first culture among all employees to reduce the risk of human error. Additionally, exploring technologies like behavior analytics, AI-driven threat detection, RBI and continuous authentication methods can provide further insights into building resilient systems. 

As cybersecurity professionals improve their practices, so do the hackers behind data breaches. These attackers are finding new methods to break into systems at a rapid pace. However, doing the simple things to prevent human error ensures that you won’t make hacking into your system a walk in the park. The recent ConnectWise vulnerability was described as “embarrassingly easy” to exploit, and these types of mistakes are simply unacceptable in 2024. Too many organizations are rolling the dice on security, especially given the threats we face today.

Every day that goes by without a cyber-educated workforce is another day that digital systems are at extreme risk. If CISOs can get on the same page about doing the little things, and ensure  all employees are fully aware of the threats and the resources they have to fight them, we will see data breaches start to decrease in both number and size. A proactive, informed approach to cybersecurity will be the cornerstone in defending against 2024’s evolving cyber-attacks, ensuring the security and integrity of global digital ecosystems and the consumers who use them.

Chase Cunningham (“Dr Zero Trust”) is VP of security market research at G2.