In the cybersecurity field, there are few issues as pressing as data breaches. Many professionals spend the bulk of their time and effort at work figuring out how to understand, recognize, identify, and prevent unwanted data exfiltration. Data breaches stem from a wide variety of sources, from malicious bad actors to well-meaning employees, and can consist of any number of actions and consequences. The risks and costs of data breaches are high, and it is vital for organizations to work to protect their data against these incidents. This breakdown of the anatomy of a data breach can help a company to achieve that goal.
Actors and Actions
Understanding who is behind a security incident and what they are doing is an important step in preventing data breaches. According to Verizon’s 2023 Data Breach Investigation Report, the top actors by a wide margin are external factors, responsible for 83% of breaches. The external category includes not only hackers and other nefarious actors, but also acts of God, “Mother Nature,” and random chance. Internal actors account for 19% of data breaches; this category includes both intentional insider threats and accidental or negligent actors.
Action categories in data breaches include hacking, malware, human error, social engineering, misuse of resources, and even physical and environmental threats. The top actions taken by threat actors are the use of stolen credentials in more than 40% of breaches, ransomware in around 25% of breaches, and phishing in about 15% of breaches. The most popular attack vector by far is web applications, used in around 60% of breaches, followed by email (around 30%) and carelessness (just under 20%).
Assets and Attributes
In the context of a data breach, assets refer to “the entities that can be affected in an incident or breach and end up being manipulated by the threat actors.” Asset categories include servers, people, user devices, networks, and media. By far the most impacted assets are servers, playing a role in more than 80% of breaches, followed by people and user devices, each at around 20%. When broken down further, top asset varieties are web applications (around 60%), mail (around 35%), and desktop or laptop devices (around 20%).
Attributes directly map onto the ubiquitous information security CIA triad: confidentiality, integrity, and availability. The top confidentiality data varieties in breaches are personal information and credentials, each present in around 50% of data breaches. Personally identifiable information is not only the most popular data variety, but the most likely to get an organization in trouble with regulatory entities if customer or employee information is breached. Ensuring that this data is kept secure should be a top priority for businesses, especially those who handle particularly sensitive information such as legal or medical data.
Detection and Identification
An organization must have measures, policies, and data loss prevention solutions in place to detect risk when bad actors attempt to carry out their attacks. Prevention is key, which is why it is important to be able “to discover and detect not just individual instances of sensitive data exposure within applications, but the user activity leading up to these incidents.” Solutions that flag suspicious user behavior can potentially catch malicious attacks, stolen credentials, and even accidental data breaches cause by negligence or error.
Identification of a breach, according to IBM’s 2023 Cost of a Data Breach Report, refers to the time that it takes to discover a security incident. Of the incidents analyzed in the report, 40% were discovered by a benign third party, 33% by the organization’s own security teams and tools, and 27% by disclosure from the attacker. The overall average (mean) amount of time that it took to identify and contain a breach in 2023 was 277 days, over nine months, and the majority of that time was identification.
Containment and Remediation
The step after identification is containment, which is taking the steps necessary “to resolve the situation and restore service after the breach has been detected.” This process tends to take far less time than discovery and identification—average breach containment time is around 35% as long as average identification time. Containment includes comprehending the scope of the breach, notifying law enforcement, and investigating who the attackers are, what they want, and what they’ve done.
Remediation is the final step in a data breach, wherein the organization should ameliorate whatever security gaps or vulnerabilities may have led to the breach, reevaluate the existing security infrastructure and policies, and attempt to implement measures to ensure a breach does not happen again. It can be costly and time-consuming to deploy new security solutions and practices, especially in the wake of an already expensive attack, but more often than not, it is worth the investment to prevent another attack.
Data breaches can be catastrophic for organizations of all sizes and in all fields, but it is difficult to prevent or remediate an incident without understanding where and how breaches originate and are carried out. The lifespan of a data breach can last months, or even more than a year without proper tools and measures in place to detect and identify suspicious behaviors that can be evidence of an attack incoming or already in progress. The impact can be devastating, especially if a business does not have cyber insurance or an incident response plan in place. Knowing what data breach incidents look like and how they work is the first step to preventing one.
PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also a regular writer at Bora .