
What is a security breach?


A security breach occurs when an incident results in unauthorized access to digital data, applications, services, networks, or devices when a private, protected, or confidential logical IT perimeter is entered without permission. The ultimate result of a security breach is information being accessed without authorization.

Security breach examples

Most organizations would prefer not to reveal security breaches. However, if the security breach results in a data breach, compliance requirements make it mandatory for them to disclose the incident publicly.

Unfortunately, there have been many security breach incidents that have escalated to data breaches. Rather than enumerate the names of the impacted organizations, the following is a summary of what happened with a few security breach incidents.

In one, a web application vulnerability resulted in the exfiltration of millions of customers’ sensitive information, including their names, social security numbers, and driver’s license numbers. This advanced persistent threat (APT) attack was carried out over several months.

A phishing attack allowed cybercriminals to gain access to an organization’s network. This attack started with a spear-phishing email that one employee clicked on, giving the cybercriminals access. Moving laterally from the initial point of network entry, the cybercriminals were able to access billions of users’ accounts.

Another organization suffered a data breach that was caused by a third party’s security breach. Gaining access through a partner, the cybercriminals were able to leapfrog across networks to access millions of customer passwords.

A security breach at an organization that handled highly sensitive information led to the exposure of more than 10 million passwords. After gaining entry, the cybercriminals were able to crack the passwords in less than a week due to the use of weak encryption.

Flaws in internal software led to a security breach that resulted in tens of thousands of customer records being lost. Cybercriminals took advantage of multiple vulnerabilities in the software.

An organization that was known to be a cybersecurity expert suffered an embarrassing security breach. A cybercriminal gained unauthorized access by compromising an employee’s virtual private network (VPN) credentials.

Types of security breaches

Accidental insiders

Insiders, meaning users with authorized access to internal systems, services, and networks, are said by security experts to be responsible for at least half of all security breaches. Cybercriminals prey on human weaknesses to bypass difficult technical barriers. And, sometimes, people simply make mistakes that leave systems and networks vulnerable to attackers.

Application vulnerabilities and backdoors

Unpatched vulnerabilities in applications are exploited for security breaches. Despite developers’ best efforts, software has flaws. When these are detected, patches are released to remediate the vulnerability. However, patches only work when they are installed. IT departments are notorious for delaying updates or not applying patches. When vulnerabilities are detected, cybercriminals are aware of them too, and take advantage.

Distributed denial of service (DDoS)

A distributed denial of service (DDoS) attack is an attempt to disrupt the normal traffic of a targeted website by overwhelming it with a flood of traffic. DDoS attacks often target government or financial services sites and render the websites slow or unavailable.

Improper permission management

Overpermissioning is an oft-used path to a security breach. Giving too many users access privileges beyond what they need creates opportunities for cybercriminals. Also, failing to revoke access privileges when they are no longer required is a vector that can be exploited. Proper permission management mitigates issues with access privileges being exploited.
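The two conditions described above, entitlements beyond what a role needs and entitlements that were never revoked, are exactly what a periodic access review looks for. The following is an added example of such a review, written for this article rather than taken from SailPoint's products; the role baseline, user records and dates are constructed for illustration.

```python
"""Flag over-permissioned and stale entitlements in an access review.

Added example; not SailPoint's code. The role baselines, user records
and dates below are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed role baseline: the entitlements each job role legitimately needs.
ROLE_BASELINE = {
    "analyst": {"crm:read", "reports:read"},
    "dba": {"db:admin", "reports:read"},
}

# Constructed user records: role, granted entitlements, and the date each
# entitlement was last exercised (None = never used since it was granted).
USERS = [
    {"user": "alice", "role": "analyst",
     "entitlements": {"crm:read": date(2024, 4, 20), "reports:read": date(2024, 4, 28)}},
    {"user": "bob", "role": "analyst",
     "entitlements": {"crm:read": date(2024, 4, 25), "db:admin": date(2024, 1, 3)}},
    {"user": "carol", "role": "dba",
     "entitlements": {"db:admin": date(2024, 4, 29), "reports:read": None}},
]


def review_access(users, baseline, today, stale_after=timedelta(days=90)):
    """Return (excess, stale).

    excess: (user, entitlement) pairs outside the user's role baseline,
            i.e. overpermissioning.
    stale:  (user, entitlement) pairs not used within stale_after, or never
            used at all, i.e. access that should have been revoked.
    """
    excess, stale = [], []
    for rec in users:
        allowed = baseline.get(rec["role"], set())
        for ent, last_used in rec["entitlements"].items():
            if ent not in allowed:
                excess.append((rec["user"], ent))
            if last_used is None or today - last_used > stale_after:
                stale.append((rec["user"], ent))
    return sorted(excess), sorted(stale)


def revocation_plan(excess, stale):
    """Turn findings into actions: excess access is revoked outright; stale
    but in-baseline access is sent to the manager for recertification."""
    excess_set = set(excess)
    revoke = sorted(excess_set)
    recertify = sorted(pair for pair in stale if pair not in excess_set)
    return {"revoke": revoke, "recertify": recertify}


if __name__ == "__main__":
    excess, stale = review_access(USERS, ROLE_BASELINE, today=date(2024, 5, 1))
    print(revocation_plan(excess, stale))
```

Running the review with the constructed data flags bob's `db:admin` both as outside the analyst baseline and as unused for more than 90 days, and carol's never-used `reports:read` for recertification; alice's entitlements pass.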

Malware

Cybercriminals often use malicious software, called malware, both for security breaches and data breaches. Examples of malware include spyware, ransomware, viruses, worms, and Trojan horses. There are many malware attack vectors, but email is one of the most common.

Password spraying

A password spraying attack uses one or a few common passwords to attempt to gain access to many accounts in a system. Because a single success is enough to gain a foothold, the tactic is an effective way to execute a security breach. Password spraying is considered more efficient than brute-force password attacks, which test a long series of passwords against a single account.
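The distinguishing signal of spraying is the inverse of brute force: many accounts, very few failures each, from one source. The following is an added detection example written for this article, not SailPoint's code; the authentication log format and the log lines are constructed, and the thresholds are illustrative values a defender would tune to their own environment.

```python
"""Detect password-spraying versus brute-force patterns in authentication logs.

Added example; not SailPoint's code. The log format (timestamp, outcome,
account, source IP) and all log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays a single guess across many
# accounts, another hammers one account, a third is an ordinary user.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL alice 203.0.113.7
2024-05-01T09:00:04 FAIL bob 203.0.113.7
2024-05-01T09:00:07 FAIL carol 203.0.113.7
2024-05-01T09:00:10 FAIL dave 203.0.113.7
2024-05-01T09:00:13 FAIL erin 203.0.113.7
2024-05-01T09:00:16 SUCCESS frank 203.0.113.7
2024-05-01T09:01:00 FAIL grace 198.51.100.2
2024-05-01T09:01:01 FAIL grace 198.51.100.2
2024-05-01T09:01:02 FAIL grace 198.51.100.2
2024-05-01T09:01:03 FAIL grace 198.51.100.2
2024-05-01T09:01:04 FAIL grace 198.51.100.2
2024-05-01T09:01:05 FAIL grace 198.51.100.2
2024-05-01T09:05:00 FAIL heidi 192.0.2.9
2024-05-01T09:05:30 SUCCESS heidi 192.0.2.9
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, outcome, account, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, account, src = line.split()
        events.append((datetime.fromisoformat(ts), outcome, account, src))
    return events


def detect_spraying(events, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2, min_attempts=5):
    """Classify each source IP by its failure pattern inside a sliding window.

    spray:       >= min_accounts distinct accounts, <= max_per_account failures each
    brute_force: one account with >= min_attempts failures
    """
    by_src = defaultdict(list)
    for ts, outcome, account, src in events:
        if outcome == "FAIL":
            by_src[src].append((ts, account))

    findings = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward so it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in fails[start:end + 1]:
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                findings[src] = {"kind": "spray", "accounts": sorted(per_account)}
                break
            if len(per_account) == 1 and sum(per_account.values()) >= min_attempts:
                findings[src] = {"kind": "brute_force", "accounts": sorted(per_account)}
                break
    return findings


def successes_from_spray_sources(events, findings):
    """A successful login from a spraying source is the account that was
    actually breached and is the highest-priority alert."""
    return sorted({account for _, outcome, account, src in events
                   if outcome == "SUCCESS"
                   and findings.get(src, {}).get("kind") == "spray"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect_spraying(evts)
    print(found)
    print("compromised:", successes_from_spray_sources(evts, found))
```

A per-account lockout threshold alone would never fire on the spraying source here (one failure per account), which is why the detection has to pivot on the source rather than the account.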

Phishing

Phishing is a sophisticated social engineering attack widely used by cybercriminals to create a security breach. Phishing attacks use creative emails to trick users into clicking malicious links that allow them to execute the breach.

Physical vulnerabilities

Unauthorized access to physical facilities or storage is also considered a security breach. Cybercriminals can gain access in one or more ways, including tailgating (following an authorized user into a building) or posing as a person who has a legitimate reason to enter, such as a delivery or repair person.

Social engineering

Social engineering refers to all techniques aimed at talking a person into inadvertently revealing specific information or performing a particular action for illegitimate reasons. Cybercriminals use social engineering as a tactic when planning a security breach.

Perpetrators of social engineering use ploys such as pretending to be someone from the IT department who needs credentials to fix an issue. In other cases, the cybercriminal impersonates an organization to trick or scare someone into sharing information, such as pretending to be someone from the payroll service or a law enforcement agency. Social engineering tactics are carried out over the phone and digitally (e.g., email, text message).

Weak passwords

Weak passwords enable security breaches because unauthorized users can easily guess them.

Despite warnings, users continue to use weak passwords, such as password, pa$$word, 1234, and temp.

Weak passwords allow cybercriminals to execute a security breach effectively as well as potentially compromise data and systems.
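A password policy only helps if it also catches the obfuscated variants users reach for, such as the pa$$word example above. The following is an added example written for this article, not SailPoint's code; the denylist is constructed and deliberately short, and the minimum length is an assumed policy value.

```python
"""Reject trivially guessable passwords, including common obfuscated variants.

Added example; not SailPoint's code. DENYLIST is a constructed stand-in for
a real breached-password list, and MIN_LENGTH is an assumed policy value.
"""

# Undo the character substitutions users commonly apply to a banned word.
LEET = str.maketrans({"$": "s", "@": "a", "!": "i", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})
DENYLIST = {"password", "temp", "1234", "letmein", "welcome", "qwerty"}
MIN_LENGTH = 12


def normalized_forms(pw):
    """Return the candidate forms checked against the denylist: the lower-cased
    password, the same with a trailing year/digits/punctuation stripped, and
    that core with leetspeak substitutions undone."""
    lowered = pw.lower()
    stripped = lowered.rstrip("0123456789!.?")
    core = stripped or lowered          # keep all-digit passwords like 1234 intact
    return {lowered, core, core.translate(LEET)}


def check_password(pw):
    """Return a rejection reason, or None if the password passes the policy."""
    if len(pw) < MIN_LENGTH:
        return "too short"
    if normalized_forms(pw) & DENYLIST:
        return "on denylist"
    return None


if __name__ == "__main__":
    for candidate in ["pa$$word", "Pa$$word2024!!", "correct horse battery"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Both `pa$$word` and `Pa$$word2024!!` are rejected, the first for length and the second because stripping the trailing year and undoing the substitutions reduces it to a denylisted word.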

How to respond to a security breach

A security breach requires nuanced and multi-faceted responses that are dictated by the organization, the type of breach, and the assumed risk. The following are eight general steps to take in response to mitigate risk and prevent damage.

Step 1: Preparation

Preparation is the critical first step in effectively responding to a security breach. Being prepared requires having tools and systems in place to detect a breach as well as policies and plans to address it once identified. Security breach preparation ensures that precious time is not lost when a breach is detected.

Step 2: Identification

Identifying and gathering information about the security incident helps expedite and guide effective responses when a breach is detected.

Step 3: Containment

Once a security breach has been identified, steps must be taken as quickly as possible to contain the threat. Planning, tools, and processes are key at this phase to isolate impacted systems to prevent damage. During the containment phase, it is important to preserve evidence to help with subsequent phases where root causes are identified.

Step 4: Assessment

After the initial security breach has been identified, a comprehensive assessment should be executed to determine if there have been other breaches as part of a broader attack.

Step 5: Remediation

Remediation begins once the security breach has been neutralized. Vulnerabilities that allowed the security breach must be corrected. This includes an assessment to determine if other related vulnerabilities must be addressed. Again, detailed documentation should be recorded to support subsequent phases.

Step 6: Notification

Notification, while unpleasant, is often required to adhere to the terms of regulations. Depending on the scale of the security breach and the type of organization, breach notifications must be provided to employees, customers, partners, and, sometimes, the press.

Step 7: Security audit

During the post-mortem following a security breach, a thorough evaluation of the incident must be conducted to determine its root cause.

Step 8: Updates

In the wake of a security breach, lessons learned should be evaluated and applied to existing processes and procedures. During this phase, a determination should be made if additional security solutions should be acquired and deployed.

Protecting the enterprise from a security breach

Preparation and a proactive defense are the best protections against a security breach. Following these best practices can reduce risk and mitigate potential damage.

  1. Apply security systems and processes to users’ mobile devices.
  2. Close any accounts for which best practices are not actively used.
  3. Conduct cybersecurity awareness training on a regular basis.
  4. Implement multi-factor authentication.
  5. Install updates regularly and patches as quickly as possible.
  6. Prioritize security controls that prevent network penetration.
  7. Require strong passwords, require users to change them periodically, and require a different password for every account.
  8. Use security and vulnerability management tools, such as firewalls, endpoint detection and response (EDR), and antivirus software.

Security breach FAQ

What is the difference between a security breach and a data breach?

Although they are commonly conflated, there is a difference between a security breach and a data breach. A security breach can be equated to a break-in incident: an unauthorized person gains access to private data, systems, services, or networks. A data breach is one of many incidents that can occur after a security breach.

A data breach occurs when a security breach has happened and a cybercriminal accesses data without authorization. A data breach can be followed by several negative outcomes, including data theft, exposure, or damage. A data breach can also result in the data being encrypted and held for ransom.

How does a security breach occur?

There are many ways that a security breach can occur; the most common include the following.

  1. Insider error
    A user might accidentally access sensitive information without authorization or an employee might unintentionally expose a file containing personally identifiable information (PII). Even though the access was unintentional, and data was not publicly exposed, it is considered a security breach.
  2. Malicious insider
    A malicious insider is an authorized user in an organization who uses their privileges to execute unauthorized activities purposely. The result of a malicious insider security breach could be anything from financial gain to the destruction of or damage to data or systems.
  3. Lost or stolen devices
    Most mobile devices, from laptops to smartphones, carry a trove of sensitive information. If they are lost or stolen, and the data they carry is unencrypted, a security breach could occur.
  4. Perpetrated by cybercriminals
    From individuals to crime syndicates, cybercriminals perpetrate security breaches for nefarious purposes. The attack vectors and tactics vary, but the objective is the same: to gain access and execute their criminal plans (e.g., theft, extortion, damage, destruction).

What costs are associated with a security breach?

The cost of a security breach depends on whether it results in a data breach, ransomware, or other criminal incident. Depending on what happens after a security breach, the costs can be in the millions and can include:

  1. Lost customers and acquiring new business
  2. Decrease in share price due to damaged reputation
  3. Financial compensation to individuals whose sensitive information was compromised
  4. Implementation of threat response plans, including data recovery, changes in business and security processes, and forensic analysis and investigation
  5. Legal fees
  6. Penalties for violating regulations and terms of contracts

In the United States, the cost of a data breach is reported to be more than double the average of the rest of the world.

As noted above, the cost of a security breach is not only financial, and impacts can be long-lasting, in some cases so persistent that targeted organizations close.

Simply understanding security breaches is not sufficient

Despite vast knowledge of security breaches, cybercriminals continue to successfully execute them and go on to complete data breaches. While most victims wouldn’t dream of leaving the doors or windows to their businesses unlocked, they regularly leave gaping holes that facilitate security breaches.

Gaining a solid understanding of security breaches is important, but it must be followed with actions to address vulnerabilities and respond to zero-day threats and malicious insiders. Although attack surfaces are expanding exponentially, it is possible to effectively defend organizations from security breaches.

Knowing the potential causes of security breaches helps direct the necessary systems and processes to protect sensitive information. The stakes are high and getting higher as the scale of digitalization puts much of the enterprise’s valuable assets online and under threat in the event of a security breach.
