Visit any news site and you’re bound to see a story about another data breach. Retail, manufacturing, finance, healthcare: no industry is spared. Verizon, Target, Equifax, SolarWinds, some of the largest and best-known companies have been victimized.
According to the Identity Theft Resource Center (ITRC), since 2005, only the full years of 2017, 2021 and 2022 have exceeded the compromises in the first half of 2023. In other words, we’re now experiencing more data breaches in six months than we had previously in most years.
As a consequence, data compromises are on track to set a new record in 2023. The cost of a data breach is getting worse too. According to IBM, the average per-record (per capita) cost of a data breach increased by 10.3 percent from 2020 to 2021. Meanwhile, the average total cost of a healthcare breach increased from $7.13 million in 2020 to $9.23 million in 2021, a 29.5 percent increase.
All of this raises an obvious question. Since every industry and every company already knows it is a target for data thieves, why isn’t data security getting any better?
Causes of Data Breaches
Perhaps we can get an idea by looking at the most common causes of a data breach. On one list we see 1) weak/stolen credentials, 2) application vulnerabilities, 3) malware, 4) malicious insiders and 5) insider error. On another list we see 1) misconfigured software, 2) social engineering, 3) recycled/default passwords, 4) theft of physical devices and 5) software vulnerabilities.
What can we take from these two lists? Two things. First, none of these items should come as a surprise to anyone. It’s not like data thieves are exploiting some unknown attack vector. Everyone knows about them already.
Second, application/software vulnerabilities appear on both lists. They appear on both lists because they happen a lot, because they are hard to get right, and because you can do everything else right in security, but if your software is vulnerable, you’re vulnerable.
Many of the other causes of a data breach can be addressed with improved, or better enforced, policies and procedures. Software vulnerabilities cannot. They require a very specific solution: an ongoing process that includes a good deal of software security expertise.
An Under the Radar Solution
Admittedly, not every company has access to, or can afford, the in-house security expertise required to ensure secure software. But there are options today.
One under-the-radar solution for improving software security is threat modeling. While threat modeling is gaining in popularity, adoption has been slower than hoped for. Perhaps that’s because threat modeling can seem intimidating to those who haven’t done it. But it doesn’t have to be.
Yes, if you had to build a threat model from scratch with no prior experience, that would be intimidating. But you don’t have to. There are threat modeling tools available today, like ThreatModeler, that let users build threat models from vetted threat model templates already proven to work in their prescribed use case.
Using ThreatModeler today, you can have 80% of your threat model done even before you start. So, there are no more excuses for software vulnerabilities making the list of common causes of a data breach. Hopefully, thanks to products like ThreatModeler, software vulnerabilities will no longer make that list in the future.