COMMENTARY

In its latest “Data Breach Investigations Report,” Verizon made the lighthearted, Taylor Swift-inspired quip that it’s “entering its vulnerability era.” Why? Verizon’s new data found that hackers exploited vulnerabilities to initiate breaches at nearly triple the rate since its last report. While this tactic is still less popular than credential-based or phishing attacks, the exploitation of vulnerabilities in software, supply chains, and basic human nature is on the rise and should be a top concern for cybersecurity leaders. When coupled with what Verizon is calling an “error renaissance” — based on seeing approximately five times as many error-related breaches in 2024 as it saw in 2023 — there’s growing urgency for all parties, from software vendors to security teams to end users, to more quickly identify and remediate weaknesses to seal out hackers. If these issues aren’t addressed, organizations will be leaving their doors wide open to bad actors who are increasingly keen on using vulnerabilities to their advantage.

Managing Vulnerabilities: More Critical, Yet More Difficult, Than Ever

Organizations face an uphill battle when it comes to vulnerability management. In large part, this boils down to security risks becoming increasingly diverse — and some more controllable than others. For instance, while security teams work to develop and enforce consistent policies and data protections across all vectors, factors like Shadow IT can undermine these efforts. Looking externally, vulnerabilities introduced by software vendors or third-party partners can also wreak havoc on organizations. As companies’ attack surfaces increase with new platforms and services, there are more places and opportunities for vulnerabilities to arise. To further complicate the matter, once security teams find vulnerabilities, many can’t patch them quickly enough to beat the hackers. Ideally, fewer vulnerabilities would exist in the first place, but until we reach that utopia, data can help leaders understand where best to focus their efforts.

Risks Posed by Software and Partner Ecosystems

The 180% increase in vulnerability exploitation since last year’s “Data Breach Investigations Report” is the proof in the pudding that this tactic is becoming more widespread among threat actors. The MOVEit breach of 2023 shows how ransomware and extortion-related hackers can run wild with zero-day vulnerabilities, in particular. As vendors take action to secure other popular avenues of attack, such as credentials, by implementing features like multifactor authentication and stronger access controls, hackers are being forced to concentrate their efforts elsewhere. These actors know that by dedicating enough resources to researching their targets, in some cases aided by AI tools, they’re likely to find a vulnerability in their target’s software, supply chain, or employee base.

Interestingly, most software vulnerabilities aren’t net-new to us and fall into classes of weaknesses we’ve been aware of for decades. This is cause for optimism, since there’s opportunity to learn from the past and apply it to our future and start proactively designing software to prevent common vulnerabilities from the get-go. Getting more software vendors to join forces with the Cybersecurity and Infrastructure Security Agency (CISA) and prioritize the security of their products will be key to decreasing the number of zero-day exploits in the years to come. But the responsibility of preventing these attacks doesn’t fall only on software vendors; organizations also need to thoroughly vet their technology partners and complete patches to applications in their tech stacks as soon as they become available. 

Another common place that hackers look for vulnerabilities is along companies’ supply chains. This approach often reaps results for threat actors, since many large organizations work with hundreds or thousands of third-party vendors. Managing risks across these expansive ecosystems is a known challenge, and it only takes one attack to cause a ripple effect across the entire interconnected chain. To mitigate supply chain attacks, organizations need to optimize their processes for third-party risk management and establish that their partners’ security is up to par.

Accounting for Human Fallibility

It’s an old saying that humans are the weakest security link. Even if companies verify their technology is secure and thoroughly vet the security stance of their partners, they can’t underestimate the risks associated with employees and human error. In this year’s “Data Breach Investigations Report,” Verizon found that even after excluding cases of malicious privilege misuse, the “human element” was a component of 68% of the breaches analyzed. Breaches involving the human element could be an employee falling for a phishing email or publishing content for the wrong audience, or a host of other miscellaneous errors. But one thing’s clear — human error is up, so organizations need to increase their employees’ vigilance and awareness of threats. This is especially necessary to combat careless errors, such as unsecured laptops left on trains or sensitive emails sent to the incorrect recipient. Leaders across sectors should ensure they have the proper security controls in place to reduce the incidence and consequence of human errors as much as possible.

Steps for More Proactive Security

With vulnerability exploitation and mistakes occurring at alarming rates, security leaders need to foster a culture of proactive and effective error-catching. Steps to do so include, but are not limited to:

As companies’ attack surfaces increase, partner networks widen, and security teams remain stretched thin, vulnerabilities and errors will continue to be a daunting challenge to overcome. However, while the above steps are only the tip of the iceberg, they will go a long way toward preventing vulnerabilities or human missteps from resulting in the next big breach.