How New Cyber Threats and the Human Factor Escalate Breach Risks for Midsize Companies

Data breach risks are soaring. The amount and types of sensitive personal information collected multiply every day: personally identifiable information (PII), protected health information (PHI), biometrics, and information from smart devices and social media, to name a few.

Two categories of risk make it easier for malicious actors to launch cyber-attacks on this data, increasing the likelihood of unauthorized exposure—a data breach. Technological vulnerabilities from sources like artificial intelligence (AI) and the Internet of Things (IoT) generate a never-ending flow of threats. Human and organizational factors must also be considered.  

When it comes to data breaches, mid-market organizations have the same cybersecurity and human risk factors and regulatory requirements as larger enterprises. However, they often lack the funding and in-house expertise to address these risks and compliance obligations as effectively. Without the proper resources at hand, midsized companies in fact face greater breach risks than larger businesses.

To minimize breach risks, midsized companies must understand how both cyber threats and the human factor impact the security of their data and systems:  

Cybersecurity Risk Factors

The rapid rise of artificial intelligence (AI)

AI is everywhere. One survey reports that 77% of companies are using or exploring the use of AI, and 83% say it’s a top priority in their business plans. Indeed, AI has the power to help businesses transform how they work and spur innovation. But it also creates immense privacy and security risks that evolve as AI itself evolves. Some threats include:

• Increase in social engineering and phishing attacks, due to enhanced cybercriminal capabilities from generative AI.

• Malware that can elude traditional security measures. There’s even malware that uses machine learning to change behavior based on its target environment.

• Deepfakes, which are videos, photos, or audio recordings that appear to be real but have been manipulated with AI. Even non-technical bad actors can quickly and cheaply generate convincing deepfake content, which can be used to threaten an organization’s brand, impersonate executives, and launch effective phishing attacks.

• Behavioral tracking and surveillance, which can be used for purposes like marketing and employee monitoring. These uses could have serious privacy and legal implications. 

The plague of ransomware

Cybercriminals are targeting smaller companies—not just enterprises—for ransomware attacks. And they’re paying the highest price for it.

A Sophos study found that even the smallest organizations are regular targets, with 47% hit by ransomware in the last year. The lower and mid-market organization also had the greatest uptick in overall recovery costs, from $885,018 to $2.885 million—a $2 million increase.

Ransomware, a malicious type of software that blocks access to systems and data until the target company pays up, has advanced, creating even greater threats to organizations unprepared for such an attack. 

Double-extortion ransomware uplevels the typical ransomware attack. Malicious actors encrypt sensitive customer or patient data and threaten to publish it on the dark web, sell it, or permanently block access if the ransom payment is not made. 

Another trend, ransomware-as-a-Service (RaaS), makes it easier for less tech-savvy bad actors to launch a ransomware attack, which increases the likelihood of such an attack. The Harvard Business Review notes the many ways developers can franchise their malware, from a simple purchase, as a monthly rental, or splitting the ransom money.

Threats in the cloud

Using cloud storage makes good business sense for midsize organizations; it’s accessible, cost-efficient, convenient, and scalable. It’s no surprise that more than 60% of the world’s corporate data is stored in the cloud—and that cyber attackers are after that data. In fact, more than 80% of data breaches involved data stored in the cloud, according to a 2023 IBM report.

The cloud is noted for security, but misconfiguration can make it an easy target, according to MIT professor Stuart Madnick.  Cloud technology is evolving, and IT teams lack the experience to properly secure data in the cloud. Madnick said hackers are able to access cloud data and services in part because of misconfigurations such as not changing default settings, unrestricted ports, and unsecured backups.

Danger on the edge: the Internet of Things (IoT)

Smart devices, from watches to industrial control systems, are a part of everyday life at home and work. Today, there are more than 24 billion active internet of things (IoT) and operational technology (OT) devices. IoT devices can add business value and reduce complexity and cost for many industries, from manufacturing to healthcare. 

However, they also create significant cyber risks that can lead to a data breach. For example, doctors often remotely monitor patient health with wearable devices, generating massive amounts of data that’s stored, managed, and analyzed in the cloud. 

As we’ve seen, misconfiguration can make the cloud an easy target for cybercriminals. Similarly, IoT devices not properly developed or secured create vulnerabilities that can lead to service disruption, data theft, or data or service manipulation. In the above healthcare example, the cloud and IoT device create double vulnerabilities for hackers to exploit.  

Often, smart devices have weak default passwords and login information, leaving them open to password hacking and brute-forcing—the use of trial-and-error to guess login information or encryption keys, or to find a hidden web page. 

The increased number in IoT devices has also increased the risk of malware and ransomware to exploit these devices. Another risk is a distributed denial of service (DDoS) attack. This occurs when cybercriminals use hijacked devices as an attack base to infect more machines or hide malicious activity. 

IoT devices also increase data privacy risks. They collect, send, store, and process an enormous amount of personal data, which can be shared with or sold to third parties.

Human and Organizational Risk Factors

A deficit of cybersecurity talent

While cyber threats continue to escalate, the pool of cybersecurity talent is shrinking. Globally, there is a shortage of nearly 4 million cybersecurity professionals, with more than 500,000 in the United States alone. 

Factors such as unclear career paths, outdated training, high-cost certifications, and job stress deter people from choosing a cybersecurity career, the World Economic Forum reports. Those who do choose to work in cybersecurity can earn an average starting salary of over $130,000 yearly—potentially too costly for midsized organizations to pay.

Distributed teams

In 2020, the world went remote almost overnight, and working from home became the norm. Even though the pandemic has ended, remote and hybrid work are commonplace. 

A distributed workforce, while more convenient and flexible, increases an organization’s cyber risks. Employees can remotely access company systems and data through the cloud using multiple devices—even personal ones—and via home networks that may be less than secure.

All this creates more access points, which expands the attack surface for cybercriminals and makes network monitoring much more complex. In addition, remote work expands physical security risks, such as leaving a work screen open in a public place.

Distributed data

It’s a business necessity for an organization to share data with third parties, such as suppliers, partners, vendors, and business associates. This can include sensitive personal information like customer payment data and electronic protected health information (ePHI). 

While data sharing is an accepted and necessary practice, companies don’t have control over a third party’s cybersecurity programs—which may not be as robust. In fact, a security vulnerability at a single vendor creates vulnerabilities for all their customers. In Q3 2024, supply-chain attacks increased 203% over the previous quarter.

2023’s MOVEit hack exemplifies the devastating and ongoing risks from a third-party breach. A zero-day vulnerability in Progress Software’s MOVEit managed file transfer app created a breach affecting the sensitive data of millions of people, including the possible theft of insurance and financial information. More than 2,500 organizations were affected, including well-known brands like the BBC, British Airways, Ernst & Young, and Amazon.

Open data across the organization

Employees throughout an organization must have access to sensitive data, such as electronic health records, to do their job. Employees are often a significant source of breach risk. 

Verizon’s 2024 Data Breach Investigations Report found that 68% of breaches involved “a non-malicious human element,” like becoming a victim of a social engineering attack or making a mistake. Social engineering attacks such as phishing emails can lead to business email compromise (BEC), which can lead to financial loss or the unauthorized sharing of sensitive data.

Minimizing Breach Risk amid Cyber Threats and Organizational Realities 

The fast-changing nature of cyber threats combined with the human element can be overwhelming when considering how to minimize breach risks. It requires addressing both sets of risk factors and how they relate.

Pondurance can help. We are the only managed detection response (MDR) cybersecurity service designed from the ground up to minimize data breach risk for mid-market organizations. Our platform provides a complete set of technologies and tools, backed by an always-on concierge security operations center (SOC), for protection before, during and after incidents.

Have a third party, vendor, or business associate adopting AI? Request an MDR demo.

Have a vendor using AI? Get a third-party risk assessment today.