Recent Cybersecurity Breaches: 10 Critical Lessons for Companies

By now, you’ve heard it over and over: Cyber threats are growing more frequent and sophisticated by the day.

Yes, there is no shortage of content warning businesses not to grow complacent about cybersecurity. Yet, while large businesses invest heavily in protecting against attacks, hackers are increasingly pivoting to target small and medium-sized businesses — a neglected and under-reported arena filled with softer targets due to insufficient security measures.

Over 43% of cyber attacks in 2023 were against small businesses, only 14% of which were prepared for such an attack, so this is no small matter.

Cyber threats evolve quickly, especially in the age of AI, which can make hacking tools smarter and more challenging to detect.

That’s why analyzing real-world cybersecurity incidents is invaluable for identifying oversights and potential lapses in your safeguards. After all, if a vulnerability granted cybercriminals access to another company, that same vulnerability could leave your organization exposed, too.

Let’s dive into ten lessons from headline-grabbing cybersecurity breaches that could help your business avoid becoming tomorrow’s front-page story.

What lessons can be learned from the biggest cyberattacks in recent history?

1. Secure Third-Party Supply Chains

Vulnerabilities in trusted partners’ tools or services could provide backdoor access to your systems, as in cases like the breach of Progress Software’s MOVEit file transfer solution.

By compromising the security of vendors, contractors, and suppliers, attackers can access the networks of countless organizations around the world.

Lesson: Assess supplier, vendor, and partner relationships thoroughly, scrutinizing security measures and limiting integration points that grant access to your infrastructure.

  • Continuously audit third parties and ensure you have visibility to their changing risk profiles as you scale reliance.
  • Prioritize partners demonstrating advanced and evolving capabilities to withstand sophisticated attacks targeting them or their clients.

2. Train Staff Against Phishing and Social Engineering

Despite increased awareness of cyber risks and training against threats like phishing, social engineering is an alarmingly pervasive and effective attack vector.

Recent incidents, including the breach of MGM Resorts, which (if the hacking group which claimed credit is to be believed) was enabled by “vishing” or phone call trickery, highlight persisting vulnerabilities to human manipulation.

Lesson: Comprehensive, continuous, and creative approaches to security awareness education are imperative to combat social engineering threats.

  • Exhaustively train staff in scrutinizing communication attempts across channels, identifying subtle manipulation red flags in emails, calls, and even coworker requests.
  • Reinforce clear reporting procedures for suspected phishing, vishing, and suspicious contacts.
  • Understand that technology alone cannot protect against exploits weaponizing human trust and psychology against us.

3. Restrict Access and Least-Privilege Permissions

The ability of hackers to access the personal information of over 37 million T-Mobile customers highlights the perils of improperly managed credentials and excessive access.

Lesson: Reduce risk exposure through stringent access control policies ensuring least-privilege permissions to users across infrastructure, systems, services, and data repositories.

  • Review access levels to sensitive areas regularly and remove outdated clearances no longer required for specific roles and applications.
  • Integrate stringent multi-factor authentication (MFA) requirements across authentication gateways to critical systems, tools, apps, and network segments.
  • Manage, identify, and access governance vigilantly via best practices to keep cybercriminals at bay.

4. Don't Delay Software Updates and Patches

The ransomware attack inflicting over six weeks of severe postal service disruption in the UK by exploiting flaws in the security of Royal Mail, the British mail company, underscores how technical debt and inadequate patch management regimens render organizations vulnerable.

Lesson: Prioritize timely patching and upgrading software assets across the environment, focusing most urgently on internet-facing services and tools exposed to higher risk.

  • Consider automation opportunities to streamline update processes wherever possible.
  • Don’t allow oversights in updates and improvements to provide unnecessary openings for ransomware and malware already addressed by software publishers.

5. Manage the Risks of Remote and Hybrid Work Environments

Distributed, hybrid work magnifies attack surfaces through home networks, remote access paths, and unmanaged devices operating off corporate premises.

Multiple studies have revealed that remote or hybrid work is linked to increased cyber exposure.

Lesson: Implement a zero-trust framework for secure remote work environments, ensuring that employees have least-privilege access to corporate resources regardless of their location.

  • Establish VPN-protected corridors for remote access to internal systems.
  • Enforce device compliance for remote access via mobile device management and endpoint protection software.
  • Institute data loss prevention controls tailored to cloud apps and storage solutions, among remote staff and the need for enhanced security measures in these areas.

6. Lock Down and Monitor the API Attack Surface

While APIs drive efficient automation and connections between crucial business applications, they also increase exposure. The breach of T-Mobile highlights the growing imperative of managing this enlarged attack plane.

Lesson: Comprehensive API security must complement business priorities, leveraging these interconnections through scaled platforms securing authentication, authorization, encryption, activity logging, and continuous scanning against evolving threats.

  • Conduct rigorous testing specific to uncovering API weaknesses.
  • Treat APIs as gateways to your most critical assets, necessitating controls on par with traditional network access.

7. Guard Against Ransomware Spread

Prominent attacks like those launched against Royal Mail and manufacturing giant Clorox demonstrate ransomware’s devastating potential if protections fail to limit blast impact. Infection on one system enables threat actors to achieve widespread encryption and irreparable destruction rapidly.

Lesson: Network microsegmentation, multi-factor authentication protocols for admin roles, and air-gapped offline backups provide fundamentals for reliable business continuity if ransomware hits core infrastructure.

  • Prepare response capabilities to isolate and shut down infected machines automatically.
  • Rehearse crisis scenario management via regular simulations to confirm adequate precautions against worst-case scenarios involving ransomware.

8. Prioritize Early Anomaly Detection in Threat Analytics

T-Mobile’s second data breach of 2023 lasted nearly a month before it was detected. And Royal Mail’s immense disruption downed export services for weeks.

These extended opportunities for adversaries to inflict more significant harm spotlight the severe risks of lengthy dwell and down times.

Lesson: Early detection is vital to rapid recovery.

  • Prioritize continuous analysis via tools like behavioral analytics engines strengthened by machine learning.
  • Shorten incident response through enhanced focus on automation and analytical capabilities on unstructured threat hunting.

9. Maintain Resilience Through Incident Response Plans

While efforts to prevent successful attacks are essential, you should also be prepared for the fallout of a breach. Lacking an incident response plan renders organizations vastly more vulnerable to destructive attacks — not to mention fiduciary and legal liabilities.

Lesson: Develop and continually update detailed response plans encompassing containment procedures, internal and external communications, legal disclosure duties, and more.

  • Conduct simulated breach scenarios to fully exercise and evaluate plans with key stakeholders throughout the enterprise.
  • By preparing for the worst, it’ll make all the difference in managing impacts.

10. Reinforce Human Defenses with Continuous Security Awareness Training

Technical controls inevitably have limits in stopping attacks, especially social engineering threats. This reality emphasized the importance of empowering staff to recognize and resist manipulation.

Lesson: Establish a formal security awareness training regimen tailored to your organization’s activities and risks, molded by insights into current staff vulnerability.

  • Look beyond one-off compliance checkbox requirements and arm personnel with a more profound understanding.
  • Awareness is no longer a once-a-year requirement but an ongoing system, keeping the workforce equipped to repel high-tech and social threats.

What are the next steps for businesses?

The time is now for extreme cyber vigilance.

To begin applying these lessons, prioritize assessing risks and vulnerabilities. Conduct simulations and testing to uncover gaps and dedicate leadership and resources to integrating security across systems and staff.

All businesses of any size should think and act proactively and invest now in improved cybersecurity. By implementing these measures, business owners can safeguard their financial and personal data and keep their businesses running smoothly.

Would you like some help?

If you are a client and would like to book a consultation, call us at +1 (212) 382-3939 or contact us here to set up a time.

If you aren’t a client, why not? We can take care of your accounting, bookkeeping, tax, and CFO needs so that you don’t have to worry about any of them. Interested? Contact us here to set up a no-obligation consultation.

Stay informed

Interested in receiving updates in your mailbox? Check out our newsletter, full of information you can use. It comes out once every two weeks, and you can register for it below.

Found this article helpful? Share it with your network.

Facebook
Twitter
LinkedIn
Email

Stay Updated

Subscribe to Our Newsletter

More Insights

Latest News & Articles

Above & Beyond
Traditional Accounting

Our Offices

Phone: 212-382-3939

New York City
2 West 45th Street, Suite 1208
New York, New York 10036

Westchester
565 Taxter Road, Suite 105,
Elmsford, New York 10523

Subscribe To Our Newsletter

Jeff Coyle, CPA

Jeff Coyle, CPA, Partner of Rosenberg Chesnov, has been with the firm since 2015. He joined the firm after 20 years of business and accounting experience where he learned the value of accurate reporting, using financial information as a basis for good business decisions and the importance of accounting for management.

He is a diligent financial professional, able to manage the details and turn them into relevant business leading information. He has a strong financial background in construction, technology, consulting services and risk management. He also knows what it takes to create organizations having built teams, grown companies and designed processes for financial analysis and reporting.

His business experience includes:

Creating and preparing financial reporting, budgeting and forecasting.
Planning and preparation of GAAP and other basis financial statements.
Providing insight on financial results and providing advice based on those results.

Jeff also has a long history of helping individuals manage their taxes and plan their finances including:

Income tax planning and strategy.
Filing quarterly and annual taxes.
Audit support.
General financial and planning advice.
Prior to joining the firm in 2015, Jeff was in the private sector where he held senior financial and management positions including Controller and Chief Financial Officer. He has experience across industries, including construction, technology and professional services which gives him a deep understanding of business.

Jeff graduated from Montclair State University, he is a CPA and member of the American Institute of Certified Public Accountants, New York State Society of Certified Public Accountants and New Jersey State Society of Public Accountants.

Jody H. Chesnov, CPA

Jody H. Chesnov, CPA, Managing Partner of Rosenberg Chesnov, has been with the firm since 2004.  After a career of public accounting and general management, Jody knows the value of good financials.  Clarity, decision making, and strategy all start with the facts – Jody has been revealing the facts and turning them into good business results for more than three decades.

He takes a pragmatic approach to accounting, finance and business. His work has supported many companies on their path to growth, including helping them find investors, manage scaling and overcome hurdles.  His experience and passion for business reach beyond accounting and he helps businesses focus on what the numbers mean organizationally, operationally and financially.

He has a particular expertise in early-stage growth companies.  His strengths lie in cutting through the noise to come up with useful, out of the box, solutions that support clients in building their businesses and realizing their larger visions.

Prior to joining the firm in 2004, Jody was in the private sector where he held senior financial and management positions including General Manager, Chief Financial Officer and Controller.  He has experience across industries, which gives him a deep understanding of business.

Jody graduated with a BBA in Accounting from Baruch College, he is a CPA and member of the American Institute of Certified Public Accountants and New York State Society of Certified Public Accountants.

In addition to delivering above and beyond accounting results, Jody is a member of the NYSCPA’s Emerging Tech Entrepreneurial Committee (ETEC), Private Equity and Venture Capital Committee and Family Office Committee.  

He is an angel investor through the Westchester Angels, and has served as an advisor for many startup companies and as a mentor through the Founders Institute.

How Can We Help?

Send us a message and we will contact you as soon as possible.