MIT report details new cybersecurity risks | MIT Sloan

Cloud misconfigurations, more sophisticated ransomware, and vendor exploitation attacks are contributing to rising cyberattacks.

Despite rigorous security efforts by all organizations, cybercriminals are still finding new ways to exploit personal and business data. Data breaches increased by nearly 20% in the first nine months of 2023 compared with all of 2022, and ransomware attacks escalated by almost 70% in the same time frame.

In fact, data breaches hit an all-time high in 2023 — a trend fueled by increasing online interactions that put personal data in the crosshairs of criminal activity, according to MIT professor Stuart Madnick.

Organizations aren’t unaware of heightened cybersecurity risks. In fact, cybersecurity has escalated from an IT-level discussion to a C-suite and boardroom issue, with worldwide spending on security and risk management projected to hit $215 billion in 2024, according to research firm Gartner. Yet hackers are finding more creative ways to bypass security measures, motivated by the troves of unencrypted personal data being collected and stored in enterprise systems, said Madnick, the co-founder and co-director of Cybersecurity at MIT Sloan.

Once hackers realize an organization is vulnerable to an attack, they will repeatedly attempt to breach its network, he said. In fact, 95% of organizations surveyed by IBM between March 2022 and March 2023 said they had experienced more than one data breach.

“Most companies are aware of the threat and are doing things to improve security, but the bad guys haven’t stayed still either,” Madnick said. “You have to think beyond what you did for protection last year.”

In a new report, Madnick identifies three primary reasons behind the latest uptick in personal data theft: misconfiguration of cloud environments, the emergence of new and more dangerous types of ransomware, and increased exploitation of vendor systems (an attack vector sometimes referred to as a supply chain breach).

Madnick and his team have identified three scenarios contributing to the recent increases in the frequency and impact of personal data breaches.

More than 80% of data breaches involved data stored in the cloud, according to a 2023 report.

Cloud misconfiguration. Companies have been migrating data and core systems to the cloud in droves, to the point where an estimated 60% of corporate data now resides in the cloud. Yet the technology is still evolving, and many IT organizations don’t have employees experienced in the nuances of the cloud configurations and procedures required to properly secure data. According to the IBM survey, more than 80% of data breaches involved data stored in the cloud. Cloud misconfigurations, such as failure to change default settings, unrestricted ports, and unsecured backups, are just some ways hackers are gaining access to cloud-based data and services, Madnick said.

Organizations can mitigate misconfiguration vulnerabilities by addressing security early in the build cycle of systems, hiring or developing the right talent and skill sets to configure a dynamic cloud environment, and conducting proper audits and monitoring.

The evolving and growing threat of ransomware. Ransomware attacks, where hackers take control of institutional data and demand a ransom in exchange for its return, have become more common and are changing in nature. Historically, companies hit by ransomware faced operational outages and had their corporate data locked up. Today, it’s become standard for bad actors to also steal personal data collected and stored by organizations, and to take aggressive actions such as threatening to leak stolen consumer data on the dark web — essentially adding blackmail to their ransom attacks.

Madnick said that more sophisticated ransomware techniques, including those incorporating artificial intelligence and cooperative efforts by ransomware gangs, are contributing to the rise in ransomware attacks. Ransomware-as-a-service, essentially a “productized” version of malware that’s available to bad actors, is also driving up attacks.

Diligent data backup and restore practices remain important protection tools for corporate data. Organizations also need to monitor for and stop any data exfiltration from internal systems and embrace encryption practices so stored data is not useful to attackers, Madnick said.

Vendor exploitation attacks. All the vendor-provided mission-critical accounting, inventory, and customer management systems used by companies also offer a way into corporate systems (something Madnick refers to as a “side door”). These side doors allow vendors to provide regular updates and patches, but attackers can exploit vulnerabilities in the vendor’s systems to reach customers using those services — a vector known as a supply chain attack.

A single unpatched vulnerability in one vendor’s software allows hackers to gain access to the personal data of many organizations across the globe that use that vendor’s software. In one example cited in Madnick’s report, hackers exploited a vulnerability in the MOVEit managed file transfer software that affected over 2,300 companies in more than 30 countries. As a result, more than 65 million individuals’ data had been compromised as of October 2023.

To avoid or minimize damage from this scenario, Madnick recommends using specialized companies to evaluate the cybersecurity health of any vendor being considered as a partner. It’s also important to take steps to minimize vendors’ side-door capabilities by limiting their access to only what’s required.

Other recommendations for companies from the report include the following:

“There’s very little you can do to guarantee you’re not a victim, but there are a lot of things you can do to be more secure that aren’t being done,” Madnick said.

Read the report: “The Continued Threat to Personal Data — Key Factors Behind the 2023 Increase”
