Is the “Human Factor” in Security Breaches Overblown?
August 24, 2023
If you google “breaches and human error,” you’ll get a seemingly endless list of articles declaring that 82%, 88%, or even 95% of breaches are the result of human error. A recent article in Security Magazine suggests that this may not be the case. The article details a two-year-old VMware vulnerability, CVE-2021-21974. Large-scale ransomware attacks have targeted thousands of VMware ESXi servers worldwide, and many more unpatched servers remain at high risk of exploitation. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) estimates that over 3,200 servers have been compromised globally as a result of this vulnerability.
Although enterprises might be required to disclose a breach publicly if data has been compromised, they are not required to reveal the cause of the breach. Are they electing not to disclose those breaches that result from an unpatched vulnerability? Patrick Tiquet, VP of security and architecture at Keeper Security, said that VMware did share their vulnerabilities and released the update to remediate them nearly two years ago. “It should come as no surprise that threat actors are now taking advantage of known vulnerabilities at organizations that failed to deploy the security patches,” he said. With more than 24 billion sets of stolen credentials available on both the dark web and public web, and more than 26,000 new vulnerabilities discovered in 2022 alone, should we believe that only 10 to 20 percent of all breaches aren’t caused by human error?