Why Do Cyberattacks and Data Breaches Happen, Anyway?

Equifax, Uber, Yahoo, Boeing, Under Armour, MyFitnessPal, Panera, and even US power plants and gas pipelines. Private sector or public sector, big or small, it seems cyberattacks hit anywhere and everywhere. The ever-increasing news about hackers leaking data—your data—just keeps coming and leaves you with one question on your mind:

Why the F&#$ do these cyberattacks keep happening?

It’s not like we don’t know how to prevent cyberattacks—well, for the most part. There are always zero-day exploits, or cyberattacks that exploit a security vulnerability nobody else knows about yet. But once a flaw becomes known, finding a way to at the very least paper it up doesn’t usually take too long.

But we end up leaving ourselves vulnerable, even when we don’t have to, for a few reasons.

Money, Money, Money

“If we command our wealth, we shall be rich and free. If our wealth commands us, we are poor indeed.”

Edmund Burke

Of course, these attacks occur usually out of a desire to make money. Stealing data on a business’s customers nets you a treasure trove of ill-gotten information you can sell for a pretty penny to identity thieves and unscrupulous businesses looking to target new customers of their own who know how they can use that data to make even more money. Love of money is the root of all evil, after all. And that will likely hold true until we evolve into a post-scarcity Star Trek utopia following the atomic horrors of World War III.

But cyberattacks don’t just happen out of a desire to cash in.

They also succeed because people want to make money, or more accurately, hold onto the money they have.

In many cases, IT experts know exactly how to stop most cyberattacks from occurring. The problem is that when they go to their boss (if they’re an internal IT department) or client (if they’re a provider) to talk about what to do, this happens:

  • IT department/provider: “We need to replace this old hardware/buy new equipment/hire more programmers to fix this horrible bug in your system/etc. to keep your organization safe from cyberattacks.”
  • Boss: “Okay. How much does it cost?”
  • IT: “This much.”
  • Boss: “Holy hell, that’s way too much to spend! Forget about it, we’ll just tell everyone to be really, really careful. That should work.”

When you’re an IT professional, you know this conversation by heart because you’ve gone through it probably thousands of times before.

Spoiler alert: You’re right and they’re wrong, but good luck trying to convince them of that.

When Equifax was attacked by cybercriminals in 2017, “they had already been told about the fix… well before the breach even happened. And yet they failed to do so fully in a timely manner.”

One reason these cyberattacks succeed is that they exploit a willingness to cut corners and blow off important upgrades as a cost- and productivity-saving measure. When WannaCry swept through Europe in the summer of 2017, many of the UK’s NHS hospitals were affected because they still relied on computers running Windows XP (which was no longer supported by Microsoft as of 2014), for example. Microsoft actually had to issue an emergency patch for Windows XP—something they’ve never done for an unsupported operating system before.

Many cyber attacks hitting businesses of all sizes happen not because of some smooth criminals taking advantage of a zero-day vulnerability with wizard-like hacking skills, but because people just aren’t trained to avoid opening suspicious email attachments or LinkedIn messages.

Whether you’re big or small, it can seem like it’s just hard to do the bare minimum to protect yourself.

This comes in the form of a lot of excuses that ultimately come down to money.

  • “Replacing equipment will lead to too much downtime and lost revenue.”
  • “Training employees will be too costly and will strain productivity.”
  • “We can’t afford to hire more people.”
  • “We don’t have the budget.”

This isn’t necessarily about greed, although ascribing it all directly to penny-pinching fat cats at the top would do a lot to remove the moral ambiguity from this situation. Many people, especially small business owners and government-run agencies, find themselves caught between a rock and a hard place balancing all of the things their budgets are supposed to cover already—and throwing on additional cybersecurity preparedness and tossing out equipment that should have gotten the boot a decade ago further strains that.

For the biggest businesses, of course, that’s no excuse. A CEO who makes more money in the time it takes for him to poop than one of his workers makes in a week can afford to take the necessary precautions. When you’re a small business owner struggling to get by, on the other hand… things get tough.

But even once you’ve gotten past the money issue, you get into another problem, which is mainly…

Even Smart People Can Be Stupid

“You are the dumbest smart person I’ve ever met.”

Will Smith, “I, Robot” (2002)

Sometimes the top makes bad hiring decisions. Sometimes, as is the case with the oft-quoted “Peter principle,” good workers get promoted to their position of least competence. And sometimes otherwise-smart people just screw up.

When the Equifax breach happened back in 2017, the former CEO, while being grilled by the House Energy and Commerce Committee, claimed that it had been the fault of a single individual in the IT department who had failed to apply the patch to fix the known security issue that led to the breach occurring.

“I don’t think we can pass a law that fixes stupid.”

Rep. Greg Walden (R-Ore.)

The “Peter principle” posits that good workers get promoted to their position of least competence, at which point they are no longer good enough at their job to continue advancing yet not quite terrible enough to be demoted or fired.

But Equifax was a huge corporation. How could one person’s mistake make it all the way through without anyone noticing?

Even one person’s brain-fart can be a serious threat. The Swiss Cheese Model applies here as it does to everything else. The holes are never supposed to line up properly, but when the stars are right and the zodiac is in alignment, something can slip through.

Sometimes bigger isn’t always better. The more people you have monitoring something, the more likely whoever notices something that seems just a little “off” will think to themselves, “Someone else will take care of it, I don’t need to get up out of my desk or send out a concerned little email or anything.” It’s called the “bystander effect,” and it grows stronger the more people there are you think you can pawn off responsibility to. People have many psychological justifications to explain their inaction, ranging from a simple “I don’t care” to “Someone more qualified than me will handle it.”

For some people, it’s “Blame Someone Else Day” every day.

For others, it only happens on the first Friday the Thirteenth of the year. Ultimately, nobody is 100% immune to screwing up. But if you’re lucky, 99% will be good enough… so try for 99%.

Here’s where you can start:

Will Ascenzo
Will is the lead blogger, copywriter, and copy editor for Gillware Data Recovery and Digital Forensics, and a staunch advocate against the abuse of innocent semicolons.