Information Technology and Ethics/Security Breach

The attack surface for information security has risen enormously as each organization's infrastructure has grown significantly over the last decade. Due to this, these firms are unable to safeguard their network despite implementing some of the most cutting-edge security solutions. News headlines announcing many security breaches have become a part of our daily lives. According to a survey done by Accenture, security breaches have increased by 11% in 2018 and 67 percent since 2014.^[1] Many security breaches hit the news, but many more go unnoticed. Various firms process a large number of confidential details such as Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Information (PCI), which has always been vulnerable to cyberattacks owing to its intrinsic value. No firm, large or small, will be immune to a data security incident as our reliance on information and interconnection grows. It is a question of "when," not "if." This chapter examines many case studies of security breaches that have occurred in corporations, outlining some of the reasons why a breach happens, the consequences of a breach, and some recommendations for preventing such instances.

What is a Security Breach?Edit

It is crucial to understand what a security breach is before moving on to the rest of this chapter. Any occurrence that leads to unauthorized access to computer data, applications, networks, or devices is referred to as a security breach. It results in information being accessed without authorization and usually happens when an intruder is able to bypass security measures. The majority of data breaches reveal sensitive information such as credit card numbers, trade secrets, and other proprietary details.^[2] According to recent research issued by Risk Based Security, in the first half of 2021, there were 1,767 publicly acknowledged data breaches, exposing 18.8 billion PII details.^[3] Data breaches are becoming increasingly common as more data is gathered and collected

Causes of Security BreachesEdit

A data breach is commonly assumed to be the result of an external hacker. However, this is not necessarily the case. Intentional assaults can sometimes be traced back to the causes of data breaches. However, because humans are one of the weakest links in the realm of security, it can just as easily originate from a simple mistake by an individual or vulnerabilities in a company's infrastructure. Financial gain (the attacker's objective is to generate money from the stolen data by selling it on the dark web or even demanding ransom by holding the victim's computer hostage), stealing trade secrets or military information, and hacktivism (to make a political statement) are some of the reasons malicious actors breach secure networks.

The following are some causes of security breach that are regularly exploited by malicious attackers in the wild,

Lack of awareness and poor habitsEdit

Lack of knowledge and training is one of the critical reasons for security breaches. Due to a lack of knowledge and ignorance of the newest cyber trend, previous cyberattacks, or attacker strategies, most workers are ignorant of their role in defending the corporate network, exposing them to security events. People's actions such as using a weak password for accessing organization resources, not locking access to laptops and computers when they leave their desk, not following clear desk policy, using vulnerable software, and misplacing organization assets can often result in security breaches because they are unaware of the security policies in place and the necessity to follow them. Such situations may be effectively avoided by notifying each employee of the measures that must be taken to keep the organization safe and by giving appropriate security training and monitoring the results.^[4]

Disposal of the E-wastesEdit

As critical data handled by a business is typically housed on storage devices/servers and accessible by employees for their everyday activities, the security of such data should always be a top priority for each individual. Employees frequently discard printed confidential material without following appropriate techniques like shredding, which can have severe ramifications for the organization if retrieved by a threat actor. In addition, companies are discarding a large number of servers and hard drives without following proper procedures as they upgrade their infrastructure to deliver better services. Such casualties can lead to a data breach as an attacker can easily retrieve data from these hard drives and servers for personal benefit. In order to ensure that no data is present in the memory of the computational devices that are about to be discarded, appropriate techniques like data erase or degaussing must be utilized.

Server MisconfigurationEdit

While the consequences of security misconfiguration are numerous, they are generally overlooked by phishing, ransomware, malware, and other common security flaws exploited by threat actors. Misconfiguration occurs when a system or database administrator or developer fails to correctly setup an application's, website's, desktop's, or server's security architecture, resulting in dangerous open paths for hackers. Instead of default configurations, it is highly recommended that each computing equipment in the organization's network be configured according to the baseline defined by the corporate regulations as misconfigurations can lead to a massive data breach and result in financial repercussions, such as a temporary loss of business, lost customers due to lack of trust (and thus, lost revenue), and could lead to penalties through litigation and possible regulatory fines.

Remote WorkEdit

Due to the recent pandemic, many firms have adopted the Work-From-Home culture and have implemented different technologies within their network to allow remote work. To prevent these new technologies from increasing the organization's attack surface, it must be assured that access to organizational resources is continuously monitored and allowed only to company-issued assets. In addition, all the devices accessing the company's resources over the internet must be compliant with the organization's policies and regularly patched. Finally, any employee accessing the organization's internal network and resources must use secure technology like VPN to make this communication safe.

Impact of Security BreachesEdit

A data breach has the potential to devastate a company entirely. This is particularly problematic for small and medium-sized companies (SMBs), as more than half of them will close within six months of the assault. While bigger businesses and government institutions are unlikely to be forced to close their doors, they will also face significant implications. The impact of a security breach varies based on the affected business, the industry, and the type of breach that occurred.^[4] However, there are some common impacts that these businesses experience, such as monetary loss and reputation damage. Financial expenses amount to $4.24 million on average, according to the Ponemon Institute and IBM, with lost business accounting for 38% of the total. ^[5]In addition, after a data breach, a company's reputation suffers, as customers prefer to do business with organizations they can trust for securing their personal information.

Some of the expected consequences of a security breach are,

Financial LossEdit

A data breach's financial effect is undoubtedly one of the most immediate and severe outcomes that victim businesses must cope with. Compensation for impacted consumers, incident response activities, investigation of the breach, investment in new security measures, legal expenses, and fines for non-compliance can all add up to a significant amount of money. In addition, a data breach may potentially have a significant influence on the stock price and valuation of a firm. According to a recent report by the Ponemon Institute, the global average cost of a data breach has increased by 12% in the last five years to £3.2 million.^[5]

Reputational DamageEdit

The most damaging and horrific consequence of a security compromise is the loss of consumers' and the loss of stakeholders' confidence. Reputational damage leads to a loss of customers and, in turn, a decrease in sales. The negative press coupled with a loss in consumer trust can cause irreparable damage to the breached company. Moreover, the reputational repercussions of a data breach can last much longer than the short-term fine, causing long-term damage due to customers' loss of trust and loss of potential future business opportunities with different investors, as the vast majority of people would not do business with a company that had been breached, especially if it failed to protect its customers' data.

Operational DowntimeEdit

In the aftermath of a data breach, business activities are frequently affected. First, companies must control the breach and thoroughly investigate how it happened and what systems were accessed. It is possible that operations will have to be shut down altogether until investigators have all the information they need. Depending on the severity of the breach, this procedure might take days or even weeks. This can have a significant impact on revenue and the capacity of a company to recover. The average cost of a network outage, according to Gartner, is roughly $5,600 per minute. This works up to almost $300,000 every hour. This will undoubtedly vary depending on the size of the organization and the sector in question, but it will definitely have a disastrous effect on corporate efficiency.^[6]

Legal ActionEdit

Organizations are legally required to demonstrate that they have taken all necessary precautions to secure personal data under data protection regulations. In addition, individuals might initiate legal action to demand compensation if their data is compromised, whether intentionally or unintentionally. In the United States, class action lawsuits have risen dramatically as victims seek monetary recompense for their data loss. As the frequency and severity of breaches continue to rise, we can expect to see more of these group cases being brought to court.^[7]

Loss of Sensitive DataEdit

The implications of a data breach that results in the loss of sensitive personal data may be disastrous. Personal data includes anything from a name to an email address, IP address, and photos that may be used to directly or indirectly identify an individual. It also includes sensitive personal information, such as biometric or genetic information, that might be used to identify a person. Biometric information is also vital to fraudsters, and it is worth far more than credit card numbers and email addresses. Breaches that reveal sensitive data can have severe consequences that far outweigh any financial or reputational harm.^[4]

Below the Surface CostEdit

In addition to the monetary costs of incident response, there are several intangible costs that may wreak havoc on a company long after the event has passed. For example, the impact of operational interruption is sometimes underestimated – particularly among businesses that lack formal business resilience and continuity plans – and small businesses that already struggle to manage cash flow may suffer catastrophic increases in insurance premiums or higher borrowing rates after such incidents.^[7]

Attack Vectors for Security BreachEdit

What is an attack vector?Edit

An attack vector is a technique for gaining unwanted network access to conduct a cyberattack in cybersecurity. Cybercriminals can use attack vectors to acquire sensitive data, personally identifiable information (PII), and other valuable information following a data breach by exploiting system flaws.^[8] As hackers seek unpatched vulnerabilities posted on CVE and the dark web, the number of cyber risks is on the rise, and no one solution can protect against every attack vector. In addition, as cybercriminals are becoming more adept, antivirus software alone is no longer sufficient, and so to reduce cybersecurity risk, businesses must use defense-in-depth strategies.

Common Types of Attack VectorsEdit

Some of the most widely used attack vectors to successfully breach a secure network are,

Compromised CredentialsEdit

Usernames and passwords remain the most frequent sort of access credential, and they continue to be exposed as a result of data breaches, phishing frauds, and malware. Credentials offer attackers unrestricted access if they are lost, stolen, or revealed. This is why businesses constantly invest in systems to check for data breaches and credentials leaks. Password managers, two-factor authentication, and biometrics can help to limit the chance of credentials being leaked and causing a security breach.^[9]

Weak CredentialsEdit

Predisposition to choose convenience over security has long been recognized, and even suppliers are guilty of it. Another primary concern and a typical symptom in firms that implement password complexity requirements is password reuse. Users are more inclined to repeat a single complicated password since they are pushed to remember increasingly complex passwords for various apps. This exposes the company to a credential stuffing attack. ‍Weak passwords and reused passwords mean one data breach can result in many more. To achieve comprehensive security from such attack vectors, reasonable efforts should be made to teach the company how to construct a safe password. In addition, security solutions such as a password manager or a single sign-on tool should be deployed.^[9]

Malicious InsidersEdit

A malicious insider threat to an organization is defined as a current or former employee, contractor, or another business partner who has or had authorized access to an organization's network, system, or data and has intentionally exceeded or misused that access for personal gain in a way that compromises the confidentiality, integrity, or availability of the organization's information or information systems.

RansomwareEdit

Ransomware is malicious software that blocks access to a computer system or data until a ransom is paid. Phishing emails, malvertising, accessing infected websites, and exploiting vulnerabilities are all ways through which ransomware propagates. Data leaks, intellectual property theft, and data breaches are the consequences of ransomware attacks. To reduce the effect of ransomware attacks, make sure that all systems and endpoints are patched regularly, and that critical data is backed up on a daily basis.^[9]

PhishingEdit

Phishing is a type of cyber fraud that uses fraudulent emails or other electronic communications to persuade victims to part with anything of value, such as money or personal information. Phishing is most commonly carried out using email messages sent from a device such as a laptop or a tablet, in which the attacker poses as someone the receiver trusts. In whatever shape it takes, phishing may have a severe security impact. Phishing attacks have evolved to the point that they now often transparently mirror the site being attacked, allowing the attacker to watch everything the victim does while exploring the site and cross any extra security barriers alongside the victim.

Missing or Poor EncryptionEdit

Data encryption converts data into a format that can only be viewed by persons who have access to a secret key or password. Data encryption ensures the security of digital data as it is stored on computer systems and delivered across the internet or other computer networks. Strong encryption should be used for data at rest, in transit, and, if appropriate, in processing. Due to a lack of or insufficient encryption, sensitive data such as credentials is transferred in plaintext or via weak cryptographic ciphers or protocols. This means that an adversary eavesdropping on data storage, transmission, or processing might get access to sensitive information by breaking poor encryption with brute-force methods. To mitigate the effect of such an attack vector, adequate encryption mechanisms must be used, with sensitive data encrypted at rest, in transit, and during processing.^[9]

Target Security Breach - 2013Edit

It was reported that more than 40 million customers had their debit or credit cards compromised by a security breach. The breach originated with a small outside contractor, Fazio Mechanical in Pennsylvania. Fazio, who worked with Target, suffered a breach via malware. Once Fazio’s system was compromised, their VPN (virtual private network) access to Target was in turn compromised. After the breach was exposed, Target hired Verizon to run penetration testing to find weaknesses and vulnerabilities within the system. The initial report showed that the penetration testers were able to obtain a staggering 86% of Target employee and administrator passwords, allowing access to various internal networks. They also found that many systems and services were either outdated or did not have up-to-date security patches. Upon Verizon’s follow-up months later, it was reported that Target had fixed most of the issues and had even taken some proactive steps to further protect their customers.^[10] Target later settled for $18.5 million in a lawsuit that was filed by 47 states and the District of Columbia.^[11] It's interesting to note that Target had no Chief Information Security Officer (CISO) prior to the breach, and that the CEO and CIO lost their jobs as a result of this breach^[12].

Yahoo Security Breach - 2013 - 2017Edit

In September 2016 negotiations were underway for Verizon to purchase Yahoo. During negotiations, Yahoo disclosed that they had been hit with a huge data breach of 500 million registered users in late 2014 by Russian hackers. Even though their information was protected using the ‘bcrypt algorithm’, user’s names, emails, birth dates and phone numbers were all compromised. In December 2016, Yahoo reported that in 2013, a different group of hackers stole data from 1 billion Yahoo registered users. Later in October 2017, Yahoo obtained new information and updated the earlier figure of 1 million users compromised to a staggering 3 billion compromised registered users making the this the largest data breach in history as of 2019. Since disclosing the final breach estimate, Yahoo lost $350 million dollars from Verizon purchase, was fined by the Security and Exchange Commission for $35 million dollars, and, in March 2018, paid out an $80 million dollar class action settlement ^[13].

Home Depot Security Breach - 2014Edit

Shortly after the Target Breach, Home Depot had a breach of their own. It was carried out in a very similar fashion. The attackers gained access to the systems via third-party accounts and were able to install malware directly onto the point-of-sale systems. The attackers collected 56 million debit and credit cards, but they also reportedly collected 53 million email addresses as part of this breach. Many of the same findings from the Target breach were also found during the Home Depot breach. It is estimated that the Home Depot breach lasted nearly five months. The Target breach could have prevented this breach if Home Depot had taken the necessary steps to correct the issues found at Target in their own systems. Home Depot later settled a $27.25 million lawsuit with financial institutions for the loss caused by this breach.^[14]

Adult Friend Finder Security Breach - 2016Edit

On October 18, 2016, an anonymous Twitter user, 1x0123, reached out to the FriendFinder Networks Inc, the company which owns popular adult content websites such as ‘AdultFriendFinder’, ‘Cams.com’, or ‘Stripshow.com’, to warn them of a Local File Inclusion (LFI) vulnerability in their server system. Days later it was reported that the FriendFinder Network’s databases had been compromised with more than 100 million accounts breached. However, this was an early estimate with the final count, reported by LeakSource, amounting to 412 million users that had their credentials and private information stolen. It was later found out the majority of the personal information and passwords stored were protected with a weak SHA1 hashing algorithm. This meant that 99 percent of the passwords were cracked even before LeakSource reported the final breach count. The FriendFinder company had been notifying users of the breach and advocates that users should reset and change their passwords ^[15].  

Equifax Security Breach - 2017Edit

The Equifax breach is arguably one of the worst security breaches in the United States history because the type of information that was compromised was highly sensitive and could lead to identity theft. There were nearly 148 million people affected. The majority of people affected had their names, social security numbers, addresses, and birth dates stolen. A much smaller portion of people only had minimally exposed driver’s license numbers. In this case, a vulnerability in a website application allowed the attackers access to the files containing the sensitive data. The former Equifax CEO, Richard Smith, blamed the entire breach on one former employee.^[16][17] Richard Smith stepped down immediately following the breach. In the wake of the breach, free credit monitoring was offered to those affected. It is unclear at this time what the actual damage of this breach will cost.^[18] Although some critics do not believe it was necessarily a factor in the breach^[19][20], many questioned the fact the Chief Security Officer at Equifax, Susan Mauldin, held two degrees in music and no documented education or certifications related to technology or security^[21].

Google Security Breach - 2018Edit

In December 2018, Google announced that approximately 52 million personal information including users’ name, their email addresses, age, and so on, was at risk of data disclosure due to a security bug. The bug affected users that are related to Google+. Google+ apps users could access public information of their friends, but this bug allowed users to access information that they didn’t register as public information. According to Google, it discovered the bug while conducting standard tests and fixed the bug within one week. Although Google had planned to shut down Google+ service for the consumer in August 2019 because of low usage and discovery of similar security bug in March, it has decided to shut down the service in April 2019 after the incident. ^[22]

Marriott Starwood hotel security breach - 2018Edit

In December 2018, Marriott hotel announced that its reservation database had been compromised and personal information of guests had been stolen from the database due to unauthorized access. It was estimated that hackers had exposed approximately 500 million guests’ information. For 65% of the victims, the stolen information included their passport number and itinerary in addition to their name and address. Some guests also had been stolen credit card number and expiration date. After Marriott had recognized the incident by a security tool, they had asked security experts to investigate it. The investigation team found that the unauthorized access had been carried out since 2014, but it took four years for Marriott to notice the security issue.^[23]

Facebook security breach - 2018Edit

In September 2018, Facebook announced a security breach in which approximately 50 million user accounts were accessed by unknown attackers. According to Facebook company, the hackers had exploited the vulnerability that affected its "View As" function, which users can confirm their profiles that was seen by someone else. Attackers had stolen "access tokens, which are digital keys to keep users logged in. Facebook mentioned that possession of those tokens would allow attackers to take control of user accounts. And also, hackers can access other websites using the Facebook account for logging in.^[24]

SolarWinds Breach - 2020Edit

The American cyber-security group FireEye initially found a comprehensive compromise of private-sector and government networks in late 2020. The hacking of software offered by the US information-technology company SolarWinds appears to be a primary vector for the intrusion. It was reported that about 18,000 out of their 33,000 clients downloaded the malicious update software embedded in their supply chain.^[25] The malicious software employed is known as SUNBURST. SUNBURST can be dormant and unnoticeable while not in use, but when enabled, it allows bad actors access into your network without the proper authorization. Allowing threat actors the time and resources they need to create further persistence.^[26]

Ronin Bridge Breach - 2022Edit

On March 23rd, Ronin, a bridge connected to the popular play-to-earn game Axie Infinity, was exploited for about 173,000 Ether. A sum worth a whopping $600 million at the time. The issue targeted Sky Mavis's Ronin validator nodes and the Axie DAO. According to the developers of the Ronin blockchain, the attacker used stolen private keys to fake a total of 2 transactions. By pretending to be authorized users with those stolen keys, the attacker's coils then sign for those transactions. This dates back to November 2021, when Sky Mavis asked the Axie DAO for assistance in distributing free transactions owing to a high user load. The Axie DAO authorized sky Mavis to sign numerous transactions on its behalf. This was ended in December 2021, although access to the allowlist was not removed.^[27]

Today, these hacks have been tied to the Lazarus Group, A nation-state hacker group sponsored by North Korea.^[28] Any wallet linked to those attacks has since been blocked by several cryptocurrency services.

Today, personal data is everywhere, especially on the internet. Whether signing up for a webstore, social media platform, online medicine, or countless other applications, we give our personal data to companies on the internet. We give many platforms our name, email address, sometimes home address, date of birth, and more. This information is then stored on the platform servers. But perhaps most importantly, we agree to the platform Terms of Service (ToS) and Privacy Policy, often without actually reading them. These documents typically include information such as what data about you is collected, how the company will use that data, and to whom they might sell that data.

   This begs the question: why would someone want to buy this data? The answer is simple: advertisements. Big companies like Google, Facebook (now Meta), Amazon, and others will buy large amounts of user data in order to build an advertising profile. This profile can contain information about you such as your religion, political beliefs, relationship status, gender, and much much more in order to send you ads that the algorithms think you might want to click on^[29]. Companies will pay more to advertising platforms if they think they are more likely to get a click. This entire process is completely legal, as you agreed to it when signing up for the platform by agreeing to the ToS and Privacy Policy. The problem is that most people don’t read these documents before agreeing to them, often because they are long, complicated, and filled with legal jargon that is hard to understand. This is not inherently a bad process, however, as better targeted ads may be useful to some. Perhaps they were looking at reviews for a new car, then suddenly they start getting ads for new cars and they find one they want.

   There have been many unsubstantiated claims that companies like Facebook use your phone microphones to listen in on your conversations to tailor ads, but none of these claims have been proven, and Facebook strongly denies them^[30]. Were Facebook to do this, there would certainly be ethical (and possibly legal) implications, as companies would be listening in on conversations you believed to be private. But as far as we can tell, this is not the case. However, while the legality of the practice of collecting and selling personal data is quite clear, the ethicality is questionable. It is widely known among more tech-savvy users that most websites collect at least some data, even when just browsing without logging in. This is done through the use of computer cookies. Cookies are “small files used by companies to collect information about Internet users”^[31]. On most websites today, there will be a popup or banner asking you to agree to the use of cookies on the website, largely due to the GDPR’s “Right to be Informed” clause^[32]. By presenting this banner and the user agreeing to the use of cookies, data about the user’s browsing habits may be sent to advertisers without the user really knowing that any data is being sent or where it is being sent. Now the problem is that the user has no idea who has their data. This problem becomes even worse in the event of a data breach. For example, if we take the 2018 Google security breach in which the personal data of over 50 million users was exposed, now anyone at all could have that personal data, not just the companies it was sold to. This is where the real ethical problems with data collection become evident. Should we continue to trust these websites with our personal data? Do we even have a choice?

There are many ways that a cybercriminal can get your personal information online, however there are some methods that you can use to prevent your personal data from being compromised. The article, Identity Theft Protection: 10 Ways To Secure Your Personal Data by R.L. Adams mentions a simple solution that is to not use a public wifi hotspot.^[18] Usually any site that is browsed while using a public hotspot is vulnerable to being attacked. This may be done by simply creating a free wifi hotspot in a local area. Users may believe that this is a secure free hotspot and access it. Once the user is in the hacker’s hotspot, they are able to use cookies to grab usernames, passwords, and sites visited. The article, Why Super Bowl Is a Gold Mine for Mobile-Device Hackers by Chris Preimesberger states that, “Free WiFi networks are by far the most troublesome attack surface for both network-based and malware attacks. On average, Sharabani said, Skycure identifies a potential threat in 10.1 percent of all networks.”^[33] So, if one must use the web outside of a protected wifi then they have to try using their own cellular data or to be safe it may be best to wait to use the internet.

If opting to work in a public area rather than a corporate office, a user should also make good use of a VPN to protect against breaches. A good VPN should have access to multiple servers worldwide. Using the VPN allows for a user's data to be protected and their digital footprint to be hidden.^[34] A VPN is useful in allowing a user's data to be encrypted while using the internet. This prevents snooping online and re-routes users' IP to make their location secure and invisible.^[35] This prevents eavesdropping on a user's device.

Another way to protect your personal information from being hacked online is to use different strong and secure passwords for different sites. Since many people use the same password for all the sites they visit, this solution may be difficult for some users. However, this may be the simplest solution to prevent hackers from stealing all of our personal information. Imagine that you only use one password for every site that you browse, if a hacker gets a hold of that password and your username, the hacker would then have access to all of your accounts. By using different passwords you are able to prevent attackers from accessing your personal information. Another best practice is to change the password every 3 months. Also, the composition of the password is very important. Avoid using simple passwords or passwords that involve your personal life. Complex passwords may be hard to remember but are great at keeping your personal information secure. A complex password includes characters, letters, numbers, and symbols. A complex password should also include a minimum of 12 characters.^[36] However, longer isn't always better. It's essential to have a long password; however, the password shouldn't be too long that the user has to write it down to remember it. Writing down the password and leaving it in an unsecured place defeats the purpose of creating a complex password.

In addition to creating a complex password, multi-factor authentication should also be employed for their sites. Therefore, once a user logs in with their traditional credentials, they are prompted to input a set PIN or approve the login attempt on their mobile device.^[37] If opting to use multi-factor authentication with a PIN, the PIN must be unique and hard to guess, just like the password. PIN uniqueness includes not using a PIN containing personal data such as a birthday or social security number digits. A PIN mustn't have consecutive or repetitive values.^[38] PIN uniqueness makes it harder for an attacker to guess the password, assisting in protection against security breaches. In addition, the employment of MFA can be helpful as if a user gets a suspicious login prompt from their mobile device, they can decline the attempt, preventing the attacker from gaining access. This significantly can help in protecting against data breaches.

Other ways to protect your information is by updating your software. Operating systems and applications usually come out with updates to their software frequently. This is done to fix bugs, vulnerabilities to their software, and for other reasons. In order to actually have your software safe, you simply have to keep up to date with the software updates. The article, Keep your PC from being hacked by Nick Mediati mentions that unexpected email attachments should be distrusted and should not be downloaded. She also recommends to upgrade to the latest antivirus software, to prevent hackers from getting access to sensitive information.^[39] The article also mentions that installing a link-checker plug-in tool like AVG, Norton, and McAfee, all have free software tools to check for malicious websites when browsing the web. Although, these are some ways to prevent cyber criminals from getting our personal information, one cannot truly be safe online from hackers, especially if our information is in the hands of a company. All we can do is be aware of sites that are not secure and take precautionary measures.

Attackers have shifted their attacks from directly attacking the computer system to focusing on exploiting the human vulnerabilities in the system. Humans are referred to as the weakest link in the security system due to their misunderstandings, cognitive and social biases, being able to be tricked easily, and being prone to misconfiguring their system.^[40] Therefore, another way to protect against security breaches is to provide user training on proper internet usage. This training should teach the users signals that their device could potentially be breached, how to respond if they think they're receiving a phishing attempt, and why they should avoid clicking on suspicious links. The user training should also encompass all of the sections above, including creating proper passwords, updating your software and its importance, why one shouldn't connect to public Wi-Fi, and how to use a VPN. With technology being a continuously evolving sector, the training should be yearly so users can be aware of all the new changes in technology. Users being more educated are less likely to make mistakes, decreasing the probability of a security breach.

1. ↑ Accenture. (2019). Accenture 2019 Cost of Cybercrime Study. Retrieved from https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf
2. ↑ Kaspersky. (2021, July 12). What is a security breach?. Retrieved from[1]
3. ↑ RiskBased Security. (2021). 2021 Mid Year Report Data Breach QuickView. Retrieved from [2]
4. ↑ ^{a b c} Strawbridge, G. (2020, February 28). 5 Damaging Consequences Of A Data Breach. Retrieved from [3]
5. ↑ ^{a b} IBM. (2022, April). Cost of a Data Breach Report. Retrieved from [4]
6. ↑ Lerner, A. (2014, July 16). The Cost of Downtime. Retrieved from [5]
7. ↑ ^{a b} As, S. (2021, December 10). The Consequences of a Cyber Security Breach. Retrieved from [6]
8. ↑ UpGuard. (2022). What is an Attack Vector? 16 Common Attack Vectors in 2022. Retrieved from [7]
9. ↑ ^{a b c d} Balbix. (2022, April 20). 8 Common Cyber Attack Vectors and How to Avoid Them. Retrieved from [8]
10. ↑ Krebs, B. (n.d.). Krebs on Security. Retrieved from [9]
11. ↑ McCoy, K. (2017, May 23). Target to pay $18.5M for 2013 data breach that affected 41 million consumers. Retrieved from https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/
12. ↑ [10]
13. ↑ McAndrew, Edward J. (2018). “The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far).” In natlawreview.com. Retrieved on April 29, 2019.
14. ↑ Schwartz, M. J. (n.d.). Analysis: Home Depot Breach Details. Retrieved from [11]
15. ↑ Ragan, Steve. (2016). “412 Million FriendFinder Accounts Exposed by Hackers.” In csoonline.com. Retrieved on April 29, 2019.
16. ↑ Clements, N. (2018, March 06). Equifax's Enormous Data Breach Just Got Even Bigger. Retrieved from [12]
17. ↑ Gressin, S. (2018, March 13). The Equifax Data Breach: What to Do. Retrieved from https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
18. ↑ ^{a b} Adams, R. L. (2017, May 5). Identity theft protection: 10 ways to secure your personal data. Retrieved April 19, 2018, from Forbes website: https://www.forbes.com/sites/robertadams/2017/05/05/identity-theft-protection-10-ways-to-secure-your-personal-data/#55cc87f62fde
19. ↑ https://www.thesslstore.com/blog/equifaxs-cso-music-major-college/
20. ↑ http://www.chicagonow.com/listing-beyond-forty/2017/09/equifax-cso-music-degree/
21. ↑ https://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15
22. ↑ David Thacker. (2018, December 18). Expediting changes to Google+. Retrieved from https://www.blog.google/technology/safety-security/expediting-changes-google-plus/
23. ↑ Jordan Valinsky. (2018, November 30). Marriott reveals data breach of 500 million Starwood guests. Retrieved from https://www.cnn.com/2018/11/30/tech/marriott-hotels-hacked/index.html
24. ↑ Guy Rosen. (2018, September 28). Security Update. Retrieved from https://newsroom.fb.com/news/2018/09/security-update/
25. ↑ Willett, M. (2021). Lessons of the Solarwinds hack. Survival, 63(2), 7–26. https://doi.org/10.1080/00396338.2021.1906001
26. ↑ [13] Wolff, E. D., Growley, K. M., Lerner, M. O., Welling, M. B., Gruden, M. G., & Canter, J. (2021, March 21). Navigating the solarwinds supply chain attack. Crowell. Retrieved April 23, 2022, from https://m.crowell.com/files/20210325-Navigating-the-SolarWinds-Supply-Chain-Attack%20.pdf]
27. ↑ Ronin. (2022, March 29). Community alert: Ronin validators compromised. Community Alert: Ronin Validators Compromised. Retrieved April 23, 2022, from https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w
28. ↑ Toti, B. (2022, April 23). US sanctions more addresses linked to Axie Infinity Hack. Coin Journal. Retrieved April 23, 2022, from https://coinjournal.net/news/us-treasury-links-three-more-ethereum-wallets-to-the-625m-ronin-hack/
29. ↑ Richards, Neil M. and King, Jonathan, Big Data Ethics (May 19, 2014). Wake Forest Law Review, 2014, Available at SSRN: https://ssrn.com/abstract=2384174
30. ↑ Keach, S. (2020, January 17). Facebook probably isn't spying on You through your microphone. The Sun. Retrieved April 23, 2022, from https://www.thesun.co.uk/tech/7497249/facebook-listening-to-you-microphone-ads/
31. ↑ Hormozi, A. M. (2005). Cookies and privacy. EDPACS, 32(9), 1–13. https://doi.org/10.1201/1079/45030.32.9.20050301/86855.1
32. ↑ Right to be informed. General Data Protection Regulation (GDPR). (2020, July 14). Retrieved April 23, 2022, from https://gdpr-info.eu/issues/right-to-be-informed/
33. ↑ Preimesberger, C. (2015). Why Super Bowl Is a Gold Mine for Mobile-Device Hackers. Eweek, 1.
34. ↑ Augusta Free Press. (2022, April 21). 10 safety rules that you should follow to protect yourself online. Retrieved April 24, 2022, from https://augustafreepress.com/10-safety-rules-that-you-should-follow-to-protect-yourself-online/
35. ↑ Johnson, M. (2021, January 29). Will a VPN Protect Me From a Data Breach? Latest Hacking News. Retrieved April 24, 2022, from https://latesthackingnews.com/2021/01/29/will-a-vpn-protect-me-from-a-data-breach/
36. ↑ Hendren, L. (2022, April 15). Data breaches are on track to hit another record. Here’s how to protect yourself. WTSP. Retrieved April 24, 2022, from https://www.wtsp.com/article/tech/how-to-protect-myself-data-breach/67-ae61504a-2bea-49ad-8bea-ade76a2e27ff
37. ↑ Jensen, K., Tazi, F., & Das, S. (2021). Multi-Factor Authentication Application Assessment: Risk Assessment of Expert-Recommended MFA Mobile Applications. Proceeding of the Who Are You.
38. ↑ Mtaho, A. B. (2015). Improving Mobile Money Security with Two-Factor Authentication. International Journal of Computer Applications, 109(7), 9–15. https://doi.org/10.5120/19198-0826
39. ↑ Mediati, N. (2011). KEEP YOUR PC FROM BEING HACKED. Pcworld, 29(9), 63.
40. ↑ Hong, J., & Linden, G. (2012). Protecting against data breaches; living with mistakes. Communications of the ACM, 55(6), 10–11. https://doi.org/10.1145/2184319.2184322