
IT Security

IT security, which is short for information technology security, is the practice of protecting an organization’s IT assets—computer systems, networks, digital devices, data—from unauthorized access, data breaches, cyberattacks and other malicious activity.

What is a data breach?

A data breach is any security incident in which unauthorized parties access sensitive or confidential information, including personal data (Social Security numbers, bank account numbers, healthcare data) and corporate data (customer records, intellectual property, financial information).

The terms "data breach" and "breach" are often used interchangeably with "cyberattack." However, not all cyberattacks are data breaches. Data breaches include only those security breaches where someone gains unauthorized access to data. A distributed denial-of-service (DDoS) attack that overwhelms a website is not a data breach. A ransomware attack that locks up a company's customer data and threatens to leak it unless the company pays a ransom is a data breach. The physical theft of hard drives, USB flash drives or even paper files containing sensitive information is also a data breach.

Why do data breaches happen?

Data breaches are caused by:

  • Innocent mistakes, such as an employee emailing confidential information to the wrong person.
  • Malicious insiders, including angry or laid-off employees who want to hurt the company and greedy employees who want to profit off the company's data.
  • Hackers, malicious outsiders who commit intentional cybercrimes to steal data. Hackers can act as lone operators or part of an organized ring. 

Financial gain is the primary motivation for most malicious data breaches. Hackers steal credit card numbers, bank accounts or other financial information to directly drain funds from people and companies. Some attackers steal personally identifiable information (PII)—such as Social Security numbers and phone numbers—for identity theft, taking out loans and opening credit cards in their victims' names. Cybercriminals can also sell stolen PII and account information on the dark web, where they can fetch as much as USD 500 for bank login credentials.

A data breach can also be the first phase of a larger attack. For example, hackers might steal the email account passwords of corporate executives and use those accounts to conduct business email compromise scams. Data breaches might have objectives other than personal enrichment. Unscrupulous organizations might steal trade secrets from competitors, and nation-state actors might breach government systems to steal information about sensitive political dealings, military operations or national infrastructure.

Some breaches are purely destructive, with hackers accessing sensitive data to destroy or deface it. According to the Cost of a Data Breach report, such destructive attacks account for 25% of malicious breaches. These attacks are often the work of nation-state actors or hacktivist groups seeking to damage an organization.

How do data breaches happen?

Most intentional data breaches caused by internal or external threat actors follow the same basic pattern:

  1. Research: The threat actor identifies a target and looks for weaknesses that they can use to break into the target's system. These weaknesses can be technical, such as inadequate security controls, or human, such as employees susceptible to social engineering. 
  2. Attack: The threat actor starts an attack on the target by using their chosen method. The attacker might send a spear-phishing email, directly exploit vulnerabilities in the system, use stolen login credentials to take over an account or leverage other common data breach attack vectors.
  3. Compromise data: Inside the system, the attacker locates the data they want and does what they came to do. Common tactics include exfiltrating data for sale or use, destroying the data or locking up data to demand a ransom. 

Common data breach attack vectors

Malicious actors can use various attack vectors or methods to carry out data breaches. Some of the most common include:

  • Stolen or compromised credentials: According to the Cost of a Data Breach 2023 report, stolen or compromised credentials are the second most common initial attack vector, accounting for 15% of data breaches. Hackers can compromise credentials by using brute force attacks to crack passwords, buying stolen credentials off the dark web or tricking employees into revealing their passwords through social engineering attacks.
  • Social engineering attacks: Social engineering is the act of psychologically manipulating people into unwittingly compromising their own information security. Phishing, the most common type of social engineering attack, is also the most common data breach attack vector, accounting for 16% of breaches. Phishing scams use fraudulent emails, text messages, social media content or websites to trick users into sharing credentials or downloading malware.
  • Ransomware: Ransomware, a type of malware that holds data hostage until a victim pays a ransom, is involved in 24% of malicious breaches according to the Cost of a Data Breach report. These breaches also tend to be more expensive, costing an average of USD 5.13 million. This figure does not include ransom payments, which can run to tens of millions of dollars.
  • System vulnerabilities: Cybercriminals can gain access to a target network by exploiting weaknesses in websites, operating systems, endpoints, APIs and common software like Microsoft Office or other IT assets. Threat actors don't need to hit their targets directly. In supply chain attacks, hackers exploit vulnerabilities in the networks of a company's service providers and vendors to steal its data. When hackers locate a vulnerability, they often use it to plant malware in the network. Spyware, which records a victim's keystrokes and other sensitive data and sends it back to a server that the hackers control, is a common type of malware used in data breaches.
  • SQL injection: Another method of directly breaching target systems is SQL injection, which takes advantage of weaknesses in how unsecured websites pass user input to their Structured Query Language (SQL) databases. Hackers enter malicious code into user-facing fields, such as search bars and login windows. This code causes the database to divulge private data like credit card numbers or customers' personal details.
  • Human error and IT failures: Threat actors can take advantage of employees' mistakes to gain access to confidential information. For example, misconfigured or outdated systems can let unauthorized parties access data they shouldn't be able to. Employees can expose data by storing it in unsecured locations, misplacing devices with sensitive information saved on their hard drives or mistakenly granting network users excessive access privileges. Cybercriminals can use IT failures, such as temporary system outages, to sneak into sensitive databases. According to the Cost of a Data Breach report, cloud misconfigurations account for 11% of breaches. Known, unpatched vulnerabilities account for 6% of breaches. Accidental data loss, including lost or stolen devices, accounts for another 6%. Altogether, these errors are behind nearly a quarter of all breaches.
  • Physical security compromises: Threat actors may break into company offices to steal employees' devices, paper documents and physical hard drives containing sensitive data. Attackers can also place skimming devices on physical credit and debit card readers to collect payment card information.
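The SQL injection item above describes input typed into a search bar or login box being executed as part of a query. The following is an added example, not code from the original page, that puts the weak form beside the hardened form using Python's built-in sqlite3 module on a constructed in-memory table. The table name, columns, sample rows and the lookup functions are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data (not from the page): a tiny in-memory table standing
# in for a web application's customer database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1111"), ("carol", "9876")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The weak form: the user-facing field is pasted into the SQL text, so
    whatever the user typed is parsed as part of the query."""
    query = (
        "SELECT username, card_last4 FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The hardened form: the value is bound to a placeholder, so the database
    driver treats it strictly as data and never as SQL syntax."""
    query = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run the same input through both forms and report how many rows each
    returns; a gap between the two is the injection showing itself."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, username)),
            "parameterized_rows": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print("alice:", compare("alice"))
    # A field value that closes the quote and appends an always-true condition
    # (the textbook search-bar payload) makes the vulnerable form return every
    # row, while the parameterized form finds no user with that literal name.
    print("tautology:", compare("' OR '1'='1"))
```

The fix is not escaping or filtering the input but changing how the query is built: with a bound parameter the database never sees the input as syntax, so the check works for any value, not only the one payload shown here.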

The scope of IT security is broad and often involves a mix of technologies and security solutions. These work together to address vulnerabilities in digital devices, computer networks, servers, databases and software applications. The most commonly cited examples of IT security include digital security disciplines such as endpoint security, cloud security, network security and application security. But IT security also includes physical security measures—for example, locks, ID cards, surveillance cameras—required to protect buildings and devices that house data and IT assets.

IT security is often confused with cybersecurity, a narrower discipline that is technically a subset of IT security. Cybersecurity focuses primarily on protecting organizations from digital attacks, like ransomware, malware and phishing scams. IT security, by contrast, covers an organization's entire technical infrastructure, including hardware systems, software applications and endpoints, like laptops and mobile devices. IT security also protects the company network and its various components, like physical and cloud-based data centers.

IT security threats

Every organization is susceptible to cyberthreats from inside and outside the organization. These threats can be intentional, as with cybercriminals, or unintentional, as with employees or contractors who accidentally click malicious links or download malware. IT security aims to address this wide range of security risks and account for all types of threat actors and their varying motivations, tactics and skill levels.

What is a threat actor?

Threat actors, also known as cyberthreat actors or malicious actors, are individuals or groups that intentionally cause harm to digital devices or systems. Threat actors exploit vulnerabilities in computer systems, networks and software to perpetrate various cyberattacks, including phishing, ransomware and malware attacks.

Today, there are many types of threat actors, all with varying attributes, motivations, skill levels and tactics. Some of the most common types of threat actors include hacktivists, nation-state actors, cybercriminals, thrill seekers, insider threat actors and cyberterrorists. As the frequency and severity of cybercrimes continue to grow, understanding these different types of threat actors is increasingly critical for improving individual and organizational cybersecurity.

Types of threat actors

The term threat actor is broad and relatively all-encompassing, extending to any person or group that poses a threat to cybersecurity. Threat actors are often categorized into different types based on their motivation and to a lesser degree, their level of sophistication.

  • Cybercriminals: These individuals or groups commit cybercrimes mostly for financial gain. Common crimes that are committed by cybercriminals include ransomware attacks and phishing scams that trick people into making money transfers or divulging credit card information, login credentials, intellectual property or other private or sensitive information.
  • Nation-state actors: Nation states and governments frequently fund threat actors with the goal of stealing sensitive data, gathering confidential information or disrupting another government's critical infrastructure. These malicious activities often include espionage or cyberwarfare and tend to be highly funded, making the threats complex and challenging to detect.
  • Hacktivists: These threat actors use hacking techniques to promote political or social agendas, such as spreading free speech or uncovering human rights violations. Hacktivists believe that they are affecting positive social change and feel justified in targeting individuals, organizations or government agencies to expose secrets or other sensitive information. A well-known example of a hacktivist group is Anonymous, an international hacking collective that claims to advocate for freedom of speech on the internet.
  • Thrill seekers: Thrill seekers are just what they sound like: they attack computer and information systems primarily for fun. Some want to see how much sensitive information or data they can steal; others want to use hacking to better understand how networks and computer systems work. One class of thrill seekers, called script kiddies, lack advanced technical skills, but use pre-existing tools and techniques to attack vulnerable systems, primarily for amusement or personal satisfaction. Though they don't always seek to cause harm, thrill seekers can still cause unintended damage by interfering with a network's cybersecurity and opening the door to future cyberattacks.
  • Insider threats: Unlike most other actor types, insider threat actors do not always have malicious intent. Some hurt their companies through human error, such as by unwittingly installing malware or losing a company-issued device that a cybercriminal finds and uses to access the network. But malicious insiders do exist. For example, the disgruntled employee who abuses access privileges to steal data for monetary gain or inflicts damage to data or applications in retaliation for being passed over for promotion.
  • Cyberterrorists: Cyberterrorists start politically or ideologically motivated cyberattacks that threaten or result in violence. Some cyberterrorists are nation-state actors; others are actors on their own or on behalf of a nongovernment group.

Threat actor targets

Threat actors often target large organizations; because they have more money and more sensitive data, they offer the largest potential payoff. However, in recent years, small and medium-sized businesses (SMBs) have also become frequent targets of threat actors due to their relatively weaker security systems. In fact, the FBI recently cited concern over the rising rates of cybercrimes that are committed against small businesses, sharing that in 2021 alone, small businesses lost USD 6.9 billion to cyberattacks, a 64 percent increase from the previous year.

Similarly, threat actors increasingly target individuals and households for smaller sums. For example, they might break into home networks and computer systems to steal personal identity information, passwords and other potentially valuable and sensitive data. In fact, current estimates suggest that one in three American households with computers are infected with malware.

Threat actors are not discriminating. Though they tend to go for the most rewarding or meaningful targets, they'll also take advantage of any cybersecurity weakness, no matter where they find it, making the threat landscape increasingly costly and complex.

Threat actor tactics

Threat actors deploy a mixture of tactics when running a cyberattack, relying more heavily on some than others, depending on their primary motivation, resources and intended target.

  • Malware: Malware is malicious software that damages or disables computers. Malware is often spread through email attachments, infected websites or compromised software and can help threat actors steal data, take over computer systems and attack other computers. Types of malware include viruses, worms and Trojan horse viruses, which download onto computers disguised as legitimate programs.
  • Ransomware: Ransomware is a type of malware that locks up the victim's data or device and threatens to keep it locked up—or worse—unless the victim pays a ransom to the attacker. Today most ransomware attacks are double-extortion attacks that also threaten to steal the victim's data and sell it or leak it online. According to the IBM Security® X-Force® Threat Intelligence Index 2023, ransomware attacks represented 17 percent of all cyberattacks in 2022. Big game hunting (BGH) attacks are massive and coordinated ransomware campaigns that target large organizations, including governments, major enterprises, and critical infrastructure providers that have lots to lose from an outage and will be more likely to pay a large ransom.
  • Phishing: Phishing attacks use email, text messages, voice messages or fake websites to deceive users into sharing sensitive data, downloading malware or exposing themselves to cybercrime. Types of phishing include:
    • Spear phishing, a phishing attack that targets a specific individual or group of individuals with messages that appear to come from legitimate senders who have a relationship to the target.
    • Business email compromise, a spear phishing attack that sends the victim a fraudulent email from a co-worker's or colleague's impersonated or hijacked email account.
    • Whale phishing, a spear phishing attack aimed specifically at high-level executives or corporate officers.
  • Social engineering: Phishing is one form of social engineering, a class of attacks and tactics that exploit feelings of fear or urgency to manipulate people into making other mistakes that compromise their personal or organizational assets or security. Social engineering can be as simple as leaving a malware-infected USB drive where someone will find it (because "hey, free USB drive!"), or as complex as spending months cultivating a long-distance romantic relationship with the victim in order to bilk them out of plane fare so they can "finally meet". Because social engineering exploits human weakness rather than technical vulnerabilities, it is sometimes called "human hacking".
  • Denial of service attacks: This type of cyberattack works by flooding a network or server with traffic, making it unavailable to users. A distributed denial-of-service (DDoS) attack marshals a distributed network of computers to send the malicious traffic, creating an attack that can overwhelm the target faster and be more difficult to detect, prevent or mitigate.
  • Advanced persistent threats: Advanced persistent threats (APTs) are sophisticated cyberattacks that span months or years rather than hours or days. APTs enable threat actors to operate undetected in the victim's network, infiltrating computer systems, conducting espionage and reconnaissance, escalating privileges and permissions (called lateral movement) and stealing sensitive data. Because they can be incredibly difficult to detect and relatively expensive to run, APTs are typically started by nation-state actors or other well-funded threat actors.
  • Backdoor attacks: A backdoor attack exploits an opening in an operating system, application or computer system that is not protected by an organization's cybersecurity measures. Sometimes, the backdoor is created by the software developer or hardware manufacturer to enable upgrades, bug fixes or (ironically) security patches; other times, threat actors create backdoors of their own using malware or by hacking the system. Backdoors allow threat actors to enter and exit computer systems undetected.
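Two of the tactics on this page leave the same kind of trace in logs: the brute-force password guessing listed under stolen credentials in the attack-vector section, and the traffic flood of a denial-of-service attack, both show up as a single source producing far more events in a short window than any legitimate client would. The detector below is an added example, not code from the original page; it reads a constructed authentication log, keeps a sliding window of failures per source address and raises an alert when a threshold is crossed. The log format, field names, threshold, window size and the addresses (documentation-reserved ranges) are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page). Assumed format:
#   <ISO-8601 timestamp> <FAIL|OK> user=<account> src=<source address>
# 203.0.113.7 and 198.51.100.9 are documentation-reserved addresses.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03 OK user=dave src=198.51.100.9
2024-05-01T10:00:05 FAIL user=bob src=203.0.113.7
2024-05-01T10:00:09 FAIL user=carol src=203.0.113.7
2024-05-01T10:00:12 FAIL user=dave src=203.0.113.7
this line is malformed and must be skipped rather than crash the detector
2024-05-01T10:00:20 FAIL user=erin src=203.0.113.7
2024-05-01T10:00:30 FAIL user=alice src=198.51.100.9
2024-05-01T10:00:45 FAIL user=frank src=203.0.113.7
2024-05-01T10:02:00 FAIL user=alice src=198.51.100.9
2024-05-01T10:02:10 OK user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_line(line: str):
    """Return (timestamp, result, user, src), or None for a line that does not
    match the assumed format, so garbage in the log cannot break detection."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    return ts, m.group(2), m.group(3), m.group(4)


def detect_bursts(lines, threshold: int = 5,
                  window: timedelta = timedelta(seconds=60)) -> list:
    """Sliding-window count of failed logins per source address.

    Emits one alert per source the first time its failures inside `window`
    reach `threshold`. The alert records the window start, the failure count
    and how many distinct accounts were tried: many accounts from one source
    is the signature of password guessing across users, not one person
    mistyping their own password."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "window_start": q[0][0].isoformat(),
                "failures": len(q),
                "distinct_users": len({u for _, u in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log only 203.0.113.7 trips the detector (five failures across five different accounts within twenty seconds); the two spaced-out failures from 198.51.100.9 fall outside a single window and stay quiet. The same per-source window, keyed on requests instead of failed logins, is the basic shape of a volumetric flood detector, though a real DDoS spreads the traffic across many sources precisely to stay under any one-source threshold.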

Threat actors versus cybercriminals versus hackers

The terms threat actor, hacker and cybercriminal are often used interchangeably, especially in Hollywood and popular culture. But there are subtle differences in the meanings of each and their relationship to each other.

  • Not all threat actors or cybercriminals are hackers. By definition, a hacker is someone with the technical skills to compromise a network or computer system. But some threat actors or cybercriminals don't do anything more technical than leave an infected USB drive for someone to find and use, or send an email with malware attached.
  • Not all hackers are threat actors or cybercriminals. For example, some hackers, called ethical hackers, essentially impersonate cybercriminals to help organizations and government agencies test their computer systems for vulnerability to cyberthreats.
  • Certain types of threat actors aren’t cybercriminals by definition or intent, but are in practice. For example, a thrill seeker who is "just having fun" by shutting down a town’s electrical grid for a few minutes, or a hacktivist who exfiltrates and publishes confidential government information in the name of a noble cause may also be committing a cybercrime, whether they intend to or believe that they are.
