Five Ways to Prevent a Breach in 2025: Cybersecurity Lessons from the Front Lines of Breaches across Canada

By Gerard Dunphy, Senior Director, Detection, Response and Recovery, ISA Cybersecurity

Gerard has led incident response teams on some of Canada’s largest breaches, giving him a frontline perspective that helps clients prepare effective defense-in-depth and breach readiness strategies.

Gerard brings over 25 years of experience in cybersecurity, with extensive technical expertise, strong business acumen, and proven leadership skills. His technical strengths include security operations, network and endpoint security, SIEM management, threat hunting, threat intelligence, email security, firewall management, vulnerability management, incident/breach response and digital forensics. 

Gerard is also a strong advocate for cybersecurity awareness and education programs. He has developed and presented dozens of security awareness sessions and programs to a wide array of audiences, covering topics such as ransomware, social engineering, business email compromise, insider threats, procurement and financial fraud, and general security awareness.

Before we turn the page on 2024, we must look back at the cyber attack trends of the past year to ensure a more secure 2025. Unfortunately, given the prevalence and severity of the incidents we saw, many organizations continue to underestimate the gravity of cyber risks. In some instances, it was as if their “risk calculators” were broken, which led to dire consequences in the face of ever-evolving threats.

Most notable, albeit not surprising, is that many of the breaches we saw over the past year could have been prevented, or at least significantly mitigated, by following best practices.

To help organizations strengthen their defenses, I’ve outlined the five most common causes of breaches I saw in 2024 and the key strategies your business can implement to avoid becoming the next victim.

1. Social Engineering

Social engineering involving email remains a leading cause of cybersecurity breaches. Several of the data breaches my team handled were the result of an unintentional or unwitting act by a staff member. The 2024 Verizon DBIR reflects this trend as well, reporting that over two-thirds (68%) of the incidents they studied involved social engineering.

We saw many incidents that involved clicking on a malicious link in a phishing email or sending sensitive information to the wrong recipients. Several of these cases involved the use of spoofed email addresses, wherein a seemingly authentic message came from a phony domain (the names were similar, but the fake site had a “1” instead of an “l” in the domain name). The simple oversight of failing to check for a legitimate email address led to significant financial fraud.

Cyber criminals look to exploit your hectic schedule to carry out successful social engineering attacks. If people are in a hurry, they may not recognize a realistic AI-generated phishing email until it’s too late. Similarly, sending off a quick email without first confirming the recipient’s email address or ensuring the attachment is correct can quickly result in a costly data disclosure.

Recommendations: Security awareness training for every member of your organization is a critical step in strengthening your “first line of defense”, which is your people. Empowering your staff with the knowledge to quickly spot and report a phishing email can significantly help reduce the risk of a cyber breach. User education is just the first part of the story.
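The spoofed-domain case above (a “1” standing in for an “l”) is exactly the kind of thing a mail gateway or triage script can flag before a person has to notice it. The following is an added illustration, not code from the article or from ISA Cybersecurity; the trusted-domain allowlist and the From: headers it checks are constructed for the example.

```python
"""Flag sender domains that imitate trusted ones with look-alike characters.

Added illustration, not code from the article or from ISA Cybersecurity;
the trusted domains and From: headers are constructed for the example.
"""
import re

# Look-alike substitutions seen in spoofed domains, mapped to the letter they
# imitate (the article's "1" for "l" case among them); multi-char pairs first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]

# Constructed allowlist of domains the organization legitimately deals with.
TRUSTED_DOMAINS = {"example-bank.com", "supplier.example"}


def skeleton(domain: str) -> str:
    """Collapse look-alikes so 'examp1e-bank.com' equals 'example-bank.com'."""
    s = domain.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch near-miss domains such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted', d), ('lookalike', imitated_domain) or ('unknown', d)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return ("trusted", domain)
    for known in trusted:
        if skeleton(domain) == skeleton(known) or levenshtein(domain, known) <= 1:
            return ("lookalike", known)
    return ("unknown", domain)
```

A “lookalike” result is a good trigger for quarantining the message or adding a warning banner, and for a verified call-back before any payment instruction in it is acted on.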

2. Delayed Software Updates and Patch Management

A significant number of breaches we saw in 2024 were caused by failing to promptly apply critical security updates. Delays in applying patches left key systems vulnerable to dangerous, known exploits. We found examples of obsolete or unsupported software, unpatched versions of operating systems, and unsupported perimeter defense hardware such as firewalls and VPNs.

Hackers searching for their next victims exploit vulnerabilities like these to quickly gain access to – and across – your network. It can be likened to leaving your office unattended with a broken lock on the door: it’s an open invitation to intruders to take advantage of your vulnerability for their own purposes. Companies that are failing to implement reasonable security procedures and practices are also increasingly facing fines and lawsuits as part of the fallout of a breach.

Recommendations: Every organization should have a patch management strategy that addresses vulnerability exposure across the entire digital landscape. This includes IT, OT and IoT – both on premises and in the cloud. Obsolete hardware or software should also be replaced as soon as possible. Limit access to any obsolete system that must remain on the network for any length of time and implement additional monitoring on those systems to detect early signs of intrusion.

To confirm that other systems aren’t lagging behind current patch/version levels, we also recommend vulnerability assessments and penetration testing to identify potential risk areas before the threat actors can take advantage of them. We can assist your organization in implementing vulnerability management programs to keep on top of the risks presented by newly discovered vulnerabilities and by systems that are “sunsetting” and no longer supported.

3. Logging

Another common issue my team ran into was the lack of available logs to conduct investigations. In some cases, no logs existed because foundational security tools like EDR and SIEM had never been deployed. In other cases, where security solutions were in place, the systems were not configured to adequately retain and secure logs.

While logging may seem mundane or an added cost, it’s extremely important to understand that, without logs, you have no evidence to tell you when or how the breach occurred, how long threat actors were in your network, or what actions they took during the breach.

Recommendations: SIEM solutions can secure immutable copies of system logs, and identify patterns and behaviours that sound the alarm in the event of an attempted breach. This can give your team more time to limit or even prevent damage. In the event of a successful breach, having reliable logs available allows the investigators to assess the scope of the breach, accelerate efforts to identify and eradicate the threat, and conduct a more extensive root cause analysis to prevent future breaches.

We strongly recommend that our customers enable appropriate levels of logging for their key systems, and ingest those logs into a SIEM solution. Centralizing and locking down those logs could provide crucial information in the event of a cyber attack.

4. Weak Authentication Practices

My team continues to encounter organizations with inadequate or poorly deployed multi-factor authentication (MFA). In some cases, MFA was not deployed at all; in others, MFA had only been introduced to a segment of the user population – leaving some admin-level access unprotected. This led to a data breach when a third party’s credentials were stolen and used to gain unauthorized access. This data breach likely could have been prevented had MFA been in place.

Recommendations: Multi-factor authentication is strongly recommended for any organization. MFA solutions are straightforward and affordable to implement: our Threat Protection team can build out a risk-free proof of concept to illustrate how easy it is to get started.

5. Incident Response Planning

My last observation pulls the other themes together. We found that organizations that experienced an incident often had outdated or incomplete incident response plans. While we work with our incident response retainer customers to document and prepare robust and resilient incident response plans, we also helped many organizations that approached us for the first time in a crisis. In every case, we found that incident management was more efficient when teams had a clear, well-tested incident response plan (IRP) in place.

Recommendations: An incident response plan is vital to a successful outcome of an incident. IRPs are designed to set expectations and provide guidance to leadership and staff – whether those individuals are managing an incident or playing a role in helping resolve one. A well-constructed IRP will reflect the individual needs of the organization, including any compliance obligations they may have. An IRP should also be tested at least annually to help ensure leaders and responding team members become more familiar with what to do if an incident occurs. Testing is typically done through the use of tabletop exercises.

My team has assisted with incident response planning, IR playbook development, tabletop exercises, and other readiness programs that put customers in a better position to stave off the next cyber threat – because there’s always a “next one” around the corner.

Looking Forward to a Resilient 2025

I am proud of my team for helping dozens of customers through cyber incidents of all sizes over the past year. Cyber criminals are becoming more sophisticated, and this trend will continue in the era of artificial intelligence (AI). But there is a lot we can do to protect ourselves from these growing threats and prevent a breach, or at least position ourselves to quickly recover from one with little or no damage.

Organizations should take the time to reassess their approach to cybersecurity. Consider these five trends as low-hanging fruit: things you can implement that will significantly improve your cybersecurity posture. Deploy MFA, prioritize education, keep systems patched, implement a logging strategy, and adhere to industry best practices. By placing the right priority on fundamental security measures, you can be better prepared for the inevitable.

ISA Cybersecurity is introducing even more innovative incident response services in 2025: contact us anytime to learn more – and have a happy and secure new year!
