20+ Vulnerability Types 2019
Any weakness that can be exploited to mount an attack on a network, system or service is termed a vulnerability.
Whilst we may be unable to take preventative action to ward off threats and hazards, vulnerabilities are things that we can often take steps to reduce or even eliminate altogether. This blog explores 20+ Vulnerabilities Types.
Some vulnerabilities reflect the nature of the asset, for example, the ability of data on magnetic media to be overwritten or deleted; whilst others result from some accidental or deliberate action or inaction, for example, failure to undertake regular backups.
The vulnerabilities themselves, and indeed the controls we may use to treat them, come in many shapes and sizes. Most of them arise from failures to have or to adhere to policies, processes, and procedures.
Significantly less frequent, but also potentially serious, are the technical vulnerabilities. People-related vulnerabilities are also a major area of concern, as are environmental vulnerabilities.
Policy, process and procedure vulnerabilities
Whilst many organizations have robust policies and procedures in place – either to ensure that the right things happen or to ensure that the wrong things don’t happen – they are occasionally either overlooked or simply given lip service. This section highlights some of the key policies and procedures that organizations should undertake as a minimum.
Failure to have an overall information security policy
The failure of an organization to put in place an overall information security policy comes right at the top of the list of vulnerabilities. Security policies do not need to be lengthy or complex but should state clearly and simply what formalities the organization requires to be in place, and makes it clear that people must adhere to them.
The lack of, or poorly written, access control policies
A formal access control policy or one that is inappropriate for the needs of the organization is the next port of call, and the lack of suitable policy or one that is not properly communicated to staff will cause severe repercussions.
Access to systems, applications and information should only ever be given on the basis of the user’s business need, and should always be approved by their line manager.
Failure to change user access rights when changing a role or leaving the organization
Another vulnerability connected with this is that of poor access control for users changing roles or leaving the organization. Their access to systems, applications, and the information is frequently overlooked when an individual changes role.
A method of combating this is that of role-based authentication, in which the user gains access by means of both their job function and their identity, rather than by their identity alone.
On leaving the organization, the user’s access rights should be immediately revoked so that they can no longer access the organization’s network and systems.
Inadequate user password management
One of the most frequent vulnerabilities is that of poor password management. In the past, this included the failure to enforce regular password changes together with a test of password strength. However, NIST has recently deemed that frequent changes are unhelpful to users and that strength checkers may not be sufficiently robust.
Instead, new guidelines are being developed that rate password length and hashing method as being more user-friendly by placing the burden on the verifier rather than the user.
The continued use of default system accounts and passwords
An extremely common vulnerability is the continued use of default factory-set accounts and passwords for new and upgraded systems. Many individuals in the hacking world are aware of these and circulate them around the community.
The failure to change or hide wireless network identities or service set identifiers (SSIDs) will allow an attacker to pinpoint target networks, and if the default administrator passwords have not been changed, or the security level enhanced, these provide a highly attractive entry point into an organization’s network.
The continued use of inbuilt system accounts and passwords
Worse still than the continued use of default settings, there may sometimes be a tendency to allow one system to connect to another by embedding user IDs and passwords within applications. This is a highly dubious practice since a change in one system or another can easily result in application failures.
The lack of security of mobile devices
Many organizations fail to secure mobile devices, whether these are supplied by the organization, or brought in by the users themselves (bring your own device; BYOD). Unless properly configured, mobile devices generally are relatively insecure and easily lost, mislaid or stolen, making both the device and the network to which it can connect equally vulnerable.
The lack of network segregation
Network segregation is commonplace in larger organizations, in which different networks are constructed according to the business requirement, and particularly according to their confidentiality, integrity and availability requirements.
For example, an organization with a significant research capability might well place this on a different network than that for finance or general administration use.
Failure to restrict access to networks according to use is a very common vulnerability and may allow people to reach resources to which they have no entitlement.
Failure to impose a clear desk and clear screen policy
The lack of a clear desk and clear screen policy again is a very common vulnerability. Some organizations make it a disciplinary offense for an employee to leave confidential materials in plain view or for failing to log out of or secure their workstation when they are away from their desk.
Restriction of administration rights usage
Unwarranted access to administration accounts is a frequent vulnerability. Only trained and authorized personnel should have administration rights and that should include using computers as well as central systems.
Also, administrators should have two accounts, one with the administrator rights for undertaking such work and a second ‘standard’ user account for day-to-day activities such as email, internet access, and office work.
The use of untested software
It is good practice for organizations to test new or updated software, including the testing of patches before they go into production or general use environment.
The untested software may not only cause operational issues if it fails to work as expected but in cases where it is used in conjunction with other applications, it can have a knock-on effect resulting in an embarrassing chain of consequences.
Failure to restrict the use of system utilities
Although a relatively minor vulnerability, the failure to restrict the use of system utilities such as a terminal console application – normally by setting access privileges within the user’s profile – can result in users carrying out activities that are detrimental to their own device or to other systems, applications or information within the organization.
Separation of duties
In some situations, it is possible for staff to allow attackers to take advantage of access to information that they might not normally have. This ties back into access control, in which access to information might benefit from being role dependent.
Staff should not be placed in a position, for example, where they can not only raise requisitions for orders but also authorize them for purchase.
Inadequate network monitoring and management including intrusion detection
Inadequate network management, including the monitoring of hacking and intrusion attacks, will mean that successful attacks and intrusions are overlooked, and little or nothing is known about their occurrence until much later.
The use of unprotected public networks
Many attacks are caused by unprotected public network connections, which allow an intruder to gain easy access to an organization’s network, including the use of shared computers in public environments such as internet cafés and the use of unauthorized and possibly unsecured wireless access points (WAPs).
The uncontrolled use of user-owned wireless access points
Occasionally, users of an organization’s networks will discover ways of subverting the organization’s security procedures and will attempt to connect their devices to parts of the network to which they have no entitlement. One way in which this is achieved is by connecting in a ‘rogue’ wireless access point to which they have unrestricted access.
One of the main issues with this is that the security settings of such wireless access points might not be as strict as those of the organization itself, and whilst the users may be able to access the network, so might an attacker.
Poor protection against malware and failure to keep protection up to date
Malware protection software, especially antivirus software that is not kept up to date will make an attacker’s job much easier. Attackers will take advantage of any means of access available to them, and often are aware of vulnerabilities in applications and operating systems long before a fix is available. Delays in updating these applications leave an organization wide open to attack.
The lack of a patching and updating regime
In the same way as the regular updating of malware protection software, the failure to install manufacturers’ software patches will leave operating systems and application software open to attack.
Inadequate and untested backup and restoral procedures
Most organizations nowadays carry out regular backups of user data. However, it is far rarer for them to verify that these backups are actually fit for purpose and that information can actually be successfully restored from the backup media. This again presents a serious vulnerability, since backup media that does not fulfill its objective is just as bad as having no backup regime at all.
Improper disposal of ‘end of life’ storage media
Once storage media has reached its end of life, it should be properly disposed of or wiped before reuse. There are numerous stories in the press regarding people who have bought second -hand computers only to find that the hard drives still contain sensitive or personal information that had not been securely removed prior to the sale.
Some organizations will not allow magnetic media of any kind to be resold and insist that disposal is irreversible.
There are examples of computers that have been bought with the original user’s data still intact, as well as computers left on trains without password protection.
The lack of a robust ‘bring your own device’ (BYOD) policies
The concept that an organization’s staff can bring their own device has become very popular since it can reduce the IT hardware costs to an organization.
However, the lack of appropriate policies for its use and the lack of enforcement can bring about serious breaches of security, especially in situations where other members of a user’s family have access to the same device.
In 2010, one organization was badly affected by a virus that was brought in on a user’s own personal computer. The machine had been used over a weekend by the user’s teenage son, who had unwittingly accessed a website that contained malware.
The resulting infection spread throughout a large part of the organization’s network and took its entire IT department several days to clear up. The user (a senior manager) was cautioned, but unfortunately, the same event happened the following week, and the user was then banned from bringing in his own machine.
Inadequate change management procedures
Inadequate change control can lead to software and patches being rolled out to the user population, new systems and services and network connections being made and redundant systems removed without full consideration (and risk assessment) of the consequences.
In smaller networks, change control can easily be vested in one or two people on a part-time basis, but as an organization’s network grows, it may be necessary to employ a full-time team with representatives from multiple business units.
The lack of audit trails, non-repudiation of transactions and email messages
In some sectors, it is vital that online transactions and email correspondence are subject to detailed logging and non-repudiation. In many applications, this audit trail is built into the operating software, and in the event of a dispute regarding ‘who did what’, or ‘who said what’, those organizations that are able to produce evidence in their favor will greatly reduce their risk profile.
The lack of segregation of test and production systems
Those organizations that employ large-scale systems and application testing prior to roll out are open to problems if they fail to separate test and operational facilities, since users may inadvertently connect to a test system resulting in failed transactions.
It is not only good practice for organizations to include acceptable use statements in contracts of employment, but it should be mandated, whether for hiring permanent staff or taking on external contractors.
So that staff members and contractors have no excuse for not knowing that they may not visit inappropriate websites, send or receive inappropriate emails or post inappropriate material on social networks or web blogs.
[Note: You can free download the complete Office 365 and Office 2019 com setup Guide.]
The uncontrolled copying of business information
Operational management should limit the uncontrolled copying of information by users who have no need to access it – again, this is also largely an access control issue, but the identification of such activity may fall into a different management area. This includes the use of USB memory sticks and shared network drives.
Technical vulnerabilities are perhaps less obvious to spot but are frequently highly dangerous. These could also be considered to be failures of policy, process or procedure, but are sufficiently significant to warrant their own section.
Poor coding practice
Poor coding practice is potentially one of the most serious issues around today. The Internet of Things has brought us an increasing number of internet-connected products such as baby monitors, CCTV systems, home entertainment systems, and environmental control systems.
Many of these have been shown to have little or no security within the application software that runs within the IoT device itself, and frequently in any application that is used to control it.
Such failings will undoubtedly have drastic consequences, since an attacker can not only attack and take control of the device itself, but may well use it as a stepping stone to other devices on the network.
Even if a vulnerability is discovered and hopefully fixed, the chances of it being possible to roll out the corrected code to the entire user base are not great, especially if a device has already been compromised.
In January 2017, it was announced at the Consumer Electronics Show (CES) that a number of manufacturers are developing routers with inbuilt security software designed to protect IoT devices that have inadequate security.
This might be a possible solution to the problem, since consumers will only have to place their trust in one system to protect all their IoT devices and applications, but it will almost certainly encourage laziness from the manufacturers of IoT devices and applications as they will feel there is no point in trying to make their product secure.
Indeed, poor coding practice is not limited to the IoT environment – it affects operating systems and applications as well, and combined with backdoors that allow a programmer to test code more easily, these types of vulnerability are amongst the oldest in the blog!
Poor specification of requirements
Poor coding practice often originates from the poor specification of requirements for the product or service. It is a long-held view that it is always better to design security into a product from the beginning rather than trying to patch it in later on, but many organizations still persist in this bad practice.
Poor quality assurance and testing
Hand in hand with poor coding practice runs poor quality assurance and testing. It is easy to imagine that a programmer developing the software for an IoT device might well also be responsible for its functionality testing, in which case (given the lack of a security requirement in the product’s specification), the problem will be exacerbated.
There are numerous people-related vulnerabilities, some of which arise from the lack of training and awareness provided by the organization, whilst others arise from people’s inability to think and act logically or to follow instructions.
Social engineering may best be defined as an act that influences a person to take an action that may not be in their or their organization’s best interest. This includes persuading them to divulge personal or confidential information.
People are frequently susceptible to social engineering or to coercion when an attacker who may have carried out research on the individual is able to gain their confidence through flattery or by offering some inducement that the individual is likely to accept.
Social engineering is a skill that many cyber-attackers work hard to develop since assistance from inside an organization can save them a great deal of time and effort. One example of social engineering is the use of so-called ‘dark patterns’, in which the user is lured into carrying out an action they had not intended.
Lack of awareness
An extremely effective technique for delivering malware is to provide people with free memory sticks infected with malware. Not only can this be achieved by handing them out at conferences and exhibitions, but also by leaving them on the ground near a target user’s house or place of work.
Thinking they’re getting something for nothing, people will happily plug these into their computers without contemplating the possible consequences.
Failure to comply with company policies and good practice
This is one of the most common forms of vulnerability. Computer users, especially in a corporate environment, find that they are constrained by the organization’s policies, processes, and procedures, and they will try to find ways of defeating or working around them.
Sometimes this is due to sheer laziness on their part because doing something properly requires effort; at other times they simply don’t see the point or disagree with the requirement.
Typical amongst this type of vulnerability is people writing down key passwords, especially passwords for root access to systems, and sharing passwords with colleagues who either have forgotten their own or more frequently should not have access in the first place.
Occasionally, users will choose a simple password (for example, 1234) when using an application or service. Good password management techniques should prevent this, but occasionally users will still find ways of circumventing this. Other vulnerabilities in this area include passwords that can be easily guessed or cracked, such as one’s mother’s maiden name.
Poor response to training and awareness
It is important that this is not a one-off event, but an ongoing process, so that users are regularly updated on security matters they need to be aware of, and that they continue to be trained in the correct way of doing things.
However, some aspects of user behavior will continue to require line management action when they fail to comply, and some organizations penalize staff who repeatedly ignore their training.
Physical and environmental vulnerabilities
There are some areas in which physical and environmental vulnerabilities will have an effect, and the impact of these can be dramatic.
Building and equipment room access
It may sound obvious that physical access to key buildings and sensitive areas within them should be carefully controlled, but all too frequently this is not the case, leaving the way clear for an intruder to enter unobserved.
Theft is frequently a motive for this kind of entry, sometimes enabled by careful social engineering and sometimes by the distraction of security staff, but it may also provide an attacker with the opportunity to introduce malware into a system.
Physical access to individual items of equipment
In addition to equipment room access, poor security can also allow an intruder to gain access to the individual systems where malware can be introduced. This often happens when a number of systems are located within a single rack space, so that having physical access to one automatically gives an intruder physical access to all the others.
Locking equipment cabinets is an obvious solution, but all too frequently keys are left in the cabinet lock.
Single points of failure
Any organization that delivers services over the internet, or indeed internally to its staff, must consider the possibility of single points of failure (SPoFs) as a major vulnerability.
These SPoFs include the main computer system, its operating system, software applications, firewall technology, network connectivity, web servers and any front-end load balancing systems.
The service design must take into account the possibility of failure of any one of these components, leading to an overall failure of service, and the design must be planned so that this does not happen.
Heating, ventilation and air conditioning (HVAC)
Key systems are invariably located in controlled environments such as computer and equipment rooms, but these bring about a potential single point of failure since all will rely on the environmental controls to maintain a steady temperature and humidity.
Provided that these are maintained within specified limits, the risk is minimal, but once the temperature changes, especially increasing beyond recommended levels, equipment can cease to operate.
However, some data centers now run their equipment rooms at slightly higher temperatures than those that are comfortable for humans, realizing that a few degrees increase in temperature will not cause problems, but will save a considerable amount of money in the long term.
The loss of or interruption to power is the main vulnerability of all systems, and whilst the loss for any long period of time can cause severe problems, equipment is rather more vulnerable to being powered off and on again repeatedly and is much more likely to suffer catastrophic failure.
These days, no self-respecting organization with a major IT infrastructure would consider anything but an uninterruptible power supply system to run their essential computer room or data center, and this would normally be backed up by a system of standby generation. Such systems often also provide power to other essential services such as those used by the supporting operations staff.
Cyber impacts or consequences are the results of some unwanted event – when a vulnerability has been exploited by a threat. Impacts come in many shapes and forms, but all require some sort of decision to be made.
Some impacts can be tolerated because they are not serious, but many cannot be tolerated and require some form of countermeasure, control or treatment in order to remove or minimize them.
Many impacts will be felt on a personal or individual level, whilst others will have a much wider impact on organizations. We’ll take a look at personal impacts first.
This section covers many of the impacts that will affect individuals in the home or SME environment as well as individuals working in larger corporate organizations.
Loss of or unauthorized changes to personal information
One of the most worrying impacts on individuals is the loss or exposure of personal information. This could be almost anything about our private or professional lives that we would prefer to keep to ourselves, but for whatever reason could become awkward or embarrassing if it became public knowledge.
It is amazing how much information you can accumulate about someone without either ever having heard of them before, or without them being in any way aware of the fact.
There are quite a number of people around the UK who share the same name as me, and who apparently have a very similar email address. I regularly receive emails intended for them.
Over a period of time, and quite unintentionally, I have built up a fuzzy picture of some of them. I know most of their full name; often their occupation; roughly, and in a couple of cases, exactly where they live; occasionally, their interests; and some of their shopping habits.
I am sure that if I put my mind to it I could find out much more, but the more important fact is that they either are completely unaware of this or are totally unconcerned that much of their personal information has reached a person for whom it was never intended.
This is due to one simple fact – they, or the person sending them an email, has typed their email address incorrectly.
Within the space of 48 hours, I found it necessary to contact a gardening company who needed the authorization to carry out work, a theatre where my namesake had tried to register for an account on their blogging system, and a company selling car wheels that my alter ego had ordered.
These are just recent examples – in the past, I have incorrectly received highly confidential cancer patients’ medical records and demands to pay armed services mess bills.
I always attempt to contact either the individual or the person who has emailed them, but whilst they could at least apologize for the inconvenience and thank me for pointing out their error, sadly all too frequently there is no response at all. Whatever happened to good manners when we joined the connected world?
Sometimes people give my mobile phone number instead of their own, and I have received numerous text messages from various organizations advising of delivery times and appointments. These two have told me where someone lives and what they have ordered, but I have (so far) resisted the temptation to text back and make changes!
We happily join social networks and post information about ourselves. Facebook, Twitter, and LinkedIn are just three examples of social networks where an enormous amount of information can be discovered about us, including our earlier education, university life, job history, interests and hobbies, family life and much, much more.
It’s not only individuals who can cause problems for themselves. Take the case of a CEO who was having regular meetings with the CEO of another organization with a view to a merger.
On one occasion he took his family with him and his teenage daughter posted a photograph of the town they visited, together with a comment about her father being in a meeting at a particular company.
Someone following her on the social network put two and two together and made a couple of telephone calls, which resulted in the fact of a highly sensitive discussion becoming public knowledge, affecting the companies’ share prices, and effectively ruining the entire project.
This is perhaps an extreme example, but it does illustrate the possible consequences of seemingly innocent actions.
Loss of or unauthorized changes to personal credentials
Individual people’s credentials are big business. Details of bank and credit card accounts, usernames, email addresses, passwords and the like are bought and sold on the internet for surprisingly little money.
An attacker who can acquire these in bulk can monetize the data in a number of ways – either by using the credentials himself to mount attacks on the individuals concerned or by selling on these credentials in bulk to others who are better equipped to mount the attacks.
The impact on the individual can be far-reaching, depending upon the type of credentials discovered. If the individual is lucky, they may discover the attack early on, and may just lose a small sum of money. If they are unlucky, it can be much more devastating.
Loss of money and other financial instruments
Money is a major motivator for cyber-attackers, so naturally, they will try to steal as much as they can if the opportunity presents itself.
In some situations, where the individual can show that they have taken due diligence over their credentials and have protected their computer and bank cards, as well as they, reasonably can, the finance organisation will accept responsibility for covering the losses, but where individuals have been careless or negligent, they have the potential to lose considerable sums of money.
A knock-on effect of this is that one’s financial standing or creditworthiness might also be affected, if, for example, the loss empties one’s bank account immediately prior to a direct debit being taken for a mortgage payment, and this is subsequently marked against the individual’s credit rating.
Damage to personal reputation
Cyber- attacks can easily ruin reputations. If you consider the example of someone whose email account is stolen, or whose account username is used by an attacker, it is quite simple to send out malicious emails that could destroy their reputation overnight.
More often, however, especially if the recipients know the individual well, they accept that the account has been abused, but the repercussions of having malicious communications sent to someone you don’t know are potentially far more serious.
Reputations are rather like eggs – very easily broken, and very difficult to piece back together again.
Loss of personal trust
Trust goes hand in hand with reputation. People with a sound reputation tend to be trustworthy and vice versa and the loss of trust in an individual implies that their word is no longer reliable.
The importance of trust cannot be overstated, whether this is in connection with a conventional business or with online transactions.
Loss of or unauthorized changes to intellectual property
The theft of IP is closely related to the theft of money since although no actual money is stolen, the potential to have earned it through sales will have been denied to the IP owner.
A secondary and rather more serious loss of IP is when an attacker steals the original material and claims it as their own, in which case the original IP owner will be at a very serious disadvantage.
An example of this type of loss reported by the Intellectual Property Office in its 2015/2016 IP Crime Report is that of the abuse of the set-top boxes designed to allow users to collect music, videos, photographs and games in a single application.
Illegal third-party add-on software can allow users to download pirated material from film companies and television companies. The report flagged this kind of IP theft as being one of the top three it is investigating.
Some years ago, a colleague was targeted by an organized group, who used her email address to send out hate mail to everybody in her list of contacts, stole money from her bank account, ran up credit card bills, and almost destroyed her personal and professional life.
However, she was actually extremely fortunate, as she discovered what had happened at an early stage and took remedial action to limit the damage, but whilst the perpetrators were identified, they were never brought to justice since they were beyond the jurisdiction of the European security services.
She believes that the reason for targeting her was that on several occasions she had been publicly very outspoken about the integrity of a large overseas organization.
Identity theft is often closely coupled with cyber theft, since an attacker may reveal their identity if they carry out too many actions using the stolen identity, whereas in the case of a quick ‘smash and grab’, the attacker can discard the identity as soon as they have the money.
This aspect of cybersecurity is rather new. In December 2016, in response to an article he had posted, Newsweek journalist Kurt Eichenwald reported having received a tweet containing flashing images that caused him to suffer an epileptic attack. Clearly, the sender was aware of Mr. Eichenwald’s medical condition, and the matter is under investigation by police in the USA.
Such conduct raises the question as to what might be the consequences, for example, for patients undergoing kidney dialysis at home with equipment that is internet-connected.
Many of the impacts that affect individuals will also affect organizations. However, because of the scale of organizations, both in terms of numbers of people and in the amounts of finance involved, the overall impacts will potentially be significantly greater. These could easily include partial or complete failure of an organization or severe job losses.
Brand and reputation
The organization’s brand will invariably suffer a major impact when a cyber-attack is successful, especially if it became clear that the organization concerned had not taken appropriate steps either to prevent the attack happening in the first place or because
it had failed to deal with it effectively once it had occurred. On occasions, it is because both of these have resulted in the organization losing intellectual property, or customer information.
Organizations that suffer this kind of impact may find that customers no longer trust them and decide not to do business with them in the future.
The impact on an organization’s revenue streams can be devastating. Cyber-attacks frequently result in an organization being unable to trade online since customers will be unable to place orders. This will not only cause an immediate loss of revenue but can often also result in downstream losses later on, as customers take their business elsewhere.
Following a successful cyber-attack that results in damage to the organization’s brand, the organization’s share price may well suffer a sharp decline. Under normal circumstances, a reduction in share value is a day-to-day occurrence and would not be a major cause for concern, but in these unusual circumstances, it might take an organization months or years to recover its share price.
Additionally, cyber-attacks can cause an organization to be unable to order goods from its suppliers, pay them for goods already received, or be unable to pay staff their wages or salaries.
Under certain circumstances, and particularly in highly regulated sectors, organizations can be fined for mismanagement of customer data, especially if their actions contravene data protection legislation.
They can also suffer further financial losses with interest being charged for late payments, especially to Her Majesty’s Revenue and Customs (HMRC) for late payment of corporation tax.
On top of any revenue losses, organizations will find that there are costs involved in putting matters right after a successful cyber-attack, which may include the introduction of remedial information security controls.
Also, as discussed earlier in this blog, there is the possibility that an organization will be subjected to a ransomware attack, and will have to pay the ransom to decrypt their data.
The alternative would be for the organization to face expending considerable effort in recovering all its affected systems. In some cases, the cost of such a recovery process could well exceed the ransom demanded.
If an organization’s operational systems, such as development systems, production control systems, stock control systems and the like are impacted by a cyber-attack, the impact would be potentially catastrophic, as the organization may be completely unable to operate for the duration of the problem.
Most, if not all of these, failures will inevitably link back to financial impacts, since the organization’s ability to provide its customers with products or services will result in loss of revenue, and quite possibly in damage to the organization’s brand and reputation.
An example of this is the case of the failure of a software upgrade at the Royal Bank of Scotland in June 2012, which resulted in 6.5 million customers being unable to access their online accounts, receive incoming payments and make transfers to either other accounts within RBS or other banks.
The bank was fined a total of £56 million by the various regulatory bodies. Whilst this is not a specific cybersecurity incident, it does illustrate what can happen when system upgrades are not tested prior to roll out.
The final impact that organizations might suffer following this kind of event is the loss of staff who have to be laid off due to the financial losses or operational failures, or who choose to leave the organization because they have lost faith in its ability to adequately plan for and respond to cybersecurity disruptions.