Many of these articles have been making their way around. A few comments about "hackers" and some of their motivations, along with some comments on what seems to be a recurring theme in many breaches:
1. "Human error" is mentioned in nearly all of them, which typically means social engineering/phishing, poor password policies, etc.
2. As a "malicious actor" with an on/off switch, trust me when I tell you this, Mr./Ms. CEO of Company XYZ... If we hack your company and get money out of it, WE WIN... If I hack you and tell the world it was me (using my handle), WE WIN... If you refuse to pay our ransom and you lose your data, WE WIN...
Many of the breaches and attacks people see aren't just nation states or criminal enterprises; many times it's small groups, or even nefarious individuals. One thing is for certain... hackers, if nothing else, are in it for the "lols"... If we can pwn you, that's enough for us.
Something else you may want to think about is Data = Money: not only are we holding you for ransom so you can GET your data back, we've most likely exfiltrated that data and are selling it anyway. I know first hand how much damage you can cause to an organization with a simple customer email list... Imagine what we can do when we've had access to your servers/database etc. for a month solid?
Think of security as a three-legged stool: logical, physical, and social engineering. You can only balance on one or two legs for so long; at some point you'll come crashing down if you don't pay attention to all three. How many of these companies do you think practiced all three? How many of YOUR companies practice all three? (And no, phishing training and having a "facilities manager" does not even come close.)
Don't bother answering... I already know... it's how we walk into companies like yours every single time. I once stood on a table in a lunch room and shouted, "I am a hacker... I have access to your entire company... someone, for the love of God, report me."
No one did... and you think you're secure, huh? These articles are just one more reminder of how important your security staff, PROPER training, and 3rd party testing in ALL aspects really are...