This is a short list of common reasons why companies get hacked and why data breaches occur. Learn from the past to improve the future.
The human factor is still the most important reason for breaches. CEO Fraude, phishing (and variants), insider threat, but also human error during the deployment or development of a product. The latter is where DevSecOps can help. The more hands touch a product on its way to production, the higher the risk of some error being introduced.
The human error is a difficult factor to avoid. Having a proper authentication mechanism in place does not prevent people from having post-its with their passwords sticked to their monitors. A good way to reduce the likelihood of human error is increasing cyber security awareness, embracing proper development principles and CI/CD practices and automating as much as possible.
Source code scanning
Application source code isn't checked before it is deployed on a regular basis or at all. Source code may (read: will) contain bugs and security issues. The same goes for your application's third-party dependencies. Perform regular source code reviews and integrate (security) checks in your CI/CD pipelines.
Exposing source code repositories
Source code repositories that are exposed to the public provide insight into the inner workings of your software. If that ends up in the wrong hands, it can be analyzed for ways to get through to the system. Even worse when the source code can be modified for example to create a backdoor without your knowledge.
Using default passwords
Failure to change default passwords on devices apps and systems. A lot of hardware, IoT, software will be installed with default passwords to help set them up. Hacking 101: Find out which type of firewall or router is being used. Go online, check the manual for what the default password is. More often than not people have added other accounts, but forgot to remove the default one. An easy Shodan.io search will reveal many Internet-facing devices with their default passwords still used.
Also weak passwords should be mentioned here. One recent example is the SolarWinds hack where the password of a critical server was 'solarwinds123'.
Poor patching practices
The time between a security patch being released and applying that patch is a window of opportunity for hackers. My article about the WannaCry ransomware has a section about this. When zero-days come out, treat them as a very serious situation. Hackers configure them into their scanning tools. Especially when a zero-day is released with a proof-of-concept on how to exploit it. The longer you wait with patching, the more exposed you're going to be. Another example of this is the Equifax data breach. This breach could occur because Equifax did not apply the Apache Struts patch onto their servers.
Failing to detect intrusion or attempted intrusion
The average time it takes to detect and contain a breach is 280 days (Source: IBM. That means a hacker will be in your system, moving around for quite a long time before you detect them.
In 2018, Marriot announced hackers were able to steal data undetected for about 4 years. They had access to credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates. 383 million guests were affected. If you get detect a breach, chances are that the actual hack happened months ago.
In the aforementioned Solarwinds hack, Russian hackers were able to breach SolarWinds’s own email system and lurk there for 9 months.
Unless you have a very tight IDS / IPS system and are on top of alerts so you can detect behaviour changes when they occur, you're not able to detect the attack when it's happening and they will be long gone after you realised you were hacked.
The sentiment behind the following KiwiCon poster from 2009 is still very relevant nowadays: