Recently the law firm BakerHostetler released its 2018 Data Security Incident Response Report, taking note of the 560 security incidents experienced by its clients in 2017. The report called for "compromise readiness" - or "cyber resilience" - to mitigate the severity of possible cyber attacks. The net net is that businesses are still not executing the basics in their security protocols. The following is a quick summary of the report, with links to a deeper dive and to the report itself:
According to the report, phishing remained the leading cause of incidents at 34 percent, followed by network intrusions at 19 percent, inadvertent disclosure (such as an employee mistake) at 17 percent and stolen or lost devices/records at 11 percent. A new category this year is system misconfiguration, which reflects instances where unauthorized individuals gain access to data stored in the cloud because permissions were set to "public" instead of "private," and was responsible for six percent of incidents.
Increased Regulatory Scrutiny
Entities also need to be aware that regulators have become aggressive in investigating breaches, with upticks not only in the number of inquiries by regulators (64 by state attorneys general and 43 non-AG investigations in 2017, compared to 37 state AGs and 29 non-AG investigations in 2016), but also in the speed with which they are being made. And when the General Data Protection Regulation (GDPR) and its quick notification and onerous financial consequences for non-compliance become effective on May 25, 2018 for entities established in the EU, the regulatory landscape will be even more challenging.
One of the most important features of the Report is the incident response timeline, which identifies the four key time frames of the incident response lifecycle - detection, containment, analysis, and notification. This timeline gives entities context for understanding the timing of when they will have reliable information to facilitate communication about the incident.
Overall incident response times for 2017 were 66 days from occurrence to discovery (an increase of five days from 2016), three days from discovery to containment (an improvement of five days from 2016), 36 days from engagement of forensics team to investigation complete (four days faster than the previous year), and 38 days from discovery to notification (three days better than 2016).
Forensics Drives Key Decisions
In the data breach incidents analyzed in the Report, 41.5 percent employed the use of outside forensic investigators. The average cost of a forensic investigation was $84,417 in 2017 compared with an average cost of $62,290 in 2016. "The ability to quickly and efficiently conduct a forensic investigation is critical to helping answer essential questions about the incident, including: What happened? How did it happen? How do we contain it? Who do we need to inform? How can we protect affected individuals?" noted Kobus.
Other interesting trends/numbers from this year's analysis include:
Ransomware was involved in 18 percent of the phishing incidents and 38 percent of the network intrusion incidents.
Size doesn't matter regarding the likelihood of being breached. In the incidents covered by the Report there was a fairly even number of incidents by entities with revenues between $10 million and $100 million, $100 million and $500 million, $500 million and $1 billion, and $1 billion and $5 billion - with mere percentage points separating those categories.
Detection. 65 percent of breaches that the firm worked on were detected internally.
What data is at risk? Incidents included in the 2017 survey involved the following types of data: Social Security numbers (46 percent), healthcare information (39 percent), all other confidential information, such as student ID numbers, usernames and passwords (26 percent), birth dates (24 percent), financial data (15 percent), payment card industry data (12 percent), and driver's license information (10 percent).
Notifications v. Lawsuits. Out of the 560 total incidents in the Report, 350 required notifications to individuals affected, and 10 resulted in lawsuits filed.
Average size of notification and industry most affected. While the average number of individuals notified per incident was 87,952, the hospitality industry again had the highest average number of notifications per incident at 627,723.
Data breach litigation is surviving motions to dismiss and proceeding to discovery, where plaintiffs seek breach investigation records and challenge defendants' assertions that the investigations are protected by various legal privileges.
It's another reinforcement that your work securing your enterprise is on the frontlines of the cyber war. If you need help with those efforts please let your Board know. We are currently executing the planning of our programming and working to develop a Do It Now campaign to help you with the cyber hygiene aspects of your vulnerabilities.
You can read an even deeper dive summary on the report here, or read the report itself (after providing your information) here.