I finally had a chance to go through the BakerHostetler 2017 Data Security Incident Response Report. The report provides a broad range of lessons to help executives identify risks, appraise response metrics and apply company-specific risk mitigation strategies based on an analysis of more than 450 cyber incidents that BakerHostetler's Privacy and Data Protection team handled last year. The firm's experience shows that companies should be focused on the basics, such as education and awareness programs, data inventory efforts, risk assessments, and threat information sharing.
Phishing/hacking/malware was the leading cause of incidents for the second year in a row, at 43 percent, a 12 percentage point jump from 2015. The only category for which phishing/hacking/malware was not the most common cause was finance and insurance, where employee action/mistake was the top reason.
With respect to ransomware attacks, the BakerHostetler report details the typical ransomware scenario and the challenges that such incidents present. "Having a regularly scheduled system backup and a bitcoin wallet to pay a ransom will help with operational resiliency. Ransomware is not likely to go away, and incidents will probably increase over the short term, so companies should be prepared," said Theodore Kobus, leader of the Privacy and Data Protection team.
I note wryly that less than half of cybercriminals will offer up the decryption key even if they are paid the ransom. But I understand that it is one more avenue (if an ugly and unreliable one) of preparedness.
Included in the report is a checklist of actions companies can take to minimize their risk against these attacks and to respond promptly and thoroughly should a cyber breach occur. Topping the list is increasing awareness of cybersecurity issues through training and education - and we have seen a tsunami of requests for such training.
Key statistics from the report:
Incident causes: Phishing/hacking/malware 43%, employee action/mistake 32%, lost/stolen device or records 18%, other criminal acts 4%, internal theft 3%.
Industries affected: Healthcare 35%, finance and insurance 16%, education 14%, retail/restaurant/hospitality 13%, other 9%, business and professional services 8%, and government 5%.
Company size by revenue: Less than $100 million 39%, between $100 million and $500 million 33%, $500 million to $1 billion 17%, and greater than $1 billion 11%.
Most breaches discovered internally: 64% of breaches were internally discovered (and self-reported) compared with 36% that were externally discovered. In 2015, only 52% of incidents were self-reported.
Incident response timeline: On average 61 days from occurrence to discovery; eight days from discovery to containment; 40 days from engagement of forensics until investigation is complete; 41 days from discovery to notification.
Notifications and lawsuits filed: In the 257 incidents where notification to individuals was given, only nine lawsuits were filed. This is partly explained by companies being better prepared to manage incidents.
No notification required: 44% of incidents covered by the report required no notification to individuals – similar to 2015 results.
Average size of notification: Incidents in the retail/restaurant/hospitality industry had the highest average number of individuals notified per incident, at 297,000, followed by government at 134,000 and healthcare at 61,000. All other industries averaged fewer than 10,000 notifications per incident.
Forensic investigation costs: The average total cost of forensic investigations in 2016 was $62,290, with the highest costs in excess of $750,000.
Healthcare: The number of incidents rose last year, but the average size of the incidents decreased. Of the incidents analyzed by the BakerHostetler report, 35% were in healthcare, yet the average size of the incident notification was 61,000 – only the third highest of all industries surveyed.
Triggering state breach notification laws: Just over half of cyber incidents last year (55%) were subject to state breach notification statutes – down slightly from the year prior. Of the incidents where notification was required, the highest percentages were those involving Social Security numbers (43%) and healthcare information (37%). Only 12% of cases involved payment card data.
Useful reading to be sure – I hope the firm continues to issue these reports. And I sense a good podcast topic here for Legal Talk Network's Digital Detectives. :-)