The BakerHostetler 2017 Data Security Incident Response Report is now out, providing detailed analysis of the 450-plus cyber incidents that the Cleveland-headquartered firm’s privacy and data protection team handled in 2016.
Phishing, hacking and malware incidents accounted for the plurality of incidents for the second year in a row, at 43% – a 12% jump from 2015. The only category in which phishing/hacking/malware was not the most common incident cause was finance and insurance, where employee action/mistake came out on top.
Notably, 64% of breaches were internally discovered and reported, compared to 52% in 2015. (See below for other key statistics; it’s worth a look – this isn’t the token ‘zero-fact report’ we see far too often.)
Ransomware attacks – where malware prevents or limits users from accessing their system until a ransom is paid – have increased by 500% from the last report, according to industry research. The BakerHostetler report details the typical ransomware scenario and the challenges that such incidents present.
Included in the report is a checklist of actions companies can take to minimize their risk against these attacks and to respond promptly and thoroughly should a cyber breach occur. Topping the list is increasing awareness of cybersecurity issues through training and education. In addition, the report lists six other core steps most businesses should take to prepare for an incident and mitigate risk.
Theodore Kobus, head of BakerHostetler’s privacy and data protection team, said: “Like other material risks companies face, cybersecurity readiness requires an enterprise wide approach tailored to the culture and industry of the company. There is no one-size-fits-all approach.”
He adds: “It’s no longer a question of which industries are most at risk. All industries are faced with the task of managing dynamic data security risks. Even companies in the retail, restaurant and hospitality industries, while highly regulated, had the fourth-highest rate of data security incidents.”
Key statistics from BakerHostetler’s 2017 Data Security Incident Response Report:
Incident causes: Phishing/hacking/malware 43%, employee action/mistake 32%, lost/stolen device or records 18%, other criminal acts 4%, internal theft 3%.
Industries affected: Healthcare 35%, finance and insurance 16%, education 14%, retail/restaurant/hospitality 13%, other 9%, business and professional services 8%, and government 5%.
Company size by revenue: Less than $100 million 39%, between $100 million and $500 million 33%, $500 million to $1 billion 17%, and greater than $1 billion 11%.
Most breaches discovered internally: 64% of breaches were internally discovered (and self-reported) compared with 36% that were externally discovered. In 2015, only 52% of incidents were self-reported.
Incident response timeline: On average 61 days from occurrence to discovery; eight days from discovery to containment; 40 days from engagement of forensics until investigation is complete; 41 days from discovery to notification.
Notifications and lawsuits filed: In 257 incidents where notification to individuals was given, only nine lawsuits were filed. This is partially explained by companies being prepared to better manage incidents.
No notification required: 44% of incidents covered by the report required no notification to individuals – similar to 2015 results.
Average size of notification: Incidents in the retail/restaurant/hospitality industry had the highest average notification at 297,000, followed by government at 134,000 and healthcare at 61,000. All other industries had less than 10,000 notifications per incident.
Forensic investigation costs: The average total cost of forensic investigations in 2016 was $62,290, with the highest costs in excess of $750,000.
Healthcare: The number of incidents rose last year, but the average size of the incidents decreased. Of the incidents analyzed by the BakerHostetler report, 35% were in healthcare, yet the average size of the incident notification was 61,000 – only the third highest of all industries surveyed.
Triggering state breach notification laws: Just over half of cyber incidents last year (55%) were subject to state breach notification statutes – down slightly from the year prior. Of the incidents where notification was required, the highest percentages were those involving Social Security numbers (43%) and healthcare information (37%). Only 12% of cases involved payment card data.
Active state attorneys general: AGs made inquiries after notifications were made in 29% of incidents, although overall regulatory investigations and inquiries were down to 11% in 2016, from 24% in 2015, and litigation was down to 3% last year compared with 6% the prior year.
Back to the basics
The first line of defense in protecting a company’s data and reputation during a cybersecurity incident is to outfit the organization with baseline procedures and processes to reduce the company’s risk profile. By focusing on key areas like employee awareness and education, companies can help prevent incidents while laying the groundwork for a successful response and reducing the likelihood events will be severe should they happen.
Employees are often cited as a company’s greatest asset. In the cybersecurity arena, they can also be a liability. The report’s numbers reinforce the ongoing need to focus on effective employee awareness and training. They also show that a defense-in-depth approach is necessary, because even well-trained employees can make mistakes or be tricked.
The full 2017 BakerHostetler Data Security Incident Response Report can be found here. The Privacy and Data Protection team will host a webinar on the findings on May 9 at noon ET. Kobus also will be participating in a morning panel titled, “Shakedown Street: Cyber Extortion, Data Breach and the Dirty Business of Bitcoin” on April 20 at the Global Privacy Summit in Washington, D.C.