In advance of Data Privacy & Protection Day, the Online Trust Alliance, an Internet Society initiative, just released the Cyber Incident & Breach Trends Report (press release here), a look back at the cyber incident trends in 2017 and what can be done to address them. This report marks the tenth year OTA has provided guidance in this area, and while the specifics have certainly changed over time, the core principles have not.
Originally we just looked at the number of reported breaches, but last year we broadened the definition to “cyber incidents,” which includes ransomware infections, business email compromise (BEC), distributed denial-of-service (DDoS) attacks and infiltrations caused by connected devices. This broader definition paints a more realistic picture of the threats and associated impact facing organizations today.
This year we found that the number of cyber incidents nearly doubled to 159,700 globally, and given that most incidents are not reported, this number could easily exceed 350,000. This is more than 30 times the number of breaches alone, so it provides a very different perspective on the threat landscape. As in previous years, we also assessed the “avoidability” of breaches by analyzing their cause and found that 93% were avoidable, consistent with our previous findings. While the rise in the number of incidents was primarily driven by a doubling in ransomware infections, there was growth in all facets, indicating that organizations must take a comprehensive view of their defenses.
So, what were the major trends seen in 2017 and what can be done about them? The report provides more context and detail, but here is a summary of the key findings:
- Rise in Ransom-Based Attacks. This attack vector far outweighs the others, at least in terms of numbers. Ransom-based attacks can come in the form of ransomware entering the organization through malvertising and malicious email, but also via the threat of a DDoS attack if ransom is not paid. There are a variety of best practices to help block such attacks, but one new suggestion is to be prepared in case a ransom payment is deemed necessary by setting up a cryptocurrency wallet ahead of time.
- Patching Pace is Critical. While the Equifax breach was probably the most public example of the impact of slow patching, lack of timely patching is the cause of many breaches and incidents. Recent news about vulnerabilities in some of the most foundational system elements – KRACK, BlueBorne, Spectre and Meltdown – makes timely patching more critical than ever. Organizations need to take a disciplined approach here, including provision for vulnerability reporting, and test and deploy patches as quickly as possible.
- Closely Monitor Cloud Conversion. The transition to third-party, cloud-based services continues for organizations of all sizes, and while it has advantages in convenience and efficiency, it also introduces new risks since your data is now in someone else’s hands. This risk can be offset via thorough auditing of cloud providers, contractual commitments related to security processes and extra diligence regarding configuration (publicly accessible AWS S3 containers, anyone?).
- User-Enabled Attacks. With all the technology, it’s easy to forget that users are the most important gatekeepers to your systems and data. Equipping them to make good decisions and instilling a culture of security (whether via training or technology tools), providing an extra ring of defense (through mechanisms such as multi-factor authentication and limiting access levels appropriate to the role) and monitoring systems for anomalous behavior can go a long way toward securing your systems.
- Increase in IoT Devices. There’s a lot of buzz in this area, and use of IoT devices is expected to triple in the next several years, but the “shadow” element of this trend – presence of consumer-grade connected devices such as smart TVs or even employees’ wearables – doesn’t get much attention. These devices need to be viewed as a threat vector, and as such, steps need to be taken to reduce their risk. This includes items such as research into the security capabilities of the IoT devices, policies regarding their use in the enterprise, and setting up compartmentalized networks to limit their access.
- Regulatory Shifts. Led by the EU’s General Data Protection Regulation (GDPR), which goes into effect this May, there have been many recent and significant shifts in data privacy/protection and data breach regulation throughout the world. Even if you are not based in those countries, you are likely subject to these regulations if you have customers there, so a thorough understanding of these new regulations and their impact on your data collection and storage practices as well as on your breach readiness and notification plans is critical.
Though there are a number of key trends that bubbled to the surface in 2017, there are also a number of foundational principles organizations should follow to be good stewards of their data and minimize the impact of attacks or incidents. Broadly defined, these principles fall into two categories:
- Implement strong data stewardship (including security, privacy and risk reduction) through all phases of the data lifecycle, recognizing the global regulatory landscape and its impact on breach readiness (e.g., GDPR enforcement beginning in May 2018).
- Prepare strong, well-practiced incident response measures (including a well-designed plan, appropriate team, predetermined action steps, regular training and testing).
As OTA has advocated for many years, this is not a “once and done” proposition. By establishing a culture of stewardship (vs. just compliance) and implementing policies that take a proactive approach to proper handling and safeguarding of data, organizations can minimize exposure to the cyber incident tsunami and actually thrive by building and maintaining trust with their customers.