Cyberthreats demand your attention and a customized approach

The recently released BakerHostetler 2017 Data Security Incident Response Report highlights the critical need for senior executives in all industries to understand and be ready to tackle the legal and business risks associated with cyberthreats and to have enterprisewide tactics in place to address intrusions before they happen.

At the same time, Dell just released the results of its Dell End-User Security Survey, which finds that not only are many employees likely to share confidential information, but that they are doing so without proper data security protocols in place or in mind.

The BakerHostetler report

The BakerHostetler report provides a broad range of lessons to help executives identify risks, appraise response metrics and apply company-specific risk mitigation strategies based on an analysis of more than 450 cyber incidents that BakerHostetler’s Privacy and Data Protection team handled last year. The firm’s experience shows that companies should be focused on the basics, such as education and awareness programs, data inventory efforts, risk assessments, and threat information sharing.

Theodore Kobus, leader of the Privacy and Data Protection team, said, “Like other material risks companies face, cybersecurity readiness requires an enterprisewide approach tailored to the culture and industry of the company. There is no one-size-fits-all approach.”

Why incidents occur

Phishing/hacking/malware incidents accounted for the plurality of incidents for the second year in a row, at 43 percent—a 12 percentage point jump from a year earlier. The only category for which phishing/hacking/malware was not the most common incident cause was finance and insurance, where employee action/mistake was the top reason.

Ransomware attacks—where malware prevents or limits users from accessing their system until a ransom is paid—have increased by 500 percent from a year earlier, according to industry research. The BakerHostetler report details the typical ransomware scenario and the challenges that such incidents present. “Having a regularly scheduled system backup and a bitcoin wallet to pay a ransom will help with operational resiliency. Ransomware is not likely to go away, and incidents will probably increase over the short term, so companies should be prepared,” added Kobus.

Included in the report is a checklist of actions companies can take to minimize their risk against these attacks and to respond promptly and thoroughly should a cyber breach occur. Topping the list is increasing awareness of cybersecurity issues through training and education. In addition, the report lists six other core steps most businesses should take to prepare for an incident and mitigate risk.

Kobus continued, “It’s no longer a question of which industries are most at risk. All industries are faced with the task of managing dynamic data security risks. Even companies in the retail, restaurant and hospitality industries, while highly regulated, had the fourth-highest rate of data security incidents.”

A look at the numbers

Key statistics from BakerHostetler’s 2017 Data Security Incident Response Report include:

Incident causes: Phishing/hacking/malware 43%, employee action/mistake 32%, lost/stolen device or records 18%, other criminal acts 4%, internal theft 3%.

Industries affected: Healthcare 35%, finance and insurance 16%, education 14%, retail/restaurant/hospitality 13%, other 9%, business and professional services 8%, and government 5%.

Company size by revenue: Less than $100 million 39%, between $100 million and $500 million 33%, $500 million to $1 billion 17%, and greater than $1 billion 11%.

Most breaches discovered internally: 64% of breaches were internally discovered (and self-reported) compared with 36% that were externally discovered. In 2015, only 52% of incidents were self-reported.

Incident response timeline: On average 61 days from occurrence to discovery; eight days from discovery to containment; 40 days from engagement of forensics until investigation is complete; 41 days from discovery to notification.

Notifications and lawsuits filed: In 257 incidents where notification to individuals was given, only nine lawsuits were filed. This is partially explained by companies being prepared to better manage incidents.

No notification required: 44% of incidents covered by the report required no notification to individuals—similar to 2015 results.

Average size of notification: Incidents in the retail/restaurant/hospitality industry had the highest average notification at 297,000, followed by government at 134,000 and healthcare at 61,000. All other industries had less than 10,000 notifications per incident.

Forensic investigation costs: The average total cost of forensic investigations in 2016 was $62,290, with the highest costs in excess of $750,000.

Healthcare: The number of incidents rose last year, but the average size of the incidents decreased. Of the incidents analyzed by the BakerHostetler report, 35% were in healthcare, yet the average size of the incident notification was 61,000—only the third highest of all industries surveyed.

Triggering state breach notification laws: Just over half of cyber incidents last year (55%) were subject to state breach notification statutes—down slightly from the year prior. Of the incidents where notification was required, the highest percentages were those involving Social Security numbers (43%) and healthcare information (37%). Only 12% of cases involved payment card data.

Active state attorneys general: AGs made inquiries after notifications were made in 29% of incidents, although overall regulatory investigations and inquiries were down to 11% in 2016, from 24% in 2015, and litigation was down to 3% last year compared with 6% the prior year.

Back to the basics

The first line of defense in protecting a practice’s data and reputation during a cybersecurity incident is to outfit your organization with baseline procedures and processes to reduce the practice’s risk profile. By focusing on key areas like employee awareness and education, practices can help prevent incidents while laying the groundwork for a successful response and reducing the likelihood events will be severe should they happen.

“Employees are often cited as a company’s greatest asset. In the cybersecurity arena, they can also be a liability. The report’s numbers reinforce the ongoing need to focus on effective employee awareness and training. They also show that a defense-in-depth approach is necessary, because even well-trained employees can make mistakes or be tricked,” said Kobus.

Employees and security breaches

According to the Dell End-User Security Survey, today’s workforce is caught between two imperatives: be productive and efficient on the job and maintain the security of company data. Like the BakerHostetler report, this survey also suggests that to address data security issues, companies must focus on educating employees and enforcing policies and procedures that secure data wherever they go—but without hindering productivity.

Employees likely to share confidential information

Dell’s survey found that among those who work with confidential information on a regular basis, there is a lack of understanding in the workplace on data security policies and how confidential data should be shared. This lack of clarity and confusion is not without merit; there are many circumstances under which it makes sense to share confidential information in order to push business initiatives forward.

Three in four employees say they would share sensitive, confidential, or regulated company information under certain circumstances for a wide range of reasons including:

  • Being directed to do so by management (43 percent)
  • Sharing with a person authorized to receive it (37 percent)
  • Determining that the risk to their employer is very low and the potential benefit of sharing information is high (23 percent)
  • Feeling it will help them do their job more effectively (22 percent)
  • Feeling it will help the recipient do their job more effectively (13 percent)

Four in five employees in financial services (81 percent) would share confidential information, and employees in education (75 percent), healthcare (68 percent) and federal government (68 percent) are also open to disclosing confidential or regulated data at alarmingly high rates.

Further, Dell’s survey finds that when employees handle confidential data, they often do so insecurely by accessing, sharing and storing the data in unsafe ways.

Twenty-four percent of respondents indicated they do so to get their job done and 18 percent say they did not know they were doing something unsafe. Only 3 percent of respondents said they had malicious intentions when conducting unsafe behaviors.

“When security becomes a case-by-case judgement call being made by the individual employee, there is no consistency or efficacy,” said Brett Hansen, vice president of Endpoint Data Security and Management at Dell. “These findings suggest employees need to be better educated about data security best practices, and companies must put procedures in place that focus first and foremost on securing data while maintaining productivity.”

Unsafe behaviors common in the workplace

Forty-five percent of employees admit to engaging in unsafe behaviors throughout the work day. These behaviors include:

  • connecting to public Wi-Fi to access confidential information (46 percent),
  • using personal email accounts for work (49 percent), or
  • losing a company-issued device (17 percent).

One in three employees (35 percent) says it is common to take corporate information with them when leaving an employer.

Employees also take on unnecessary risk when storing and sharing their work: 56 percent use public cloud services such as Dropbox, Google Drive, iCloud and others to share or back up their work, and 45 percent use email to share confidential files with third-party vendors or consultants.

Employees want to protect data but don’t know how

Dell’s survey findings also indicate that employees struggle with cybersecurity in the workplace. They do not want to see their employer suffer a data breach, but they feel security programs can limit their day-to-day activities and productivity.

  • Nearly two in three employees (65 percent) feel it is their responsibility to protect confidential information, including educating themselves on possible risks and behaving in a way that protects their employer.
  • Thirty-six percent of employees feel very confident in their knowledge of how to protect sensitive information.
  • Twenty-one percent feel it is difficult to keep up with changing security guidelines and policies, and 22 percent say they are worried that someday they will do something by mistake and cause damage to their employer.
  • Nearly two in three (63 percent) employees are required to complete cybersecurity training on protecting sensitive data. However, of those who received cybersecurity training, 18 percent still conducted unsafe behavior without realizing what they were doing was wrong, whereas 24 percent conducted unsafe behavior anyway in order to complete a task.


Hansen notes that while every employer has different security needs, these surveys show how important it is that all employers understand the daily tasks and scenarios in which employees may share data in an unsafe way. Your data security solution needs to achieve the balance between protecting your data and enabling your employees to stay productive.

The full 2017 BakerHostetler Data Security Incident Response Report can be found here. The Privacy and Data Protection team will host a webinar on the findings on May 9 at noon ET.
