In its sixth annual Data Security Incident Response (DSIR) Report, BakerHostetler found that phishing attacks ranked as the leading cause of data incidents among the 959 cybersecurity incidents the law firm helped clients manage last year. This is the fifth year in a row phishing proved to be the top cause of data security incidents in the law firm’s report.
According to the firm, the DSIR report is designed to help demystify incident response and to serve as a resource that helps organizations apply the risk-prioritized decision-making necessary to take practical steps toward improving their cybersecurity posture and operational resiliency.
“This year’s DSIR Report provides an enlightening analysis of the cyber landscape before COVID-19 came into the picture. Threats continue to evolve, and the compromise intelligence our report offers can help organizations with their preparation efforts,” said Theodore J. Kobus III, chair of BakerHostetler’s digital assets and data management practice group. "Cybercriminals are already taking advantage of the situation created by COVID-19, and employees will inadvertently expose sensitive data or facilitate a ransomware attack. Organizations are rapidly evolving their working from home (WFH) guidelines due to the stay-at-home orders around the globe," he said.
According to BakerHostetler, the incidents in the report span all sized organizations and industries. The report also found that ransomware surged last year (confirming the findings of many other analyses of last year), and the firm expects no foreseeable slowdown in such attacks. "All industry segments were impacted. Manufacturing and professional services were particularly hard hit, followed closely by healthcare, education, and government entities,” the report said.
“Every organization is – in some form – a technology organization dealing with data. The issues highlighted in this year’s report are central to all organizations’ operations, which have become increasingly more regulated,” Kobus added.
Findings in this year’s report include:
- For the fifth year in a row, phishing remained the leading cause of incidents at 38%.
- Ransomware attacks are up, and there is no foreseeable slowdown. All industry segments are impacted, with top targets in manufacturing, professional services, healthcare, education, and government.
- The average cost of forensics investigations is decreasing because of increased reliance on technology.
- More organizations are self-discovering incidents.
- Healthcare breaches continue to attract regulatory scrutiny.
- Properly implemented multi-factor authentication (MFA) significantly reduces risk, yet many organizations are still not utilizing it.
- Privacy and security are board-level issues, and boards like metrics, so providers and organizations are increasingly using them to engage with executives and boards on risk-based approaches to these issues.
- The ransomware epidemic has brought business continuity and resilience to the forefront.
- Ransomware forces new targets like manufacturing, schools, municipalities, professional services, and other industries that were not targeted in the past (because they did not have data worth stealing) to prioritize and fund enhancements to their cybersecurity measures.
- Each year, new risks emerge, and there are new tactics, techniques, and procedures (TTPs). It is important to watch what is happening to others and adapt.
According to the report, the amount of ransom demanded and paid increased year over year as well. “Toward the end of the year, the epidemic worsened as a new threat actor group (Maze) upped the ante. They started stealing data before deploying ransomware and leaving a ransom note that pointed the victim to a website where Maze published a sample of the stolen data and threatened to release more unless the ransom was paid,” the report said.
According to the report, the largest ransomware demand in 2019 was $18.8 million, but the highest amount paid was $5.6 million, with the average ransom payment coming in at $302,539. In 96% of cases, an encryption key was received after payment. The good news is that 73% of the time, the attacked organization managed to restore data or systems from a backup or otherwise managed without paying the criminals, and only 6% of the time did the incident require disclosure to individuals.
According to the firm, regardless of whether the victim organization manages to restore from backup or pays the ransom, it can take weeks for the organization to get back to normal operations.
We’ve written about business email compromise (BEC) numerous times, and according to BakerHostetler’s report, notwithstanding all of the increased focus and investments designed to secure against BEC attacks, these attacks continue. “Human error remains the leading reason the criminals behind the attacks continue to succeed – employees continue to be tricked by phishing emails into entering their email account credentials or by spoofed emails into changing wiring instructions,” the report found.
While ransomware incidents triggered data breach notifications only 6% of the time, BEC incidents required such notices 70% of the time.
According to BakerHostetler, the average time from a data breach to detection was 12 days, from detection to containment was three days, and from detection to notification was 38 days. Getting those notifications out in that timeframe is no small challenge. “Organizations feel the pressure to notify individuals and regulators as quickly as possible. They want to be transparent. They also have beliefs about “misses” by other organizations that faced prior incidents. And some are hearing metrics from security teams that measure dwell time, triage, investigation, and remediation in seconds and minutes using security automation tools. Add in other organizational pressures, and you have scenarios where the group responsible for making decisions can feel paralyzed by competing considerations and uncertainty,” the report said.
“Until you have worked through the investigation of an incident, it is hard to appreciate the practical challenges organizations face in quickly and accurately determining what occurred so notification obligation decisions can be made and appropriate communications prepared,” the report continued.
That's all undoubtedly true, but as the data breaches continue to add up year after year, it's also something organizations seem to be getting all too much practice at.