The cyber threat landscape has changed dramatically over the past twelve months, with the definition of incidents expanding significantly beyond reported data breaches. Organizations large and small have been the target of attacks that stole, published or manipulated sensitive, personal information. Confidential medical data and personal records of world-class athletes became public when the Olympic Anti-Doping Agency database was breached and the records published.1 The scope of the Yahoo breach including some 1 billion records has redefined the landscape as well as opened up the debate on ethical breach reporting.2 In the tumultuous months of the U.S. presidential election, the Democratic National Committee faced multiple attacks not focused on consumer data but on the political strategy of the organization.3 These headlines remind us that no organization or government entity is immune when targeted by skilled adversaries. Organizations must pivot from an outlook solely focused on prevention to one of readiness, working to limit the impact of any cyber incident.
Each year the stakes get higher. Larger and more costly cyber incidents coincide with annually increasing regulatory and liability pressures. On a global basis the number of breaches are estimated to be on par with prior years, but most concerning is the number of consumer records exposed is estimated to exceed 4.2 billion.4
The real story is not with these breach numbers but the total number of incidents including loss of corporate data, ransomware, incidents not involving covered information, and unreported breaches. Phishing emails have become a common occurrence. According to the FBI, losses from Business Email Compromises increased 1300% in 2016 with losses exceeding $3.1 billion.5 At the same time ransomware device infections averaged 35,000 per month with the average ransom paid doubling to nearly $700.6 The FBI estimates ransomware payments in 2016 are expected to hit a billion dollars, up from just $24 million in 2015.7 Security firm Malwarebytes’ survey of 500 companies found one- third have been impacted by a ransomware attack.8 Not only have DDoS attacks increased 58%, but most concerning is the peak attack size and intensity increasing 82%.9
Combined, OTA’s analysis and tracking of threat intelligence data from multiple sources has revealed the true number of incidents is over twenty times that of consumer data breaches publically reported. Based on preliminary year-end data, on an annualized global basis this equates to over 82,000 incidents impacting more than 225 organizations daily.10 As the majority of incidents are never reported to executives, law enforcement or regulators, the actual number of incidents causing harm combining all vectors including DDoS attacks could exceed 250,000.
As society and world economies are increasingly reliant on the internet and data, we are facing a critical juncture. As reported by the Internet Society, online trust is at an all-time low with 59% of users reporting they would likely not do business with a company that had suffered a data breach.11 While we have reaped the benefits of the exponential growth of the internet, the number, scale and scope of cyber incidents is reshaping the future as we know it. Compounded in part by abusive privacy practices, government surveillance, deceptive news and advertising, consumer trust has been significantly tarnished.
These metrics illustrate the need for all stakeholders, including industry, policy makers and governments, to take decisive action. The recurring incidents have an additive, long-term effect on society not unlike global warming and carbon emissions. We are facing the tragedy of the trust commons which, left unaddressed, can and will have significant impact to society and world economies.
Cyber Security Tenets
- There is no perfect security and any organization is at risk; most organizations hold data of interest.
- Organizations must make security a priority; those that fail to adopt sound practices will be held accountable.
- Organizations need to look beyond the impact and cost of a “traditional data breach” to the life safety and physical impact of an incident, damage to an organization’s reputation and risks to users.
- Business incentives are needed to accelerate “security by design” along with the need for annual security assessments of sites, applications services and devices.
- Signaling of commitment to security and privacy can become product and brand differentiators.
- Employee training and awareness must be addressed to help close the security technology gaps.
Threats Beyond Data Loss
The reality is that measuring an incident by the number of records lost or exposed is only one indicator. Increasingly, the motivations may be to create disruption and damage the reputation and trust of the organizations. The recent DDoS attacks are case in-point, making several high visibility sites inaccessible for several hours. The impact could be significant lost revenues if the attack were timed for maximum disruption. Phishing is getting harder to distinguish from legitimate emails and sites reflecting criminal’s increased skills and ability to a mimic organization. Other more focused financial and disruptive attacks have been spearphishing and malvertising, focused on credentials as a dominant threat vector.12 More disruptive is the rise of extortion or “ransomware” targeting high net worth companies timed for maximum disruption and payouts targeting professional services and manufacturing sectors.13 As loT devices are becoming commonplace in the home and office, we have witnessed a security “blind spot” where unauthenticated email security notifications are being spoofed driving unauthorized password resets and devices being botted as a result of users downloading malicious updates.14 15 (See Best Practice #7, page 15)
Regardless of type, cyber incidents lead to business interruption, unanticipated costs and threats to security and privacy. Raising the complexity and business risk is the increasingly intricate technology landscape. Due to the explosive proliferation of mobile and “Internet of Things” connected devices, the risk of an incident has been amplified. Further, the regulatory landscape is also changing. The Federal Communication Commission (FCC) recently enacted privacy rules which also include breach notification requirements for broadband providers and carriers.16 This rule making may have implications to others including edge-providers and commerce sites.
A potential greater impact is the EU General Data Protection Regulation (GDPR) which includes comprehensive data protection regulations. While a company may not have a physical nexus in the EU, the directive could be enforced if a single EU citizen is directly impacted, with fines of up to 4 percent of a company’s global revenue.17 (See Regulatory Landscape on page 34)
Benefits of Readiness
The financial benefits of effective incident readiness are significant. As discussed in the Guide, effective planning requires anticipating decision-points. Evaluating scenarios in advance and running tabletop exercises help organizations optimize decision-making aligned to their (and their investors’) strategic goals and objectives. Not only is there the benefit of lowering the risk of an incident, establishing a robust incident response plan can dramatically reduce the impact of an incident. Having demonstrable processes including internal and partner risk assessments and business continuity plans can potentially lower cyber insurance premiums.
According to the Ponemon Institute, the global average cost of a breach has risen almost 14% in the past two years to $4 million in 2016. In the U.S. data losses have increased to $7 million.18 While such data is helpful, it does not account for other externalities. In cases of business interruption such as ransomware freezing data assets and demanding payment, the lost revenue from business down-time compounds the costs. Typical business ransom payouts are often are in the tens of thousands of dollars, yet the real cost is the business down-time and long-term risk of compromised data integrity.19 Even as direct costs are rising, another externality – the costs to users – remains largely undefined from the business perspective, but clearly impacts brand reputation.
Penalties levied for incidents can be significant. For example, the FCC’s enforcement action against AT&T resulted in a $25 million fine.20 Failure to perform risk analysis, failure to implement broadly accepted security practices such as encryption, ignoring third party vulnerabilities reports and failure to ensure third parties comply with security and privacy requirements are some of the top factors cited in lawsuits, and regulatory and enforcement actions.21
Together, these incidents underscore how risk assessment and preparation pay off. In addition to aiding in protection against an incident and reducing exposure to regulatory action, commitment to best practices allows faster discovery of attacks and shorter times to containment. An impact study on business continuity management programs found that having an incident response team, extensive use of encryption and employee training were the top three drivers of cost savings in breach incidents, together accounting for 24% savings.22
Further mitigating risk, securing cyber insurance coverage can help buffer financial exposure and is on the rise. While cyber insurance is an evolving arena and exact comparisons are complex, companies armed with risk assessments (including third party providers), appropriate data stewardship practices, strong security and trained incident response teams are best poised to be able to secure cyber insurance at the most efficient rates possible.
Prevention, Preparation & Vigilance
No matter how good a company’s security is, cyber incidents are unavoidable. There is no perfect security, yet there is also no excuse for failing to embrace fundamental security principles. With the growing networks of connected devices, every organization – from startups to global enterprises – must be prepared for the inevitable attack and loss of (or loss of access to) critical data. It is imperative that all organizations recognize the risks, optimize readiness and make data security and privacy part of every employee’s responsibility from the boardroom to the mailroom.
OTA’s analysis of reported breaches through Q3 2016, revealed 91% were avoidable, consistent with previous year’s research. Of the reported breaches, 13% were due to lack of internal controls resulting in employees’ accidental or malicious events and 53% the result of actual hacks. Consistently for the past several years, more than 90% of incidents originate from a deceptive or malicious email. Similarly, analysis of data regarding enterprise ransomware incidents, which increased 35% in 2016, points to a lack of employee training and protection from spearphishing emails.23 Business Email Compromise (BEC) attacks also are generally preventable since they rely on spearphishing and social engineered tactics. Unfortunately the complexity of business operations, lack of blocking unauthenticated email and the sophistication of social engineered exploits overwhelm all too many organizations.
Key avoidable incident causes:
- Not patching known / public vulnerabilities
- Failure to block unauthenticated email
- Misconfigured devices / servers
- Unencrypted data and/or disclosed keys
- Use of end of life devices, operating systems and applications
- Employee errors and accidental disclosures – lost data, files, drives, devices, computers, improper disposal
- Business Email Compromise & social exploits
While organizations may be aware of the threat, they are not necessarily equipped to respond effectively. Businesses must acknowledge the chaos and disruption that can occur with any incident. Viewing breaches and incidents as a “technical issue” belonging to the IT department is a recipe for failure. Instead, organizations need to recognize that many departments play a part in readiness planning. Readiness starts with responsible data privacy and collection practices, and includes ongoing employee training and security assessment of vendors and connected devices.
Those that prepare in advance will not only be postured to survive an incident, but also are more likely to retain a positive reputation with their customers.
A key learning from past high-profile incidents is that organizations all too often ignore warnings from third parties and researchers. Organizations must have a process to analyze vulnerabilities reported to them. Failure to have a process can lead to reputation damage and potential lawsuits as seen with Snapchat in early 2014. Having a mechanism to review and respond to vulnerability reports is an essential part of an organization’s security strategy.24
Incident Readiness Checklist
See Appendix I for expanded recommendations (pg 51)
- Complete risk assessments for executive review, operational process and third party vendors (pg 11)
- Review security best practices and validate adoption or reasoning for not adopting (pg 14)
- Audit data management and stewardship programs including data life-cycle management (pg 17)
- Complete an audit of insurance needs including exclusions and pre-approval of third party coverage (pg 22)
- Establish an end-to-end incident response plan including empowering 24/7 first-responders (pg 24)
- Establish/confirm relationships with law enforcement and incident service providers (pg 25)
- Review and establish forensic capabilities, procedures and resources (internal and third-party providers) (pg 26)
- Review notification processes and plans (pg 29)
- Develop communication strategies and tactics tailored by audience (pg BO)
- Review remediation programs, alternatives and service providers (pg 31)
- Implement employee training for incident response (pg 32)
- Establish employee data security awareness. Provide education on privacy, incident avoidance (password practices, how to recognize social engineering, etc.) and incident response (pg 32)
- Understand the regulatory requirements, including relevant international requirements (pg 34)
What Have We Learned?
The increasing number, precision and impact of incidents are wake-up calls for all organizations, whether they are non-profits, governmental agencies, or start-ups and Fortune 500 companies. While credit card theft and identity theft is on the rise, their impacts can pale in comparison to mass data breaches, ruthless ransomware and crippling DDoS attacks. Reviewing leading incidents for the past two years highlights several important lessons:
- Protection involves not only data loss, but also incidents which interrupt business including ransomware attacks, network and system interruption and connected device takeover.
- Responsibility for incident protection and readiness is company-wide. There needs to be a critical shift in attitudes regarding responsibilities of data stewardship security and responsible privacy practices.
- Data is often a company’s most valuable asset. Identify what you have, where you have it, how you use it and the potential risks should it be inappropriately accessed, held hostage, released or erased.
- The level of data security you apply must be commensurate with the data held – the security in place should reflect the risk of damage to consumers and the company should that information be inappropriately accessed. Organizations should develop a data minimization strategy including a classification matrix that guides how various types of data should be protected, stored and discarded across an organization.
- Only collect and retain data that has a business purpose. Protect it while it’s held, and delete it when it’s no longer needed. Criminals cannot steal or hold hostage data you don’t have.
- Have an incident plan to reduce impacts of an attack. It’s dangerous to think you won’t be a target. Consumer, employee and corporate data are valuable commodities. When combined or appended with other breached data, they increase in value. Alternatively, freezing these assets can paralyze a business.
- Security and privacy are not absolutes and must evolve. Organizations need to regularly review how they store, manage and secure their data. A plan needs to include prevention, detection, notification, remediation and recovery processes and operations.
- Security is beyond your desktops, networks and walls. As more businesses rely on cloud services and third-party providers, companies must consider the expanded attack landscape. A risk assessment must be conducted prior to usage and on an ongoing annual basis. Supplier risk assessment must be done before a contract is signed and managed through the term of the contract. Management should require regular (weekly, monthly, quarterly or annual) reports from vendors specifying their internal data security processes, data removal methods, tools and technology implementation and documentation.
- Being prepared is not just for Boy Scouts. An incident plan needs to incorporate training to help prevent, detect, mitigate and respond. Just like first responders, employees must be trained, equipped and empowered to deal with a data loss incident. Planning is the key to maintaining trust and the vitality of the Internet, while helping to ensure business continuity. Developing key relationships ahead of time with attorneys, public relations, forensics, and identity protection firms is essential to maximizing the response effectiveness.
- Connected devices introduce new risk levels. The rapid adoption of connected devices from Smart TVs in the boardroom to coffee makers in the breakroom dramatically increase the threat landscape. Ongoing risk assessment of all loT devices and the development of an employee policy for connecting devices to the corporate network is critical since a single connected device can introduce threats network wide.25
- Build trust through transparency. Whether communicating with customers or board members, keeping important stakeholders informed early with regular updates is a critical part of maintaining trust.
Endnotes
1 Washington Post https://www.washingtonpost.com/news/early-lead/wp/2016/09/13/world-anti-doping-agency-confirms-russian-hack-of-rio-olympic-drug-testing-database/
2 Yahoo Data Breach http://searchsecurity.techtarget.com/news/450409941/Yahoo-breach-data-reveals-the-need-for-ethical-breach-reporting
3 NYT http://www.nytimes.com/2016/08/11/us/politics/democratic-party-russia-hack-cyberattack.html?_r=0
4 Risk Based Security 2016 Year End Breach Report https://pages.riskbasedsecurity.com/2016-ye-breach-quickview
5 FBI BEC data https://www.ic3.gov/media/2016/160614.aspx
6 Symantec 2016 Ransomware Report http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
7 NBC News Ransomware Growth http://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646
8 Malwarebytes ransomware rise https://www.theguardian.com/technology/2016/aug/03/ransomware-threat-on-the-rise-as-40-of-businesses-attacked
9 Verisign DDoS Trends Report https://www.verisign.com/assets/report-ddos-trends-Q32016.pdf
10 Includes data breach incidents from Risk-Based Security 3Q2016 report, BEC incidents from the FBI and ransomware incidents from the Symantec 2016 Ransomware report.
12 Malvertising https://otalliance.org/initiatives/malvertising
13 Cybercrime targeting manufacturing http://www.natlawreview.com/article/case-study-how-regional-manufacturing-firms-are-increasingly-targets-cybercrime
14 Cisco / IronPort bogus security updates https://tools.cisco.com/security/center/viewAlert.x?alertId=20315
15 Fake Warnings http://www.techrepublic.com/blog/it-security/fake-security-messages-more-believable-than-real-warnings-research-shows/
16 FCC broadband privacy rules https://www.fcc.gov/document/fcc-adopts-broadband-consumer-privacy-rules
17 EU Data Protection Directive http://www.nytimes.com/2015/12/16/technology/eu-data-privacy.html
18 IBM-Ponemon Cost of a Breach 2016 http://www-03.ibm.com/security/data-breach/
19 The Atlantic http://www.theatlantic.com/business/archive/2016/09/ransomware-us/498602/
20 Reuters http://www.reuters.com/article/us-at-t-settlement-dataprotection-idUSKBN0MZ1XX20150408
21 CBS News http://www.cnbc.com/2016/08/05/why-2016-could-be-banner-year-for-health-care-data-breach-fines.html
22 2016 Ponemon Business Continuity Impact http://www-935.ibm.com/services/us/en/it-services/business-continuity/impact-of-business-continuity-management/
23Enterprise focused ransomware http://www.eweek.com/security/nine-ways-to-protect-an-enterprise-against-ransomware.html
24 NTIA Vulnerability Reporting Initiative https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities
25 See OTA IoT Trust Vision White Paper and IoT Trust Framework https://otalliance.org/Vision