In BakerHostetler’s 2018 Data Security Incident Report, “Building Cyber Resilience: Compromise Response Intelligence in Action,” we identify and analyze the most important trends and takeaways from the more than 560 incidents we handled last year. These incidents affected nearly every industry and impacted anywhere from a single individual to millions of people.
Our report distills the lessons learned from those incidents into eight key takeaways for boards, senior management, auditors, IT leaders, and general counsel. Diving a little deeper into the report’s key findings:
- MFA is the gold standard. Much like encryption of external devices several years ago, multifactor authentication (MFA) has become an essential security measure and is increasingly becoming a regulatory expectation. However, MFA is not infallible and not all MFA solutions are equally secure.
Deeper Dive: Many of the attacks we saw began with attackers using compromised credentials to remotely access a network or cloud application. Often the credentials were obtained through phishing. Entities that had not considered implementing MFA or thought its users would find it too inconvenient were suddenly in the position of having to implement MFA to stop further access. After implementation, the entities were often surprised at the absence of user frustration or complaints at having to use MFA.
There are different options for how MFA is enabled, and depending on workforce scenarios entities may need to use multiple options. When evaluating options, give extra scrutiny to those that send the second factor to the user in the body of an email. If an attacker has already compromised a user’s device or mailbox, the attacker may be able to circumvent the MFA solution by reading the code from the user’s inbox. And although there is no universally applicable law mandating use of MFA, regulators across all industries are seeing incidents that would have been prevented if MFA had been enabled. Combine that reality with the fact that enabling MFA is easier now than ever before, and MFA is quickly becoming, if it has not already become, a baseline expectation.
- It’s not the cloud, it’s you. As entities migrate to the cloud, most security issues are not caused by the cloud service provider, but by how the entity or its service provider configures access to the cloud.
Deeper Dive: In 2017, we started tracking, as a separate incident type, the scenario in which a security researcher identified a cloud instance with permissions set to “public” that contained personal information about customers or sensitive corporate information. As organizations have flocked to cloud solutions seeking better security and increased computing power, many have missed or misunderstood important guidance regarding setting access controls and permissions. While most storage solutions initially default to private settings, mistakes have been made as organizations customized these controls to enable a wide variety of uses, resulting in the exposure of millions of private records to the public internet. Even where there is no actual evidence that an organization’s storage buckets were accessed by malicious actors, depending on how long they were exposed to the public internet and on the logging configuration, it may be difficult to show that there was no unauthorized access. That uncertainty can make these incidents expensive, disruptive and embarrassing, and subject the entity to regulatory scrutiny.
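The “public” permission problem described above is usually a bucket policy (or ACL) that grants read access to an anonymous principal. The following is an added example, not code from the BakerHostetler report, showing how a defender can audit stored bucket policies for that weak setting before a researcher or an attacker finds it. It assumes the AWS S3 / IAM policy JSON format; the three policies, bucket names and role ARN are constructed for illustration, and the weak public-read policy is shown beside a corrected one that names a specific role as the principal.

```python
"""Audit storage bucket policies for anonymous (public) read access.

Added example; not part of the original report. Assumes the AWS S3
bucket policy JSON format. All policies below are constructed samples.
"""
import json


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the grant applies to everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _is_read_action(action):
    """Actions that expose data: object reads, bucket listing, or wildcards."""
    a = action.lower()
    return a in ("*", "s3:*") or a.startswith("s3:get") or a.startswith("s3:list")


def find_public_grants(policy):
    """Return [(Sid, [read actions])] for statements that let anyone read.

    Statements carrying a Condition (e.g. restricted to a VPC endpoint) are
    not flagged here; they still deserve manual review, but they are not
    unconditionally public.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if _is_read_action(a)]
        if actions:
            findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


def audit_policy_documents(documents):
    """documents: {bucket name: policy JSON text}. Returns {bucket: findings}."""
    return {name: find_public_grants(json.loads(text)) for name, text in documents.items()}


# --- constructed sample policies -------------------------------------------
# Weak setting: anyone on the internet can list and download every object.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-exports",
                     "arn:aws:s3:::example-customer-exports/*"],
    }],
}

# Corrected setting: the same grant limited to one named role (placeholder account id).
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-exports",
                     "arn:aws:s3:::example-customer-exports/*"],
    }],
}

# Anonymous principal but gated by a condition (placeholder endpoint id): reviewed, not flagged.
VPC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-internal-reports/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}},
    }],
}


if __name__ == "__main__":
    docs = {name: json.dumps(p) for name, p in
            [("customer-exports", PUBLIC_READ_POLICY),
             ("customer-exports-fixed", PRIVATE_POLICY),
             ("internal-reports", VPC_ONLY_POLICY)]}
    for bucket, findings in audit_policy_documents(docs).items():
        status = "PUBLIC" if findings else "ok"
        print(f"{bucket}: {status} {findings if findings else ''}")
```

In practice the policy text would come from the cloud provider’s API or from infrastructure-as-code files in the repository, and the same check belongs in a pre-deployment pipeline so that a “public” grant is caught before it is applied. Note the caveat in the code: an account-level block-public-access setting and bucket ACLs are separate controls, so a clean policy alone does not prove a bucket is private.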
- Rise of the regulator. Recent high-profile incidents have rekindled regulatory interest. Moreover, large multistate settlements have given state attorneys general the funds to hire experts and more aggressively investigate breaches.
Deeper Dive: 2017’s high-profile breaches, coupled with a lack of clear guidance from or demonstrated action by federal privacy regulators, have energized state attorneys general. An increasing number of states now regularly issue requests for additional information from compromised entities, even those who have suffered smaller, seemingly unremarkable data breach incidents. Some regulators are starting to explore the boundaries of their investigatory authority. Some are also hiring security and forensic investigators as consultants to review evidence associated with reported data breaches. This trend is likely to create strategic questions for entities, many of whom use external legal counsel to engage a forensic firm, forcing them to evaluate requests for production of findings (that may be favorable or unfavorable) based on the impact to preserving attorney-client privilege and work product compared against cooperating with the regulator to work toward getting the investigation closed. As state attorneys general continue to review the notices their offices receive of data breaches, we expect they will develop enforcement priorities and hot buttons and begin to pursue enforcement actions accordingly. Given the federal political landscape, these developments at the state level bear watching closely.
- New year, same issues. Entities still are not executing on the basics. Endpoint monitoring agents, SIEM (Security Information and Event Management) solutions, and privileged account management tools have become more common, but good hygiene could have prevented many incidents.
Deeper Dive: Despite increased focus and growing expenditures on sophisticated technological safeguards intended to deter or quickly identify data incidents, the rate of breaches is not slowing down. The reason? Most often human error or carelessness. In 2017 we continued to witness a parade of “phishing incidents,” misconfigured security settings, and delayed or missed system upgrades and patches. There is still plenty of room for improvement in employee training, attention to detail, and timely recognition of and response to potential incidents.
- Everyone’s involved. With incidents on the rise and the stakes higher than ever, senior management, boards, and external auditors are becoming involved in data breach prevention and response.
Deeper Dive: Every few years (or every year) there are notable security incidents that grab widespread attention and cause people to evaluate how their entity should address whatever new risk or issues those notable events highlight. These questions are not just being asked internally, they are coming from the boards and external auditors, too. Not only did these notable incidents lead to investigations by state attorneys general and class-action litigation, they also resulted in investigations by the Securities and Exchange Commission concerning the adequacy of disclosures and appropriateness of trading. In some cases, this led to the forced unplanned departures of senior executives and in-house lawyers. Such high-visibility corporate crises are driving external auditors to scrutinize the adequacy of incident response, and forcing boards to focus on data security and incident response planning.
- No one is “too small.” Any entity, of any size, may become the victim of a cyber-attack. Hackers are happy to hit “singles” and take advantage of the lax security practices of small and medium-sized entities, and attacker techniques and tools simplify the process of finding even obscure targets of opportunity.
Deeper Dive: Many organizations believe they are too small, too obscure, or too “run-of-the-mill” to be targeted by malicious cyber actors. Even larger, well-known businesses are often lulled into complacency, mistaking years without a major security incident as evidence that their business is an unlikely target. This reasoning misunderstands how easy it is for attackers to find and compromise vulnerable targets across the entire internet. While some victims are targeted for a specific purpose, especially by nation-state actors, many are not – more often, they are opportunistic victims or victims of collateral damage directed at others. Any organization can fall victim to phishing campaigns, watering-hole attacks, malvertising or mass internet scans. Understanding how attackers do – and don’t – target victims is critical to proper network defense, and to accurately assessing an organization’s risk scenarios.
- GDPR countdown drives uncertainty. With the May 25 effective date looming, organizations have been racing the clock to get their privacy, data security and incident response practices in order. Expect adjustments to continue as the regulation is implemented.
Deeper Dive: The EU General Data Protection Regulation takes effect soon. With it will come significant, even dramatic, changes in the ways U.S.-based companies that control or process EU personal data are permitted or required to collect, process, share, transfer or delete that data. In the event of a data breach involving EU personal data, the changes are particularly stark: the definition of “personal” data under the GDPR differs significantly from the “PII” U.S. companies have come to know; and EU “personal data breaches” may include events such as temporary outages, DDoS attacks and ransomware, in addition to incidents involving unauthorized access to personal data. Notably, GDPR requires subject organizations to report such a “personal data breach” to data protection authorities within 72 hours, a far cry from the 30-60 days generally required or expected in the U.S., and the timing of that disclosure will likely drive the affected entity’s U.S. regulatory and customer disclosures to some extent. For multinational entities holding EU data, the coming year is likely to be a bumpy ride.
- Reading the litigation tea leaves is an inexact science. The line determining cognizable damages continues to blur. In addition, recent cases show that privilege may not apply to all incident-related communications, and that some entities choose to waive privilege.
Deeper Dive: Recent judicial decisions on post-breach cases have been nothing if not inconsistent. This past year’s rulings on standing and cognizable damages suggest at least a “micro-trend” in which plaintiffs’ generalized damages claims related to breaches tend to survive motions to dismiss and are permitted to proceed to discovery. Courts are also closely scrutinizing blanket claims of privilege protecting forensic investigations and communications among incident response teams during a data breach. In light of these developments, organizations and their counsel must be vigilant during incident response to anticipate and address privilege issues, and to consider the creation of non-privileged reports and communications which can be produced in the event of future litigation.