Possibly as many as 82,000 cyber incidents a day negatively impacted organizations around the world in 2016, says an industry group that looked at threat intelligence from a number of sources.
And the Online Trust Alliance, which released the estimate Wednesday as part of its annual Breach Readiness Guide, says that because most incidents aren’t reported to regulators or law enforcement agencies the number could be as much as 250,000.
An “incident” includes breaches, ransomware, distributed denial of service (DDoS) attacks and takeover of infrastructure.
As many as 91 per cent of reported breaches were avoidable, adds the report, a figure consistent with what the alliance reported in 2015: 13 per cent were due to a lack of internal controls resulting in accidental or malicious events by employees, and 53 per cent were the result of actual hacks. Consistently for the past several years, more than 90 per cent of incidents have originated from a deceptive or malicious email. The leap in enterprise ransomware incidents, which increased 35 per cent in 2016, “points to a lack of employee training and protection from spearphishing emails,” says the report.
In one sense the confirmed or estimated numbers don’t matter, because the almost daily global reports last year of breaches big and small – 1 billion records exposed in the 2013 Yahoo breach only now coming to light, the breach at a U.S. political party, the loss of some 45 million records from Toronto-based automotive forum site VerticalScope – tell the story.
Either way – through the mountain of news reports or an attempt at reaching a respectable estimate – the situation isn’t getting better.
What the impact is isn’t clear. So far, online business continues to grow. Still, the alliance quotes an Internet Society study that online trust is at an all-time low with 59 per cent of users reporting they would likely not do business with a company that had suffered a data breach.
“These metrics illustrate the need for all stakeholders, including industry, policy makers and governments, to take decisive action,” says the alliance report. “The recurring incidents have an additive, long-term effect on society not unlike global warming and carbon emissions. We are facing the tragedy of the trust commons which, left unaddressed, can and will have significant impact to future generations.”
That’s why one of the alliance’s 10 tenets of cyber incidents is that organizations must make security a priority; those that fail to adopt sound practices will be held accountable.
Others are that organizations need to look beyond the impact and cost of a “traditional data breach” to the life safety and physical impact of an incident, damage to an organization’s reputation and risks to users; and that business incentives are needed to accelerate “security by design,” along with annual security assessments of sites, applications, services and devices.
The alliance report adds that 11 lessons have been learned after examining major incidents in 2015/2016. Some include:
– Protection involves not only data loss, but also incidents which interrupt business;
– Responsibility for incident protection and readiness is company-wide;
– Only collect and retain data that has a business purpose;
– Security and privacy are not absolutes and must evolve;
– An incident plan needs to incorporate training to help prevent, detect, mitigate and respond;
– Build trust through transparency. Whether communicating with customers or board members, keeping important stakeholders informed early with regular updates is a critical part of maintaining trust.
Much of the 50-page guide consists of helpful information and worksheets – handy for small and medium businesses that aren’t sure their cyber security is up to snuff – including questions to be answered for boards, an outline of risk assessment, a list of security best practices, advice on data management and governance, considerations for buying cyber insurance, fundamentals of incident response and recommendations on how to increase employee security awareness.
Alliance board members include VeriSign, ThreatWave, DigiCert and Symantec.