There may have been as many as 160,000 breaches of security controls, data thefts or disruptions of business operations last year around the world, most of which could have been easily prevented, an industry group estimates.
These were among the findings of the 10th annual cyber incident and breach trends report of the Online Trust Alliance, now part of the Internet Society, which was released this morning. The OTA helps educate businesses, policy makers and stakeholders while advancing best practices and tools to enhance the protection of users’ security, privacy and identity.
The calculation of the number of cyber incidents comes from analyzing data collected from a number of security vendors and the FBI. The report notes these are reported incidents. “Since most incidents are not reported to executives, law enforcement, regulators or the public, the actual number of harmful incidents could easily exceed 350,000,” it adds.
The number of reported incidents was almost twice as many as in 2016, say the authors. “This increase is primarily due to the significant growth in ransomware infections during 2017.”
As in previous years, OTA analyzed reported breaches through Q3 2017 and found that 93 per cent were avoidable, which is consistent with previous years’ findings. Of the reported breaches, 52 per cent were the result of actual hacks, while 11 per cent were due to lack of internal controls resulting in employees’ accidental or malicious events, says the report.
“Regular patching has always been a best practice and neglecting it is a known cause of most breaches, but this category received special attention this year in light of the Equifax breach. The vast majority of other types of attacks – ransomware and BEC (business email compromise) – are initiated by deceptive or malicious emails. Analysis reveals that these, too, are avoidable, by blocking fake messages and training users to recognize spearphishing attacks. In addition to better processing of email, there are several other steps that can prevent or limit the impact of ransomware, which include updated system and security software as well as regular data backups.
“Since BEC attacks rely almost entirely on social deception and rarely include any malicious links or attachments, better processing of email can generally stop these attacks in their tracks. Unfortunately, the day-to-day urgency of business often prevents organizations from appropriately defending against these email-based attacks.”
Interestingly, the report takes no side on whether organizations should pay a ransom to retrieve data. Some may have to shell out in certain circumstances, it says, so the report recommends organizations set up a bitcoin wallet just in case.
Because organizations are shifting more workloads to the cloud — and many breaches involved cloud providers — it urges them to follow best practices, such as auditing a provider’s procedures. And keeping in mind the many breaches of Amazon S3 storage containers, it calls for “increased vigilance and understanding of all aspects of cloud-based services to properly secure data stored there.”
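The report’s call for vigilance over S3 storage comes down, in practice, to knowing whether a bucket’s policy or ACL grants access to everyone. The following audit routine is an added example and not part of the OTA report; it checks a bucket policy document and an ACL document (in the shapes AWS returns them) for world-readable grants, offline, using constructed sample documents. The bucket name, account ID and role name in the samples are placeholders.

```python
import json

# Canonical AWS group URIs that make an ACL grant public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _principal_is_wildcard(principal) -> bool:
    """True if a policy statement's Principal covers anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def find_public_policy_statements(policy_document: str) -> list:
    """Return Allow statements whose Principal is a wildcard.

    Each finding records the Sid, the granted actions, and whether a
    Condition block is present (a conditional grant still needs review,
    but is not necessarily open to the world).
    """
    policy = json.loads(policy_document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "conditional": "Condition" in stmt,
        })
    return findings


def find_public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs for ACL grants to AWS-wide groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


# Constructed sample: a classic "public-read" policy on a placeholder bucket.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: the same access scoped to one role (placeholder account/role).
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample ACL in the shape of a GetBucketAcl response.
SAMPLE_ACL = {
    "Owner": {"ID": "placeholder-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("public policy statements:", find_public_policy_statements(SAMPLE_POLICY))
    print("locked policy statements:", find_public_policy_statements(LOCKED_POLICY))
    print("public ACL grants:", find_public_acl_grants(SAMPLE_ACL))
```

In a real account the two documents would come from the bucket’s policy and ACL API responses; the checks above flag only wildcard principals and AWS-wide group grants, so a policy that is public by way of a permissive Condition or a cross-account principal still warrants a manual read, and the account-level Block Public Access setting remains the first control to confirm.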
As for preventing corporately owned IoT devices from being used to distribute malware or mount denial of service attacks, the report says firms should thoroughly vet IoT products for security, put them on a separate network and monitor the use of “non-IT” devices such as smart TVs.
The report lists 10 readiness principles — one is “Security and privacy are not absolutes and must evolve” — and an incident readiness checklist.