Organizations of all types need to prepare for breaches of their computer networks. No one is immune. That is the message in a report from law firm BakerHostetler on data security incidents in 2015.
The firm’s Privacy and Data Protection team examined more than 300 data security incidents on which the firm provided legal advice in 2015. The 2014 study found that human error was the leading cause of these incidents. The 2015 study found something different – almost one-third of all incidents were caused by phishing, hacking and malware.
In a phishing attack, the perpetrator attempts to obtain sensitive information (passwords, credit card information, etc.) by pretending in an email or other electronic communication to be a trustworthy entity. A fake email message with a bank’s logo in it is an example of a phishing attack. In a hacking, the perpetrator seeks out and exploits weaknesses in the network’s security to gain unauthorized access. Malware is software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.
The study found that 31 percent of incidents were caused by these three types of attacks. This implies that organizations can better protect themselves by training employees on how to recognize phony messages; beefing up network security systems; and limiting the ability of employees to download and install software.
Other causes of incidents included employee mistakes, external theft, outside vendors, internal theft, and lost or improperly disposed of equipment.
The top target industries were health care, financial services and education. These three combined to account for more than half of all incidents, but no industry was safe from cyber incidents.
When a data security incident occurs, the organization may need to notify affected individuals, damaging its reputation and finances. The study showed that, where notification was required, organizations had to notify an average of 269,000 people. In half of those cases, more than 190,000 people had to be notified. Still, 40 percent of the incidents did not require public notification.
While more than half of all incidents were self-detected by the victims, the average time it took to detect them was more than two months. Health care organizations took almost twice as long as others. Once detected, containment of the incidents took an average of a week.
Almost one quarter of the incidents produced inquiries from regulators. Legal action was taken after six percent of them were disclosed to the public.
The report shows that all organizations should prepare for data security incidents. While striving to prevent them from happening, organizations should plan for the day that they happen. That means taking steps to detect and contain the attacks as quickly as possible. Arrangements should be made in advance with a computer forensics firm to help investigate and respond to the attack. Also, purchasing insurance to cover costs like legal defense and settlements, notification, and answering regulators’ inquiries is a good idea.
Data security incidents are inevitable. Organizations that prepare for them will survive and minimize the damage.