Data-driven insights help prevent decisions based on fear
Organizations have strengthened security measures and become more resilient, but threat actors are still finding ways through, according to BakerHostetler.
“We launched the Data Security Incident Response Report nine years ago because we recognized that organizations were making data-driven decisions about other areas of risk and compliance and that there was no source for that purpose for data security,” said Theodore J. Kobus III, chair of BakerHostetler’s Digital Assets and Data Management Practice Group.
“The statistics and insights in the report are intended to help organizations with benchmarking and projections so they do not have to make decisions based on hype and fear. As organizations implement stronger security measures to adapt to the changing risk landscape, we see threat actors adapting their methods accordingly. The need for vigilance remains ever present. We also recognized that data and technology issues require an enterprise approach. So, over the years we added capabilities to serve our clients across the life cycle of data technology. Our Digital Assets and Data Management Practice Group now has more than 100 dedicated attorneys and technologists,” Kobus continued.
Ransomware is back in full force
A reduction in ransomware matters in 2022 reversed course by the end of the year. The surge is continuing in 2023.
- Average ransom demanded was $3,713,939. Six of eight industries tracked in the report showed an increase in the average ransom demanded.
- Average ransom paid (for all industries) increased 15% in 2022 to $600,688. The health care industry saw the largest increase in average ransom paid ($1,562,141, up 78% from 2021).
- Recovery times associated with ransomware incidents increased significantly overall and in almost every industry tracked.
- Industries with a substantial increase in average recovery time included retail, restaurant and hospitality (91%), health care (69%), and energy and technology (54%).
Improvement in forensics data
There has been improvement in key incident response metrics over the past several years, according to report data. In network intrusion matters, dwell time dropped from 66 days to 39 days; average time to containment is down to three days from four; and investigations on average are taking 36 days to complete, down from 41.
Threat actors find new ways around security measures
Many organizations have implemented stronger security and resiliency measures such as MFA, endpoint detection and response tools, immutable backups, and third-party security operation centers to monitor host and network activity in real time — to combat the most common methods used by cybercriminals.
However, threat actors have proven adaptable and resourceful at finding new ways to attack systems.
Tactics observed in 2022 include the following:
- MFA bombing: Where, after obtaining an account’s username and password, the threat actor repeatedly sends authentication notices until the user wears down and approves the request — thus allowing the threat actor access.
- EDR-evading malware: Threat actors evade EDR tools using polymorphic malware. In other instances, EDR tools are not deployed across all key assets, thus leaving systems vulnerable to threat actors.
- Social engineering: Threat actors impersonate a company’s customer, IT team member or other trusted source in a conversation with an employee of the company. Over multiple conversations, sometimes lasting months, the threat actor eventually gains the trust of the employee, who through some action permits the threat actor to gain access to the system.
- Search engine optimization poisoning: Threat actors create fraudulent websites mimicking real ones. They then use SEO to have the site show up higher in web searches. Customers mistakenly use the fraudulent site and enter their credentials, which are stolen and used by the threat actors.
Lawsuits proliferate
Litigation is a significant risk for companies that collect data and manage digital assets. A now five-year trend was observed — a greater percentage of incidents in which an organization provided notice to individuals that resulted in the filing of at least one lawsuit (from four out of 394 in 2018 to 42 out of 494 in 2022).
Another multiyear trend is that lawsuits are being filed over small incidents. In 2022, four lawsuits were filed in incidents where fewer than 1,000 individuals were notified. Incidents where fewer than 100,000 individuals (but more than 1,000) were notified resulted in 14 lawsuits.
The report includes in-depth analysis of privacy statute litigation, including lawsuits involving the California Invasion of Privacy Act, the Video Privacy Protection Act, Right of Publicity Statutes, the Illinois Biometric Information Privacy Act and the Health Insurance Portability and Accountability Act, as well as a wave of litigation based on website tracking technology.
“Securing an enterprise is a significant challenge — there are a lot of risks and just spending more money does not automatically equate to more effective security,” said Craig Hoffman, co-leader of BakerHostetler’s national Digital Risk Advisory and Cybersecurity team.
“We see a lot of incidents, including what allowed them to occur and what was done to address the issue. Because enterprises do not have unlimited budgets and staff to implement and maintain new solutions, being able to share objective data about security incidents — from causes to fixes to consequences — helps clients decide where to prioritize their efforts,” Hoffman concluded.