Building Trust

Internet Society’s Online Trust Alliance 2018 Cyber Incidents & Breach Trends Report

On Tuesday July 9, 2019 the Internet Society’s Online Trust Alliance (OTA) released its 11th Cyber Incident & Breach Trends report, which provides an overview of cyber incidents – and offers steps organizations can take to prevent and mitigate the potential damage. This year’s report found a shifting landscape of cyber incidents. As the growth of some attack types levels off, others increase.

Adding it all up, OTA estimates that there were more than 2 million cyber incidents in 2018, and it is likely that even this number significantly underestimates the actual problem. OTA estimates an overall financial impact of at least $45 billion worldwide. The lead categories of attacks are cryptojacking (1.3 million) and ransomware (500,000), followed by breaches (60,000), supply chain (at least 60,000 infected websites), and Business Email Compromise (20,000).

There are many organizations that track data breaches overall. For example, Risk Based Security reported the highest number at 6,515 breaches and 5 billion exposed records, both down from 2017. These estimates vary depending on their methodologies – see our full report for all of the breach estimates and our methodology.

One well-established attack type, ransomware, saw a decline in 2018. However, the total dollar value of these attacks continues to grow. Another well-known attack is Distributed Denial of Service (DDoS). Examples of successful DDoS attacks in 2018 range from banking (ABN AMRO) to education (Infinite Campus) to email services (ProtonMail) to software services (GitHub).

Business Email Compromise, where employees are deceived into sending funds to attackers posing as employees of a firm, also grew. The FBI’s 2018 Internet Crime Report reported more than 20,000 incidents in the U.S., resulting in nearly $1.3 billion in losses (an increase from approximately 16,000 incidents and $677 million in losses in 2017).

New to this year’s report is cryptojacking, which saw a marked increase in 2018. Trend Micro detected more than 1.3 million instances of cryptojacking code in 2018, a greater than three-fold increase from 2017. Supply chain attacks, also new to the report, grew as well. Symantec’s Internet Security Threat Report reported a 78% growth in supply chain attacks.

Other attack categories are based on the shifting infrastructure of the Internet. Many businesses rely on cloud services for some or all of their operations and as a result have become a target for attacks. One estimate by research firm Digital Shadows found that in 2018 there were 1.5 billion files exposed around the world solely due to misconfigurations in cloud services.

IoT devices are increasingly becoming tools to carry out various types of attacks, from DDoS to cryptojacking. Kaspersky Labs reported that in the first half of 2018 they saw a three-fold increase in the number of malware variations used to attack IoT devices.

The report also offers advice on how organizations can better prevent and mitigate cyber incidents. Organizations can use the OTA IoT Trust Framework to help make the entire IoT ecosystem safer. They can also follow the recommendations in the Cyber Incident & Breach Trends report.

While the landscape of cyber incidents is both vast and shifting – and may include new attack types – the guidance offered in the report remains largely unchanged. Organizations must remain vigilant and assume that at some point they will have to deal with a cyber incident. Following the recommendations in the Cyber Incident & Breach Trends report is a good first step.

Will Uber Drive Us to Federal Breach Legislation?

The past six months we have witnessed an unparalleled level of questionable business practices resulting from data breaches. Trusted brands such as Uber, Equifax and others, which have been entrusted with significant amounts of personal data, have failed the American public. The breach missteps and follies only continue. Each time, most within the security and privacy communities have rolled our eyes in disbelief.

While it is important that we do not victimize the victims, and acknowledge that there is no perfect defense, it is equally important for organizations to be prepared for an incident and be transparent about how they respond. Every organization has an implied and legal responsibility to apply best practices to help prevent incidents, detect events and be prepared to respond and remediate the impact. Judging by these past incidents, the concept of data stewardship and accountability has gone by the wayside. All too often these organizations are caught flat-footed, or attempt to hide the incident for a range of what appear to be self-serving reasons. Perhaps they have recognized that the current regulatory landscape has few meaningful ramifications, or that they will not be held personally accountable. Self-regulation appears to be failing, and the existing regulatory construct does not appear to be a deterrent or to be taken seriously by executives and their boards. In the case of Yahoo and Equifax, the CEOs walk away with millions of dollars while the impacted consumers are left on their own.

With each major breach event I have hoped it would be a watershed moment, becoming a catalyst for change. Today US companies are faced with a complex mosaic of 48 State breach laws, plus several sectoral regulations. While nearly everyone complains about the challenge of navigating this maze of regulations, no progress to develop a national breach regulation has occurred. Ironically, there is generally rough consensus on several key requirements: 1) reasonable baseline security, 2) personal or covered information, 3) notification triggers and requirements and 4) remedies. Having personally worked on over a dozen such draft bills, I have been disappointed at how partisan efforts and trade groups have driven these efforts off the road, ignoring the impact on consumers.

I am hopeful this time it will be different. The allegations against Equifax and Uber have ratcheted the issue to new heights. On May 26, 2018 the EU Data Protection Directive (GDPR) will be enforceable. While many companies will be prepared, the vast majority will not be, nor do they recognize the risks. Technically they only need a single resident of the EU for the regulations to kick in. GDPR requires regulators to be notified within 72 hours of learning of an incident, while US companies have shown disregard, in some cases taking 6 to 12 months. The US is by and large sadly behind the rest of the world in recognizing privacy rights and data breach reporting requirements.

Last week the Senate Commerce Committee ranking chair Senator Bill Johnson (FL-D) proposed legislation making it a criminal act to not disclose such data. This has the potential to wake up the C-suite. As we look forward to new legislation, I propose legislation be modeled after CAN-SPAM (the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003”). Enacted in 2004, CAN-SPAM is a single Federal Law, pre-empting individual State Laws while permitting State right of enforcement. Primary enforcement would be left to the Federal Trade Commission, and State Attorneys General could join in actions or file on their own. Similarly, there needs to be a penalty that does not rely on harms or damages being proven. We need to take the best from leading States such as California, New York, Massachusetts and others. As a benefit to industry, such legislation should also provide safe harbor from Federal and State laws, as well as from the threat of class-action suits, to companies that have employed reasonable security and are in full regulatory compliance.

At the end of the day both consumers and business will benefit from federal breach legislation. Having a consistent set of rules and regulations will raise the bar of breach prevention and readiness, save tens if not hundreds of thousands of dollars in legal costs and, most importantly, enhance consumer protection and expedite timely notifications.

Who knows, perhaps in the long run we might be able to “thank” Uber for driving us to this destination.

Craig Spiezle

Managing Director, Agelight Advisory Group
Chairman Emeritus, Online Trust Alliance
Follow Craig on Twitter @craigspi

Note: The views expressed in this op-ed do not necessarily reflect those of the Internet Society.