2017 Cyber Incident & Breach Trends Report: Patching Is Critical

The Online Trust Alliance just published its 10th annual Cyber Incident & Breach Trends Report, a review and analysis of cyber incidents, trends, and issues critical to organizations looking to improve data protection and threat defense.

The report covers many of the high-profile data breaches of 2017 and highlights the financial impact of these major threats, estimating that the average cost of a data breach incident worldwide was $3.62 million with the average cost in the US at $7.35 million.

One of the key avoidable causes of data breaches and security threats identified in the report was lack of prompt patching of public/known vulnerabilities and not having a way to process vulnerability reports.

The report uses the Equifax breach as an example of unnecessary exposure due to lack of patching and states “many other incidents such as WannaCry and Petya also spread quickly due to inadequately patched systems. Verizon’s 2017 DBIR analysis showed that only 61% of organizations complete their patching process and patches not completed after 12 weeks tended to go unpatched. With the revelation of the KRACK Wi-Fi and BlueBorne vulnerabilities in late 2017 and the Spectre and Meltdown chipset vulnerabilities in January of 2018, the need to patch has reached a fever pitch. Regular patching has long been a best practice, but due to this “perfect storm” it deserves extra attention this year.”

“Regular patching has always been a best practice and neglecting it is a known cause of many breaches, but this received special attention in 2017 in light of the Equifax breach,” said Jeff Wilbur, director of the OTA initiative at the Internet Society. “In 2018 we expect patches to play an even more integral role due to the recently discovered Spectre and Meltdown vulnerabilities where nearly every computer chip manufactured in the last 20 years was found to contain fundamental security flaws.”

In addition to summarizing the top 2017 security trends to address, the report outlines ten key ways organizations can better defend themselves against security threats and data attacks:

  1. Responsibility for incident protection and readiness is organization-wide. Data stewardship, security and associated privacy are the responsibility of the board, executives, all employees and all departments (not just IT).
  2. Data is an organization’s most valuable asset. Identify what you have, where it is, why and how you use it and the potential risks should it be inappropriately accessed, held hostage, released or erased.
  3. Only collect and retain data that has a purpose for as long as needed. Secure it while it’s held; delete it when its no longer needed. Criminals cannot steal or hold hostage data you don’t have, and such minimization may be a regulatory requirement for your organization.
  4. The level of data security you apply must be commensurate with the data held. The security in place should reflect the risk of damage to consumers and the company should that information be inappropriately accessed. Organizations should be protected, stored, and discarded across an organization.
  5. Protection involves not only the specific incident (data loss, ransom paid), but also the costs of business interruption. Including locked data, network and system interruption and connected device takeover.
  6. Have a plan to reduce the impact of an attack. An incident plan needs to incorporate training to help prevent, detect, mitigate and respond. Just like first responders, employees must be regularly trained, equipped, and empowered to deal with a data loss incident. Planning is the key to maintaining trust and business vitality while helping to ensure business continuity. Developing key relationships ahead of time with attorneys, public relations, forensics, and identity protection firms is essential to maximizing the response effectiveness.
  7. Security and privacy are not absolutes and must evolve. Organizations need to regularly review their procedures for collection, storage, management and security of all data (along with review of changing technologies, best practices, and regulations).
  8. Security is beyond the organization’s desktops, networks, and walls. Cloud services, third-party processors, and external business partners expand the attack landscape. Conduct a risk assessment prior to partnerships or service agreements and periodically reassess. Require regular (weekly, monthly, quarterly, or annual) reports from vendors specifying their internal data security processes, data removal methods, tools and technology implementation, and documentation.
  9. Connected devices introduce new risk levels. The rapid adoption of connected devices from Smart TV’s in the boardroom to coffee makers in the breakroom to employees’ personal mobile devices and wearables connected to the office wi-fi dramatically increase the threat landscape. Ongoing risk assessment of all IoT devices and the development and enforcement of an employee policy for connecting devices to the corporate network is critical since a single connected device can introduce threats network wide.
  10. Build trust through transparency. In the event of an incident, keep communication clear. Whether communicating with customers of board members, keeping important stakeholders informed early with regular updates is a critical part of maintaining trust.

The full report can be downloaded here.

The Internet Society is a non-profit organization dedicated to ensuring the open development, evolution and use of the Internet. Working through a global community of chapters and members, the Internet Society collaborates with a broad range of groups to promote the technologies that keep the Internet safe and secure, and advocates for policies that enable universal access. The Internet Society is also the organizational home of the Internet Engineering Task Force (IETF).

The Online Trust Alliance is an initiative within the Internet Society, whose mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices, and data stewardship.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.