Insights from Over 560 Incidents in 2017 Report | GBAF | GBAF

Insights from Over 560 Incidents in 2017 Report | GBAF | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Top Stories > BAKERHOSTETLER DATA SECURITY INCIDENT RESPONSE REPORT DEMONSTRATES NEED FOR CYBER RESILIENCE AND LEVERAGING COMPROMISE RESPONSE INTELLIGENCE

BAKERHOSTETLER DATA SECURITY INCIDENT RESPONSE REPORT DEMONSTRATES NEED FOR CYBER RESILIENCE AND LEVERAGING COMPROMISE RESPONSE INTELLIGENCE

Published by Gbaf News

Posted on March 29, 2018

12 min read

Last updated: January 21, 2026

Spanish hostage Gilbert Navarro arriving at Algerian air base after release - Global Banking & Finance Review — This image depicts the arrival of Spanish hostage Gilbert Navarro at Boufarik air base in Algeria after his release by Tuareg rebels, highlighting a significant moment in international hostage negotiations.

Fourth annual report provides insights and trends drawn from analysis of more than 560 incidents managed by the firm’s privacy and data protection team in 2017

Many entities face the same types of security incidents – some are viewed as handling the incident well, and for some it’s a disruptive and costly lesson. The ones that fare better have prepared for an incident and use lessons-learned from prior incidents. Recognizing that entities need a source of reliable information on what actually happens during an incident, the BakerHostetlerPrivacy and Data Protection team published the 2018 edition of its Data Security Incident Response Report. The 2018 Report contains statistics and insights based on more than 560 data security incidents managed by the firm in 2017. The Report provides practical measures entities can use to prioritize risk management goals and be better prepared to respond to an incident when it happens. The Report calls this using Compromise Response Intelligence to be Compromise Ready.

“Compromise Response Intelligence should be used by entities to prioritize and gain executive support for security spending, educate key stakeholders, fine-tune incident response plans, work more efficiently with forensic firms, assess and reduce risk, build scenarios for tabletop exercises and determine cyber liability insurance needs,” said Theodore J. Kobus III, leader of BakerHostetler’s privacy and data protection practice.

As noted in previous years, the Report emphasizes that entities need to be “Compromise Ready” by setting up defenses to lessen the number of incidents and having systems in place to respond – being cyber resilient – in order to reduce the risk of attacks and lessen their severity when they do occur.

“The stakes are higher than ever, but some entities still are not executing on the basics. Many have made great strides in their cybersecurity planning, but as threats evolve and entities change, they must also keep their security protocols current. It takes an ‘all-in’ approach from boards to senior management to entry level employees for best-in-class breach prevention and response planning,” Kobus noted.

Incident Causes

The Report shows that phishing remained the leading cause of incidents at 34 percent, followed by network intrusions at 19 percent, inadvertent disclosure (such as an employee mistake) at 17 percent and stolen or lost devices/records at 11 percent. A new category this year is system misconfiguration, which reflects instances where unauthorized individuals gain access to data stored in the cloud because permissions were set to “public” instead of “private,” and was responsible for six percent of incidents.

“Contrary to what some might expect, cloud security issues are not occurring because the cloud service providers are being compromised, but rather because of how the entity itself or its service provider configured access to the cloud instance,” added Kobus.

Increased Regulatory Scrutiny

Entities also need to be aware that regulators have become aggressive in investigating breaches, with upticks in not only the number of inquiries by regulators (i.e. 64 by state attorneys general and 43 non-AG investigations in 2017 compared to 37 state AGs and 29 non-AG investigations in 2016), but also in the speed by which they are being made. And when the General Data Protection Regulation (GDPR) and its quick notification and onerous financial consequences for non-compliance become effective on May 25, 2018 for entities established in the EU, the regulatory landscape will be even more challenging.

Response Timeline

One of the most important features of the Report is the incident response timeline, which identifies the four key time frames of the incident response lifecycle – detection, containment, analysis, and notification. This timeline gives entities context for understanding the timing of when they will have reliable information to facilitate communication about the incident.

Overall incident response times for 2017 were 66 days from occurrence to discovery (an increase of five days from 2016), three days from discovery to containment (an improvement of five days from 2016), 36 days from engagement of forensics team to investigation complete (four days faster than the previous year), and 38 days from discovery to notification (three days better than 2016).

Forensics Drives Key Decisions

In the data breach incidents analyzed in the Report, 41.5 percent employed the use of outside forensic investigators. The average cost of a forensic investigation was $84,417 in 2017 compared with an average cost of $62,290 in 2016. “The ability to quickly and efficiently conduct a forensic investigation is critical to helping answer essential questions about the incident, including: What happened? How did it happen? How do we contain it? Who do we need to inform? How can we protect affected individuals?” noted Kobus.

Other interesting trends/numbers from this year’s analysis include:

Ransomware was involved in 18 percent of the phishing incidents and 38 percent of the network intrusion incidents.
Size doesn’t matter regarding the likelihood of being breached. In the incidents covered by the Report there was a fairly even number of incidents by entities with revenues between $10 million and $100 million, $100 million and $500 million, $500 million and $1 billion, and $1 billion and $5 billion – with mere percentage points separating those categories.
Detection. 65 percent of breaches that the firm worked on were detected internally.
What data is at risk? Incidents included in the 2017 survey involved the following types of data – Social Security numbers (46 percent), healthcare information (39 percent), all other confidential information, such as student ID numbers, usernames and passwords – (26 percent), birth dates (24 percent), financial data (15 percent), payment card industry data (12 percent), and driver’s license information (10 percent).
Notifications v. Lawsuits. Out of the 560 total incidents in the Report, 350 required notifications to individuals affected, and 10 resulted in lawsuits filed.
Average size of notification and industry most affected. While the average number of individuals notified per incident was 87,952, the hospitality industry again had the highest average number of notifications per incident at 627,723.
Data breach litigation is surviving motions to dismiss and proceeding to discovery, where plaintiffs seek breach investigation records and challenge defendants’ assertions that the investigations are protected by various legal privileges.

Compromise Response Intelligence

The Report provides a list of recommendations that entities can follow in order to help mitigate the opportunity for breaches to happen as well as to help lessen the severity of data breach incidents when they occur. The list, which includes suggestions from previous years that still hold true, has been updated to address issues/matters that have recently become prevalent. Some of the new headings address keeping data in the cloud, the increase in regulatory scrutiny, the need for entities to adopt multifactor authentication, and implementing a robust risk management program that incorporates complete buy-in from all levels of an organization.

Fourth annual report provides insights and trends drawn from analysis of more than 560 incidents managed by the firm’s privacy and data protection team in 2017

Many entities face the same types of security incidents – some are viewed as handling the incident well, and for some it’s a disruptive and costly lesson. The ones that fare better have prepared for an incident and use lessons-learned from prior incidents. Recognizing that entities need a source of reliable information on what actually happens during an incident, the BakerHostetlerPrivacy and Data Protection team published the 2018 edition of its Data Security Incident Response Report. The 2018 Report contains statistics and insights based on more than 560 data security incidents managed by the firm in 2017. The Report provides practical measures entities can use to prioritize risk management goals and be better prepared to respond to an incident when it happens. The Report calls this using Compromise Response Intelligence to be Compromise Ready.

“Compromise Response Intelligence should be used by entities to prioritize and gain executive support for security spending, educate key stakeholders, fine-tune incident response plans, work more efficiently with forensic firms, assess and reduce risk, build scenarios for tabletop exercises and determine cyber liability insurance needs,” said Theodore J. Kobus III, leader of BakerHostetler’s privacy and data protection practice.

As noted in previous years, the Report emphasizes that entities need to be “Compromise Ready” by setting up defenses to lessen the number of incidents and having systems in place to respond – being cyber resilient – in order to reduce the risk of attacks and lessen their severity when they do occur.

“The stakes are higher than ever, but some entities still are not executing on the basics. Many have made great strides in their cybersecurity planning, but as threats evolve and entities change, they must also keep their security protocols current. It takes an ‘all-in’ approach from boards to senior management to entry level employees for best-in-class breach prevention and response planning,” Kobus noted.

Incident Causes

The Report shows that phishing remained the leading cause of incidents at 34 percent, followed by network intrusions at 19 percent, inadvertent disclosure (such as an employee mistake) at 17 percent and stolen or lost devices/records at 11 percent. A new category this year is system misconfiguration, which reflects instances where unauthorized individuals gain access to data stored in the cloud because permissions were set to “public” instead of “private,” and was responsible for six percent of incidents.

“Contrary to what some might expect, cloud security issues are not occurring because the cloud service providers are being compromised, but rather because of how the entity itself or its service provider configured access to the cloud instance,” added Kobus.

Increased Regulatory Scrutiny

Entities also need to be aware that regulators have become aggressive in investigating breaches, with upticks in not only the number of inquiries by regulators (i.e. 64 by state attorneys general and 43 non-AG investigations in 2017 compared to 37 state AGs and 29 non-AG investigations in 2016), but also in the speed by which they are being made. And when the General Data Protection Regulation (GDPR) and its quick notification and onerous financial consequences for non-compliance become effective on May 25, 2018 for entities established in the EU, the regulatory landscape will be even more challenging.

Response Timeline

One of the most important features of the Report is the incident response timeline, which identifies the four key time frames of the incident response lifecycle – detection, containment, analysis, and notification. This timeline gives entities context for understanding the timing of when they will have reliable information to facilitate communication about the incident.

Overall incident response times for 2017 were 66 days from occurrence to discovery (an increase of five days from 2016), three days from discovery to containment (an improvement of five days from 2016), 36 days from engagement of forensics team to investigation complete (four days faster than the previous year), and 38 days from discovery to notification (three days better than 2016).

Forensics Drives Key Decisions

In the data breach incidents analyzed in the Report, 41.5 percent employed the use of outside forensic investigators. The average cost of a forensic investigation was $84,417 in 2017 compared with an average cost of $62,290 in 2016. “The ability to quickly and efficiently conduct a forensic investigation is critical to helping answer essential questions about the incident, including: What happened? How did it happen? How do we contain it? Who do we need to inform? How can we protect affected individuals?” noted Kobus.

Other interesting trends/numbers from this year’s analysis include:

Ransomware was involved in 18 percent of the phishing incidents and 38 percent of the network intrusion incidents.
Size doesn’t matter regarding the likelihood of being breached. In the incidents covered by the Report there was a fairly even number of incidents by entities with revenues between $10 million and $100 million, $100 million and $500 million, $500 million and $1 billion, and $1 billion and $5 billion – with mere percentage points separating those categories.
Detection. 65 percent of breaches that the firm worked on were detected internally.
What data is at risk? Incidents included in the 2017 survey involved the following types of data – Social Security numbers (46 percent), healthcare information (39 percent), all other confidential information, such as student ID numbers, usernames and passwords – (26 percent), birth dates (24 percent), financial data (15 percent), payment card industry data (12 percent), and driver’s license information (10 percent).
Notifications v. Lawsuits. Out of the 560 total incidents in the Report, 350 required notifications to individuals affected, and 10 resulted in lawsuits filed.
Average size of notification and industry most affected. While the average number of individuals notified per incident was 87,952, the hospitality industry again had the highest average number of notifications per incident at 627,723.
Data breach litigation is surviving motions to dismiss and proceeding to discovery, where plaintiffs seek breach investigation records and challenge defendants’ assertions that the investigations are protected by various legal privileges.

Compromise Response Intelligence

The Report provides a list of recommendations that entities can follow in order to help mitigate the opportunity for breaches to happen as well as to help lessen the severity of data breach incidents when they occur. The list, which includes suggestions from previous years that still hold true, has been updated to address issues/matters that have recently become prevalent. Some of the new headings address keeping data in the cloud, the increase in regulatory scrutiny, the need for entities to adopt multifactor authentication, and implementing a robust risk management program that incorporates complete buy-in from all levels of an organization.