Breach disclosure time still high, report shows
Companies are getting faster at disclosing breaches, but the average is still too high in the light of the GDPR and other breach disclosure regulations, a report shows
The average number of days between breach discovery and disclosure is decreasing, but is still too high, data analysis by Risk Based Security reveals.
Despite improvements in the past few years, the average is still 37.9 days, according to the security firm’s Data breach quick view report for the first quarter of 2018.
This is down from 42.7 days in the same period in 2017, 68.9 days in 2016 and 82.6 days in 2015.
“With the [EU’s General Data Protection Regulation] GDPR taking effect in May, we wanted to share how well organisations might be able to comply with Article 33 – the 72-hour notification rule – based on our research,” said Inga Goddijn, executive vice-president at Risk Based Security.
Although it is “encouraging” that the average number of days between discovery and disclosure has been steadily declining from year to year, she said the current average shows there is still work to be done to meet the GDPR obligation to report a breach to the authorities within 72 hours of becoming aware of the event.
Prompt breach disclosure is becoming a standard requirement of regulations worldwide, with some regulations in the financial services sector requiring organisations to report breaches within as little as one hour of becoming aware of the breach.
Data for the first quarter of the year also shows that the number of breaches disclosed in the period fell to 686, compared with 1,444 breaches reported in the same period a year ago.
But the most likely reason for this dip is not improved security, but a shift in tactics by cyber criminals, who are tapping into illicit cryptocurrency mining as an alternative source of income to selling stolen records.
The report notes that the spike in the value of cryptocurrencies that took place in January fuelled a rapid expansion into the theft of computing resources.
“While there is no direct data linking the rise of cryptominers to a reduction in data breach activity, there are tantalising bits of evidence that lead us to believe there is some level of relationship at play here,” said Goddijn.
Cyber crime trends continue from 2017
The report shows that apart from the dip in the number of breaches, many of the trends observed throughout 2017 continued to be evident in the first three months of 2018.
The top five breach types that dominated recent reports – hacking (unauthorised access), skimming, inadvertent disclosure on the internet, phishing and malware – all remained the top breach types into 2018.
Likewise, the vast majority of breaches are still originating from outside the organisation, most events are being discovered by external parties, and the data types targeted and average number of records compromised showed little variation from 2017.
“Other than the dip in the number of data breaches reported, Q1 2018 was very much in lock-step with recent quarters,” said Goddijn.
“If there was a truly seismic shift in breach activity, we would expect other metrics to show some signs of change as well. Given this, we think the jury is still out on whether the dip is a one-time blip or part of a larger trend,” she said.
The US topped the rankings with the highest number of breaches for the quarter (392), followed by India (25), Canada (21) and the UK (20). The remainder of the top 10 breached countries were: Australia (17), Germany (7), Japan (6), Denmark (5), Hong Kong (4), and Italy (4).
However, the highest number of exposed records was in India, accounting for 82% of the total, followed by the US (18%), Norway (0.2%) and Canada (0.08%). The UK was not among the 10 countries with the highest proportion of records exposed.
According to the report, the business sector accounted for 97.9% of the records exposed, followed by government (1.1%). As in 2017, the medical and education sectors combined accounted for less than 1% of the total records exposed in the quarter.
Fraud captured the top spot for the breach type compromising the most records, accounting for 1.27 billion exposed records during the quarter. However, fraud came in as only the seventh most common breach type, accounting for 4.8% of reported breaches.