The number of cyberattacks on corporate America continues to increase at a steady rate, with many of them beginning with a “phishing” email that tricks employees into sending network access information, such as a password, to the attacker, according to a new report.

The study, the fifth annual Data Security Incident Response Report from BakerHostetler, discusses insights gained from the more than 750 incidents the law firm worked on in 2018. The report shows that the number of incidents investigated grew steadily each year from 200 in 2014 to 750 last year.

Firm partner Craig Hoffman, of the privacy and data protection team, said the number of incidents detected and reported are expected to continue to increase in 2019. “There are more notification laws, so more entities are required to provide notice than in the past,” Hoffman said. “There are also better tools for detecting incidents, so incidents that were never detected before are now being identified.”

One trend that stood out is the increase in the amount of ransom being demanded when an attacker seizes a company's computers. In 2018, 12 percent of the BakerHostetler cases involved ransom demands, the report said, and the average payment was about $29,000.

But in the first three months of 2019, Hoffman said, “there have been several ransomware threat actors demanding higher ransoms,” including three separate instances of payments of $1 million.

There is always a risk of the attacker taking the money but keeping the computers locked up. The report said that 91 percent of the time when a ransom was paid, a decryption key was received.

Companies and their general counsel do not make ransom decisions lightly. Hoffman said, “There are a host of reasons that get thrown around when companies go through the pay—don't pay debate. Often the decision comes down to are there backup options that get operations restored in a time frame that is acceptable, or not.”

If not, he said, then the client often decides to pay. The other option would be suffer the impact of downtime while rebuilding the infected system, according to the report.

“Entities continue to overestimate the ability to restore and the time to restore,” the report said. “Consider your entity's approach to paying a ransom before a ransom scenario occurs, including under which scenarios you would pay and how you would pay.”

Of the 750 total cases, the report said 37 percent were caused by a phishing attack. Another 30 percent involved a network intrusion, while 10 percent occurred after a company device or records were lost or stolen.

“Raising employee awareness and employing multifactor authentication are still two of the best defenses against these attacks,” said Theodore “Ted” Kobus, chair of the law firm's privacy and data protection team, in the report.

“Cyberattacks continue,” Kobus noted, “whether motivated by monetary gain, to disrupt business operations, or to obtain information for a nation-state.”

Besides the damage to a company's data and to its reputation, a cyberattack can be extremely costly to investigate and shut down. Those costs can be followed by regulator penalties, lawsuits and charges for such things as offering free credit monitoring to consumers.

The report said the average cost of all its forensic investigations in 2018 was $63,000, while the average cost of the 20 largest network intrusions was almost $350,600.

It said in 397 cases where customers were notified of a data breach, four lawsuits were filed. State attorneys general opened inquiries in 34 percent of the cases.

Court decisions “continued to trend toward finding standing in data breach class actions, even in the absence of actual financial loss suffered by the named plaintiffs,” the report stated. The Supreme Court declined earlier this year to review a case that granted standing in a data breach case. “Thus, the trend toward finding standing will likely continue,” the report predicted.

International laws, such as the European Union's General Data Protection Regulation, have made incident response more complex because of detailed regulatory reporting requirements, the report said. More than 25 percent of the incidents BakerHostetler worked on involved international laws.

The report includes an interactive map showing U.S. breach notification laws by state. It also has the European Union data breach notification resource map.