The time between when a data breach begins and when you notice the breach can have a dramatic impact on the dollar and reputation cost to mitigate.  Why are data breaches so difficult to detect, and what can you do to minimize the gap between attack and response?

Current Statistics on Data Breach Lag Time

Whether it’s small business, big business, or the government, data breaches are going undiscovered and costing enterprises money:

  • In its November 2016 SEC filing, Yahoo reported they had been aware of an intrusion into their network in 2014, but had not understood the extent of the breach until it began investigation of a separate data breach incident around July 2016.
  • 80 million Social Security numbers and other sensitive data were siphoned from Anthem. Analysis suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion.
  • In March of 2014, the Computer Emergency Readiness Team (CERT)—part of U.S. Homeland Security—determined that cyber attackers had stolen key manuals and blueprints. Also discovered was malware present since 2012, suggesting that the bad actors gained access several years before being detected.
  • While breaches still cost $28,000 for SMBs and $105,000 for big business when instantly detected, a lag time of even seven days bumped up the cost of a security incident to $105,000 and $393,000, respectively.
  • According to research firm Gartner, the average lag time before a breach is detected is 205 days.

Why Breaches Go Undetected

There are several reasons why breaches go undetected:

  • Attempting to stay on top of security threats is challenging and is compounded by the skill shortage in the cyber security industry. Organizations have more threat data than they can analyze.  In fact, in one out of four cases, third parties discover the breach, typically after being affected by it or seeing the data distributed in darknets.
  • Because few attacks disrupt a company’s external services, intruders often remain undetected on the network for long periods of time.
  • Insiders are the cause of many data breaches. and insider incidents are the hardest (and take the longest) to detect. Insider misuse cases are the most likely to take months or years to discover.
  • There’s a benefit to hackers taking their time and striving to stay under the radar: it allows more time to extend a foothold and discover, and mine, valuable data.
  • Despite the staggering evidence that companies are typically slow to detect data breaches, corporate security teams think they’re better than they are. A security survey of 500 IT decision makers revealed that when asked, IT leaders claimed that they discovered most data breaches within 10 hours.

How to Catch Breaches Earlier

The window between breach and discovery is key. This is when cyber criminals are doing the most harm, using stolen data to break into more accounts, steal more data and identities, and transfer funds.

Here are a few ways to close the window between breach and discovery – and minimize breach instances:

  • Employee user monitoring software to protect against insider threats. As mentioned previously, insider threats typically take a long time to discover. Monitoring software listens for suspicious activity (like large file downloads and off-hour access) and alerts on these signals.
  • To protect against the negligent insider who may inadvertently open the door to attack, use the data from monitoring software to identify security-challenged employees. Where must more coaching and training be focused?
  • In cases of employee churn, automate the revoking of privilege across applications.
  • Guard against privileged user misuse. Ensure the right people have access to look at high-value data. Administrators must protect the data; they rarely need to see the data.
  • Close the gap with threat hunting to search through your network to detect and isolate advanced threats that evade existing security solutions.
  • Prioritize alert response: when security information and event management (SIEM) or user monitoring software raise alerts, make the time to investigate.

As mentioned earlier, IT security teams may believe they’re catching breaches quickly. Guard against arrogance, and admit that you very likely have weaknesses in breach detection.

Do’s and Don’ts of Cyber Security in the Word Place
What’s Working in Security Awareness Training
Best tips for Blending Cyber Security and Productivity