When a data breach happens on one of your systems, how fast do you think you can prevent it from spreading? Moreover, how fast do you think you need to act?
A recent threat report found that hackers from Russia were able to access critical systems in 20 minutes, the fastest in the world.
Finding and containing a breach in less than 20 minutes is not easy. In fact, the average time it takes for an organization to detect a breach is about 6.5 months (197 days), while the average time to contain a breach is 69 days. This is why when a data breach is disclosed, it’s often months after it actually occurred.
Being able to limit a data breach can prevent more data from being lost and decrease associated costs, including compliance fines. This means that companies should aim to find and contain breaches as soon as possible.
Source: Ponemon Institute
Who Detects Breaches
Being able to internally detect security alerts is important for your company. Internal detection (from security systems, IT/security experts, employees, etc.) can save your business the embarrassment of a lack of security self-awareness and perhaps put a stop to the breach earlier. However, a majority of breaches are usually detected by external parties, such as third-party providers, law enforcement and in some cases, consumers.
Why Does Breach Detection Take So Long?
When Marriott disclosed their data breach in November last year, they said that they first learned of the breach in September 2018. That’s about two months between the discovery and the disclosure. They also found that hackers had been accessing their systems since November 2014. That’s a four-year gap between the initial compromise and the time they discovered the breach!
The amount of time it takes to discover a data breach depends on the type of attack. For example, stolen credit card information is often not detected until fraudulent activity is determined. In the case of a third-party breach, a company won’t know they’re at risk until they are told by the third party.
On the other hand, a cyber criminal who manages to hack privileged credentials can get away with snooping around their victim’s network undetected.
How Can I Protect My Business Data?
1. Identification: It’s important to be aware of key indicators of compromise and know how to identify them. Such signs can include multiple login attempts, slow internet traffic, unusual login activity (e.g. from strange countries or unknown devices) and unauthorized users trying to access confidential data. It’s important to teach your employees these types of signs so that they can help prevent potential attacks.
2. Detection: Using automated security tools like a SIEM system is vital in detecting potential attacks. SIEM uses behavioural analytics to detect suspicious activity across your network. It does this by collecting data from all your devices and correlating it with global threat intelligence feeds and use cases. SIEM can detect behaviours like multiple logins, access from suspicious IP addresses and more. Automated tools like SIEM are faster than relying solely on teams to detect threats and are therefore important in protecting your data.
3. Monitoring: In order to determine what seems suspicious, you need to monitor your networks to establish a baseline. Our Monitor IT solution provides real time reporting on your IT infrastructure and systems to ensure your infrastructure uptime availability and performance. The technicians in our Network Operations Centre will monitor your infrastructure and bring attention to availability and operating performance.
4. Prevention: Active prevention through human insight and security solutions like next generation firewalls is a continuous process. Threats are always changing and evolving, which is why it’s important to stay up-to-date. As part of your prevention process, you should conduct regular cyber awareness training for your employees so they can spot common attacks and navigate the web safely. In conjunction with that, use preventative security solutions like firewalls to block malware from entering your network.
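To make the identification, detection and monitoring steps above concrete, here is an added example (not from the original article and not any vendor's SIEM logic) that builds a per-user baseline from past logins and flags the indicators listed in step 1. The event format, user names, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, country, device, outcome).
BASELINE = [
    ("2024-03-01T08:58:00", "alice", "CA", "laptop-01", "success"),
    ("2024-03-01T09:10:00", "bob", "CA", "desktop-07", "success"),
]
LIVE = [(f"2024-03-04T02:10:{s:02d}", "bob", "CA", "desktop-07", "failure")
        for s in range(0, 50, 10)] + [
    ("2024-03-04T03:15:00", "alice", "NZ", "unknown-99", "success"),
    ("2024-03-04T09:00:00", "alice", "CA", "laptop-01", "success"),
]

FAIL_THRESHOLD = 5                   # assumed value; tune per environment
FAIL_WINDOW = timedelta(minutes=5)   # assumed value

def build_baseline(events):
    """Record the countries and devices each user has logged in from."""
    seen = defaultdict(lambda: {"countries": set(), "devices": set()})
    for _, user, country, device, outcome in events:
        if outcome == "success":
            seen[user]["countries"].add(country)
            seen[user]["devices"].add(device)
    return seen

def detect(events, baseline):
    """Return (timestamp, user, reason) for events that deviate from baseline."""
    alerts, failures = [], defaultdict(deque)
    for ts, user, country, device, outcome in sorted(events):
        when = datetime.fromisoformat(ts)
        if outcome == "failure":
            recent = failures[user]
            recent.append(when)
            while when - recent[0] > FAIL_WINDOW:   # drop failures outside window
                recent.popleft()
            if len(recent) == FAIL_THRESHOLD:       # alert as threshold is reached
                alerts.append((ts, user, "repeated failed logins"))
            continue
        known = baseline.get(user, {"countries": set(), "devices": set()})
        if country not in known["countries"]:
            alerts.append((ts, user, "login from new country"))
        if device not in known["devices"]:
            alerts.append((ts, user, "login from unknown device"))
    return alerts

if __name__ == "__main__":
    for alert in detect(LIVE, build_baseline(BASELINE)):
        print(*alert)
```

The same login from alice's usual country and laptop later that day raises nothing, which is the point of establishing a baseline before alerting.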