New report on security incidents finds: it’s the detection, stupid
A new report underscores the importance of early detection of cyber incidents in limiting their severity.
Candidate Bill Clinton’s campaign strategist James Carville made the phrase “the economy, stupid” famous back in the early 1990s, when he scrawled it on a whiteboard in the campaign’s “war room” to focus himself and the rest of Clinton’s (successful) campaign on the topics that the campaign was driving and that were most important to voters.
For companies staring down the threat of sophisticated and unsophisticated cyber attacks, the whiteboard in the war room should carry a similar message. Specifically: “it’s the detection, stupid.” That’s the unmistakable conclusion of the recent Data Security Incident Response Report by the firm Baker Hostetler, which found that companies still lag in detecting cyber incidents within their environments.
The time from initial occurrence to detection averaged 61 days across all incident types, the firm reported. By comparison, the average period for containment of the incident after detection was just 8 days, Baker Hostetler said. Eighteen percent of the incidents the firm studied that involved a network security attack went undetected for more than six months. And six incidents Baker Hostetler studied went undetected for more than a year.
The report, which was released this week, analyzes data collected from more than 450 security incidents Baker Hostetler managed for clients in 2016. The delay in detecting breaches is a major problem, Baker Hostetler warns. “Faster detection usually means there will be more certainty about what occurred due to better available forensic data. It also aids better mitigation of post-incident consequences,” the company said.
For very long-lived incidents, it may be difficult for firms to fully reconstruct what happened, as logs and other data useful to forensic investigators are overwritten or disappear.
That’s why detection is the critical first step, and an area that firms need to devote resources to, Baker Hostetler concludes. Accurate, early detection followed by fast and efficient investigation of cyber incidents leads to easier resolution, including effective containment of cyber incidents and – critically – notification of affected parties.
That latter piece – notification – is especially critical as firms in the EU, US and most other countries come to grips with the impact of the EU’s GDPR (General Data Protection Rule), which sets a high bar for notifying authorities about cyber incidents and breaches, and sets stiff penalties for those that fail to fulfill their obligations to regulators and the public.
No surprise: Baker Hostetler found that cyber incidents affected organizations in every major industry, with most incidents clustered in four sectors: healthcare (35%), finance and insurance (16%), education (14%) and retail (13%). The average size of the incident was highest in the retail sector, where an average of 297,000 individuals were notified per incident studied (most of these were payment card breaches). An average of 61,000 people were notified in the healthcare sector breaches Baker Hostetler studied, while incidents in the finance (7,000) and education (4,000) sectors affected far fewer individuals.
Data theft was common, with 34% of network intrusions the company investigated revealing evidence of data exfiltration.
Phishing attacks and malware are still the tip of the spear for companies, with 43% of the incidents Baker Hostetler studied involving phishing, hacking, or malware in some way. In sectors like retail, phishing and malware represented the bulk of incidents (65%), with other causes such as internal theft, employee mistakes and lost or stolen devices contributing only a small share of the total.
Finally: cyber incidents are going to cost you – there’s no avoiding it. Baker Hostetler said the average total cost of a forensic investigation in 2016 was $62,290, with the highest cost more than $750,000. Some good news, however: a tiny minority of disclosed incidents – less than 5% – resulted in lawsuits against the breached firm. That’s a trend that Baker Hostetler chalks up to better and more consistent communication with affected customers, as well as recovery services. Courts are also making it more difficult to litigate class action and other consumer lawsuits in breach cases, the company said.