Among the many things that Equifax has been criticized for, one of them is the amount of time it took the company to identify, contain and then notify customers about the breach. The breach initially occurred on May 14th but went undetected until in the very end of July. From there, it took the company an additional month to official announce that the breach occurred.
But the sad truth is Equifax’s response time is actually a lot faster than a lot of other organizations that suffered data breaches. One of the factors that The Ponemon Institute looks at in their annual Cost of a Data Breach Report is what they call the breach lifecycle. The lifecycle of a breach is defined as the time between when a data breach initially occurs and when the breach is finally contained. And the average breach lifecycle is shockingly long. According to the report, the average lifecycle came to a total of 279 days — a combination of 206 days to identify the breach and 73 days to contain it. And the report found that this number grew significantly over the past year, representing an almost 5% increase over 2018’s breach lifecycle of 266 days.
The impact of a long breach lifecycle for a company is not just a public perception of incompetence, it also dramatically increases the costs experienced. The report found that organizations with a breach lifecycle longer than 200 days saw much higher costs. Breaches that took under 200 days cost an average of $3.34 million, where long breach cycles were found to be 37% or $1.22 million more costly for organizations, for a total average of $4.56 million. Simply put, the faster a data breach can be identified and contained, the lower the costs.
Shortening the Lifecycle of a Breach
It is therefore pretty apparent that, in the event a breach occurs, organization’s need to be prepared to respond as quickly as possible. Response to a breach involves two basic elements: detection and containment. Here are a few ways organizations can help reduce the length for both.
The Ponemon report shows that detecting a breach is by far the largest factor in the length of a breach’s lifecycle. Malicious attacks want to keep their access for as long as possible, so will work to cover their tracks. And breaches caused by errors are often overlooked because, well, if we knew we made a mistake we wouldn’t have made it.
It’s therefore important to constantly stay vigilant for signs that a breach has occurred. It can be difficult to constantly monitor all systems for any anomalies. Intrusion detection systems (IDS) are helpful here as well as Security Information and Event Management (SIEM) systems which collect system information (logs) and will provide alerts if there is anomalous activity. It the very least it is important to centralize your logging, conduct regular vulnerability and anti-malware scans of removable devices and regularly check your administrative accounts for unauthorized changes or additions.
And while different types of breaches produce different signs, there are a number of general indications that can help tip off when something is wrong. Repeated system crashes, unusually high system activity, and unapproved configuration changes are all common indications of an attack. It may be nothing, but it’s far better to be overly cautious than to assume everything is fine only to later find out something was wrong after all.
The first step to containing a breach should actually happen before a breach even occurs: implementing an incident response plan and regularly practicing responses to cyber-attacks. The Ponemon report found that organizations with incident response plans and who simulate attacks were able to reduce the cost of a breach $1.23 million.
The response itself largely depends on the cause of the breach. Whether it’s applying new security patches, updating user credentials, wiping stolen devices or something else, the essential point to is be able to quickly identify how the breach occur and respond accordingly. The time to prepare is before a breach, not after.
Also published on Medium.