205 Days. 69 Percent. $3.8 Million. These are important numbers that incident response company Mandiant highlights in their 2015 M-Trends Threat Report and the Ponemon Institute identifies in their 2015 Cost of Data Breach Study: Global Analysis report.
Why are they important? 205 days is the median time between a data breach and discovery of that breach. This is the time that attackers are wandering around inside our networks having their way with our data and our assets. That should make us feel very violated. Perhaps more importantly though, 69 percent of the time those breaches are discovered and reported by an external entity, such as law enforcement or a customer. The Ponemon Institute reports that the average total cost of a data breach in 2014 was $3.8 million, with the average cost of stolen sensitive and confidential information at $154 per record. The healthcare industry blew that number wide open with an average cost of up to $363 per record. Talk about a kick in the gut! So before we can even begin responding to and recovering from a cyber-incident, we need to get our heads around these numbers, because security professionals agree that it’s far less expensive to invest in security pre-incident than it is after the event has occurred.
While most of the best practices for ensuring a coordinated response and smooth recovery are technology related, one of the most important things organizations can do in advance of facing shareholders and the media is to have a well-designed and well-exercised cyber crisis communications strategy and plan. The absolute worst time to try to figure out who is calling the shots is in the middle of an incident, so clarifying in advance who from the company should be involved, who should be making decisions, and who is responsible for specific functions is critical. Early in most incident investigations, very little is known, but that’s when media attention is highest and when an ill-advised comment to the wrong person or media organization can result in costly future legal and liability problems.
One of the first things corporate leadership is often faced with after discovery of a security breach is the question, “Do we immediately pull up the drawbridge and disconnect from the Internet, or do we take the crucial time necessary to figure out exactly what has been compromised?” This is truly a case of choosing between two very bad options! What looks like an easy decision is anything but, because while closing things down looks like the right answer, doing so without knowing the scope of what’s been compromised will probably just alert the bad guys that you know they are there, so they can either go silent until things settle down or continue their nefarious activity using different avenues. This leaves them in charge of the tempo—not you—which should always be avoided if possible. As painful as it is, the best solution is usually to quietly implement some routine technical controls while taking the time to understand the scope of the compromise before shutting things down, which—more bad news—can often take several weeks.
Another thing organizations typically haven’t thought through is how to communicate internally about a security incident, which means they often fall into the bad practice of using internal corporate email to discuss and strategize how to address the problem. If the bad guys are monitoring email (which they probably are), they will know everything being discussed. Establishing out-of-band communications procedures in advance is critical to conducting sensitive internal conversations.
One of the most frequent conversations I have with CEOs is when they say, “I didn’t think we were big enough, important enough, or valuable enough to be worried about a cyber attack.” My response is always the same: “If what you’re doing isn’t important or valuable to someone, why are you in business?” Bad guys are not going away; rather, they are getting more provocative and hostile. Hacks are going to continue, and what distinguishes a company with a good security program from one that falls into the >205 days category is the ability to identify and mitigate a problem quickly. Corporate leadership must stop thinking of this as an IT problem and proactively set the corporate tone for cyber incident response preparedness.
Mark Weatherford is the Senior Vice President and Chief Cybersecurity Strategist at vArmour and Senior Advisor to The Chertoff Group.