On average, how long does it take for a company to discover that a malicious security breach has occurred?
A couple of hours? A couple of weeks?
According to a global report published by the Ponemon Institute, it takes nearly three months.
In 2013 the institute published its Post Breach Boom report, for which it polled more than 3,500 IT security and IT professionals from organisations that had suffered at least one data breach during the previous two years. The purpose was to examine how those breaches had been handled and how well prepared the organisations were to prevent further ones. From the findings, the researchers identified a number of worrying trends in information security.
Despite the attention paid to the importance of information security, more than 50% of respondents agreed that data breaches had become more frequent and more severe over the past two years. Organisations also appear ill prepared to detect or resolve them: only 43% of respondents said their organisation had the funding, personnel and tools needed to prevent data breaches. That is despite widespread agreement that understanding the root causes of breaches can strengthen an organisation's security posture and provide vital insight into its vulnerabilities and loopholes.
Breaches were categorised as 'non-malicious' (caused by a third party, employee negligence or a system error) and 'malicious' (information stolen by a criminal insider or an external attacker). When the root cause was a malicious attack or a malicious insider, the average cost per record was much higher.
Where a malicious breach was discovered, the average time taken to address it was more than four months. In one third of the reviewed cases the breach was detected by a third party rather than by the company's own security monitoring.
More worrying still, 83% of non-malicious breaches involved the loss of a device containing sensitive data, or a failure to degauss or wipe such a device properly, and a further 17% involved business partners, suppliers or contractors losing sensitive data entrusted to them.
The figures are borne out by even a quick glance at the list of financial penalties the Information Commissioner's Office has handed out for serious breaches of the Data Protection Act. It is full of real-life examples, including hard drives containing patient data that turned up for sale on internet auction sites after a third-party supplier had supposedly destroyed them securely. There have also been numerous thefts and losses of unencrypted storage devices, laptops, memory sticks and the like.
Malicious or not, in the majority of cases the breach was not prevented because of inadequate security processes or a lack of in-house expertise. This reinforces the need not only for proper policies and procedures, but also for mechanisms that ensure staff are properly trained and that compliance is followed up.
All breaches cost businesses large sums of money. They also result in lost productivity and damage to brand value and reputation.
Companies are advised to assess the risk of data breaches, not only of electronic data but of paper documents too. Engaging data security consultants and document shredding services can help mitigate the risk of future breaches.