Mark Twain famously popularized the saying, “There are three kinds of lies. Lies, damn lies, and statistics,” attributing the original thought to British Prime Minister Benjamin Disraeli. Like many utterances that stand the test of time, there is a measure of truth in suggesting that statistics can be manipulated in a way that hides, rather than discloses, the truth about a given matter. But this reality does not mean we shouldn’t carefully consider the significance and implications of available data.
Consider, for example, PwC’s “The Global State of Information Security 2015,” which reports that in 2014 there were 42.8 million detected information security incidents. The study suggests that the number of incidents detected rose by 48 percent over 2013, and that the associated costs rose by 34 percent.
At roughly the same time as the study was released, software security group Kaspersky Lab Z.A.O. issued the results of its study, which said that there were 2.4 times the number of targeted cyber attack victims in the corporate sector in 2014 than in 2013.
The data in both these studies is valuable, but spending time wading through the data to identify where they differ likely is less valuable for the corporate executive who is concerned with building the company’s capability to effectively deal with data breaches. What is important is understanding that the cyber threat is building, and that while reducing vulnerability to breaches is critical, it is not possible to reduce the threat to the point at which a corporation is no longer vulnerable.
It follows that there is another statistic that warrants attention. Once an organization is breached, it becomes exceedingly important that the breach be discovered and repaired as quickly as possible. How are we doing in that regard? Security provider FireEye just released its threat report “MTrends 2015: A View From the Front Lines.” To the question of how long it takes to discover a breach, the report has this to say: “Organizations made some gains, but attackers still had a free rein in breached environments far too long before being detected — a median of 205 days in 2014 vs. 229 days in 2013.”
Think about it. Right now, it takes many companies roughly seven months before a breach is discovered and even then the way the breach is detected may come from resources outside the company. According to FireEye, “the number of organizations discovering these intrusions on their own remained largely unchanged. Sixty-nine percent learned of the breach from an outside entity such as law enforcement …”
Herein lie the implications of the data: cyber attacks are increasing, and companies whose defenses are breached and who fall victim to an attack often do not discover it until well after the initial assault, leaving plenty of time for damages to multiply.
We know attacks are increasing and the costs associated with the attacks are rising.
It is clear that the amount of time it takes to detect and remedy a breach adds cost.
It is apparent that, because most breaches are discovered by an entity outside the company, keeping the incident quiet is not in the cards.
Therefore, companies must accelerate their response planning and training to ensure they have the capability to manage the mandatory and discretionary disclosures and associated response activities that, done effectively, can mitigate the damage and enable the company to continue its daily operations with minimal disruption.
That’s the truth about currently available cybersecurity statistics.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
March 10, 2015