Tuesday, 9 April 2024

How long would it take your organisation to detect a data breach?

Data suggests that it takes an organisation 212 days to detect a data breach and 75 to contain it. We ask: how much damage could attackers do in that time?

According to IBM Security’s Cost of a Data Breach Report for 2022, 83 per cent of organisations have experienced more than one data breach. Unfortunately, as with so many cyber-security threats, the likelihood of your organisation suffering a data breach is a question of “when” not “if”.


Data from Mimecast suggests that it takes an organisation, on average, 212 days to detect a data breach. It then takes a further 75 days to contain the breach.

We have to ask: how much damage could attackers do in that time?


What is a data breach?

It is worth noting first that not every data breach is the result of attackers exploiting weak cyber security.

The Information Commissioner’s Office (ICO) offers some examples of potential data breaches on its website. They include data breaches as a result of human or system error and data breaches as a result of internal and physical theft.

However, the greatest threat remains bad actors exploiting weak cyber defences. For example, one of the largest breaches reported in 2023 involved some 235 million email addresses leaked after being stolen from the X social media platform (then Twitter).


How are most breaches discovered?

IBM’s Cost of a Data Breach Report 2023 found that only one third of the breached organisations surveyed discovered the breach through their own security teams. The remaining two thirds of breaches were disclosed either by a benign third party or by the attackers themselves.

Breaches disclosed by the attackers cost organisations nearly $1 million more on average than breaches discovered by internal detection. For reference, the report’s sample included large enterprises, and it put the global average cost of a data breach at $4.45 million (US dollars).

These mind-boggling statistics serve to illustrate exactly why there is a need for better threat detection and discovery across the board.


Case study: The British Library

Although Mimecast says it takes an average of 212 days to detect a data breach, the time to detection varies widely from case to case. Some breaches, as in the case of the British Library, become public very quickly.

In October 2023, the British Library’s Wi-Fi and then its website went down following a cyber-attack. A data breach was subsequently reported on 31 October. The attackers reportedly demanded a ransom, which the library declined to pay.

The ransomware group named Rhysida claimed the attack. At the end of November 2023, Rhysida announced that it planned to auction off the stolen data, which included passport scans, for 20 bitcoins (about £600,000).

In response, the British Library worked with the UK’s National Cyber Security Centre to investigate the attack and the claims made by the ransomware group. It advised users to change their login passwords as a precaution. Computer Weekly reported speculation that the Rhysida gang gained access to the British Library’s systems through a vulnerability in its VMware ESXi virtual machine infrastructure, although this had not been confirmed at the time of writing.

Meanwhile, the impact continued to fan out. About 20,000 published authors, who receive 13p (up to an annual maximum of £6,600) each time one of their books is borrowed from a library under a scheme administered by the British Library, had their payments delayed as a result of the attack. In March 2024, the British Library said that its custodianship and research functions had been the most severely hit during the crisis, because they depended directly on the core collection-access systems that were lost.

In this instance, the cyber-attack was noticed immediately because its effects were felt straight away in the loss of Wi-Fi and the website. The data breach itself came to light soon after, because of the ransomware group’s modus operandi: claiming the attack and publishing samples of the stolen data on its dark-web leak site.

As a result, the British Library was able to report the data breach quickly. This matters because, under Article 33 of the UK GDPR, organisations must notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The 72-hour clock therefore starts at awareness, not at the moment of intrusion, which is one reason undetected breaches are so costly when they finally surface. However, the library came under fire for its slow response in communicating directly with those affected.


Is the British Library’s experience typical?

The British Library’s experience is commonplace in terms of the type of attack: a ransomware intrusion combined with data theft and a ransom demand. However, the speed with which it was discovered and made public was much faster than usual. This was partly because the disruption to key services alerted the British Library to the attack, and partly because the attackers claimed responsibility so quickly.

At the other end of the scale, we have data breaches which are years in the making. And, of course, data breaches which are never discovered.

If two thirds of breaches are only discovered when the attackers or another third party tell the victim about them, it seems obvious that many data breaches are going completely undiscovered.


Could your organisation detect a data breach?

There are a number of ways in which a data breach is detected:

•    Suspicious network activity which alerts you to a possible cyber security breach and is then investigated.

•    Ransom demands from attackers.

•    Your data appearing for sale on the dark web.

•    Third-party security researchers or “white hat” investigators alerting you to cyber security weaknesses and/or the breach.

•    Announcements by technology vendors about security vulnerabilities and patches in response to known threats, which cause affected organisations to investigate whether these vulnerabilities have been exploited whilst unpatched.

Given the financial impact of waiting for the attackers or another third party to tell you about a data breach, ideally you need to be monitoring activity throughout your network so you aren’t relying on third parties to detect a breach.

Warning signs of suspicious cyber activity include:

•    Alerts from your anti-malware, antivirus or other security tools

•    Suspicious network activity or unexplained changes to network traffic identified through your SIEM or network monitoring tools

•    Sudden changes to critical infrastructure or system passwords or accounts

•    Suspicious files in your system (which may or may not be encrypted)

•    Loss of network, email, social media accounts or website

•    Other performance issues or outages
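Three of the warning signs above (sudden changes to privileged accounts, unexplained changes in network traffic, and a system going quiet) can be turned into simple automated checks. The following is an added example written for this page, not code from Grant McGregor or any vendor product. It runs over a handful of constructed log lines in a made-up pipe-delimited format; the account names, IP addresses, baselines and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs). Hypothetical format:
# timestamp|source|event|key=value|...
SAMPLE_LOG = """\
2024-04-01T09:00:00|dc01|password_change|user=alice|by=alice
2024-04-01T09:05:00|dc01|password_change|user=svc-backup|by=bob
2024-04-01T09:30:00|fw01|flow|src=10.0.1.20|dst=203.0.113.9|bytes=1200
2024-04-01T09:35:00|fw01|flow|src=10.0.1.20|dst=203.0.113.9|bytes=800
2024-04-02T02:10:00|dc01|password_change|user=Administrator|by=Administrator
2024-04-02T02:12:00|dc01|password_change|user=svc-backup|by=Administrator
2024-04-02T02:15:00|fw01|flow|src=10.0.1.20|dst=198.51.100.77|bytes=900000000
2024-04-02T02:30:00|fw01|flow|src=10.0.1.20|dst=198.51.100.77|bytes=400000000
"""

# Assumed baselines. In practice these come from your asset inventory and a
# "known good" traffic period, not from hard-coded constants.
PRIVILEGED_ACCOUNTS = {"Administrator", "svc-backup"}
BASELINE_DESTINATIONS = {"203.0.113.9"}
EXPECTED_LOG_SOURCES = {"dc01", "fw01", "web01"}
BUSINESS_HOURS = range(8, 19)                 # 08:00 to 18:59 local time
OUTBOUND_THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB to a destination never seen before


def parse(log_text):
    """Turn the pipe-delimited sample lines into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, *pairs = line.split("|")
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "kind": kind, **fields})
    return events


def privileged_changes_out_of_hours(events):
    """Warning sign: sudden changes to system passwords or accounts.
    Flags password changes on privileged accounts outside business hours."""
    return [
        e for e in events
        if e["kind"] == "password_change"
        and e["user"] in PRIVILEGED_ACCOUNTS
        and e["ts"].hour not in BUSINESS_HOURS
    ]


def exfil_to_unseen_destination(events):
    """Warning sign: unexplained changes to network traffic.
    Sums outbound bytes per destination and flags large volumes sent to
    destinations that never appeared in the baseline period."""
    totals = defaultdict(int)
    for e in events:
        if e["kind"] == "flow":
            totals[e["dst"]] += int(e["bytes"])
    return sorted(
        (dst, total) for dst, total in totals.items()
        if dst not in BASELINE_DESTINATIONS and total > OUTBOUND_THRESHOLD_BYTES
    )


def silent_sources(events):
    """Warning sign: outages or loss of a system. A host that is expected to
    log but sends nothing may be down, isolated, or have had logging disabled."""
    seen = {e["source"] for e in events}
    return sorted(EXPECTED_LOG_SOURCES - seen)


def detect(log_text):
    """Run all three checks and return human-readable alerts for investigation."""
    events = parse(log_text)
    alerts = []
    for e in privileged_changes_out_of_hours(events):
        alerts.append(f"{e['ts'].isoformat()} out-of-hours password change "
                      f"on {e['user']} by {e['by']}")
    for dst, total in exfil_to_unseen_destination(events):
        alerts.append(f"{total} bytes sent to unseen destination {dst}")
    for host in silent_sources(events):
        alerts.append(f"no events received from expected source {host}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```

On the sample data this raises four alerts: two privileged password changes at around 02:00, 1.3 GB sent to an address that never appeared in the baseline, and the expected host web01 sending no logs at all. None of these is proof of a breach on its own, which is the point of the list above: each is a prompt for a human to investigate, and the value lies in raising that prompt on day one rather than on day 212.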

Any of these warning signs require further investigation by your internal cyber security teams or your IT support partner. The sooner, the better.

Ultimately, detection will be affected by the type of breach, and – where the result of a cyber-attack – the attack vector and the behaviour of the attackers.


What now?

If you’d like support with your organisation’s cyber security or incident detection and response, please get in touch with the Grant McGregor team.

Call us: 0808 164 4142

Message us: https://www.grantmcgregor.co.uk/contact-us

Further reading

You can get more advice about cybersecurity topics on our blog:

•    Do your backups include this important information?

•    What is a watering hole attack? And how can you protect against it?

•    Cyber Crime on the rise: how can you protect your organisation from it?

•    Is your organisation doing enough on supply chain security?

•    How to minimise the risk from phishing

•    Learning from Leicester: Cyber-attack causes disruption for council