The United Nations Conference on Trade and Development estimates that the spread of COVID-19 will depress global economic growth in 2020 to below 2.5%, the recession threshold. Organizations are already seeing weak demand and falling revenue and profits, and are responding with cost-containment measures and canceled investments. These changes will almost certainly affect physical security technology and cybersecurity projects: the latest figures from Gartner and Forrester anticipate a decline in global IT spending, including cybersecurity budgets.
While prompt detection of security incidents has always been critical, it is even more vital during an economic downturn. According to the 2019 Ponemon Cost of a Data Breach Study, the longer it takes a company to detect and contain a breach, the more it costs. Organizations that take more than 200 days to identify and contain a breach pay 37% more than those that resolve incidents sooner. Those steeper costs are harder to absorb now and could even put a company out of business.
How long does incident detection currently take?
A malicious user can copy a large volume of sensitive data in minutes, and modern attacks and malware, ransomware in particular, can strike just as fast. Fast detection is therefore critical to preventing data theft, data encryption and other damage. A SANS report confirms that businesses need to detect incidents within minutes, or at most a few hours, to keep data security risk manageable.
The Netwrix 2020 Data Risk and Security Report finds that organizations struggle to detect security incidents promptly at all six stages of the data lifecycle. The most problematic stage is data storage: it takes organizations days (43%) or weeks (23%) to discover sensitive data outside of secure locations, such as in cloud storage or in enterprise applications like Microsoft Teams. The archive stage is nearly as bad; companies need days (38%) or weeks (28%) to detect breaches there.
How can you spot incidents faster?
To detect threats promptly, organizations need clear visibility into where their data resides, how sensitive it is and who has access to it. They also need to be able to quickly spot and investigate suspicious activity so they can act to contain threats. I suggest the following measures to speed up incident detection and ensure timely, effective response:
- Understand which data requires attention. You need to know exactly which data is most valuable and therefore the likeliest target for threat actors. Data classification helps you identify which information is sensitive and where it is located so that you can take appropriate steps to protect it. Ideally, an automated solution will regularly verify that all critical data resides only in approved locations and remediate any overexposure (for example, a payroll export copied into a general team channel) before the data can be exfiltrated or encrypted. Because users create and move files constantly, this check has to run continuously, not once.
- Closely monitor user activity around data. The longer attackers can dwell undetected in your IT environment, the more time they have to move around, identify your most critical files and steal them. A user behavior analysis and monitoring tool is essential for quickly spotting both overt and subtle indicators of attack, such as activity outside of business hours, unusual data access patterns and bursts of failed logons. A solution that proactively alerts you to abnormal spikes in user activity relative to each user's normal baseline lets you respond to threats even faster, while keeping alert volume low enough that analysts actually act on it.
- Have an actionable incident response plan. Finally, it is essential to have a detailed incident response plan and to test it regularly to make sure it works as intended. Ideally, the plan will include procedures for handling and reporting incidents, as well as guidelines for communicating with outside parties. A solid plan helps you act more quickly in the event of a security incident so you can minimize the damage. If you want to revise your existing plan or create a new one, use best-practice standards such as NIST SP 800-61 Rev. 2 and ISO/IEC 27035 as a starting point.
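The first measure above, finding sensitive data and flagging copies stored outside approved locations, looks like this in code. This is an added example written for this article, not code from the original page or from any product; the detection patterns, the list of approved path prefixes and the sample file inventory are assumptions chosen for illustration, and the credit-card pattern is validated with a Luhn checksum so that order numbers and other random digit runs do not produce false positives.

```python
"""Classify documents by sensitive-content patterns and flag copies stored
outside approved locations. Added example: the patterns, sample inventory
and approved-location list are assumptions for illustration, not the logic
of any particular product."""
import re

# Patterns for the data classes we care about. The credit-card pattern is
# deliberately loose and is validated with the Luhn checksum below, which
# cuts false positives on order numbers and other random digit runs.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "api_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AWS access key ID format
}

# Only these path prefixes are approved for storing sensitive data (assumed).
APPROVED_PREFIXES = ("/secure/",)


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive-data labels found in `text`."""
    labels = set()
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "credit_card" and not luhn_ok(match.group(0)):
                continue        # digit run that is not a plausible card number
            labels.add(label)
            break
    return labels


def find_overexposed(inventory, approved_prefixes=APPROVED_PREFIXES):
    """Return [(path, labels)] for sensitive files outside approved locations.

    `inventory` is an iterable of (path, content) pairs, e.g. from a crawl of
    file shares, cloud storage or collaboration-app exports.
    """
    findings = []
    for path, content in inventory:
        labels = classify(content)
        if labels and not path.startswith(approved_prefixes):
            findings.append((path, sorted(labels)))
    return findings


# Constructed inventory standing in for a real crawl. The AKIA... value is
# the placeholder key from AWS documentation, not a live credential.
INVENTORY = [
    ("/secure/hr/payroll.csv", "name,ssn\nAda,123-45-6789\n"),
    ("/teams/general/onboarding.txt", "Temp SSN for test account: 123-45-6789"),
    ("/teams/finance/q1.txt", "Card on file 4111 1111 1111 1111"),
    ("/cloud/share/notes.txt", "Meeting at 10, ticket 1234567890123456"),
    ("/cloud/share/deploy.env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"),
]

if __name__ == "__main__":
    for path, labels in find_overexposed(INVENTORY):
        print(f"OVEREXPOSED {path}: {', '.join(labels)}")
```

Run against the constructed inventory, the payroll file in /secure/ is classified but not flagged, the 16-digit ticket number in notes.txt fails the Luhn check and is ignored, and the three copies outside the approved prefix (an SSN in a team channel, a card number in a finance note, an access key in a shared .env file) are reported. In a real deployment the inventory would be fed by a scheduled crawl and the findings routed to whoever owns remediation.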
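The second measure, monitoring user activity for off-hours access, failed-logon bursts and abnormal spikes, can be illustrated with a few detections run over access-log lines. This is an added example written for this article, not code from the original page or from any monitoring product; the log line format, the business-hours window, the thresholds, the per-user baselines and the sample log are all constructed assumptions.

```python
"""Run three simple user-activity detections over access-log lines: reads
outside business hours, bursts of failed logons, and per-user daily read
counts far above baseline. Added example: the log format, business-hours
window, thresholds, baselines and sample log are assumptions for
illustration, not the format or logic of any particular product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One event per line: "<ISO timestamp> user=<u> action=<a> [path=<p>] result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: path=(?P<path>\S+))? result=(?P<result>\S+)$"
)
BUSINESS_HOURS = range(7, 20)                # 07:00 to 19:59 (assumed)
FAILED_LOGON_THRESHOLD = 5                   # this many failures ...
FAILED_LOGON_WINDOW = timedelta(minutes=10)  # ... within this window
SPIKE_FACTOR = 4                             # reads/day above 4x baseline is a spike
# Typical successful reads per day per user, e.g. learned from a quiet month (assumed).
BASELINE = {"alice": 3.0, "carol": 1.0}

# Constructed sample log: a normal user (alice), a password-guessing burst
# that eventually succeeds (bob), and a night-time bulk read by a quiet
# account (carol).
SAMPLE_LOG = """\
2020-04-06T09:12:01 user=alice action=logon result=success
2020-04-06T09:15:22 user=alice action=read path=/secure/hr/payroll.csv result=success
2020-04-06T09:40:10 user=alice action=read path=/secure/hr/benefits.xlsx result=success
2020-04-06T11:02:05 user=bob action=logon result=failure
2020-04-06T11:02:09 user=bob action=logon result=failure
2020-04-06T11:02:14 user=bob action=logon result=failure
2020-04-06T11:02:20 user=bob action=logon result=failure
2020-04-06T11:02:27 user=bob action=logon result=failure
2020-04-06T11:02:33 user=bob action=logon result=success
2020-04-07T02:13:44 user=carol action=logon result=success
2020-04-07T02:14:01 user=carol action=read path=/secure/hr/payroll.csv result=success
2020-04-07T02:14:09 user=carol action=read path=/secure/hr/benefits.xlsx result=success
2020-04-07T02:14:15 user=carol action=read path=/secure/legal/contracts.zip result=success
2020-04-07T02:14:22 user=carol action=read path=/secure/finance/q1.xlsx result=success
2020-04-07T02:14:30 user=carol action=read path=/secure/finance/q2.xlsx result=success
2020-04-07T02:14:37 user=carol action=read path=/secure/hr/terminations.csv result=success
"""


def parse_log(text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def off_hours_access(events):
    """Successful data reads outside business hours, as (ts, user, path)."""
    return [(e["ts"], e["user"], e["path"]) for e in events
            if e["action"] == "read" and e["result"] == "success"
            and e["ts"].hour not in BUSINESS_HOURS]


def failed_logon_bursts(events):
    """Users with >= FAILED_LOGON_THRESHOLD failures inside a sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "logon" and e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGON_WINDOW:
                start += 1          # slide the window forward
            if end - start + 1 >= FAILED_LOGON_THRESHOLD:
                flagged[user] = end - start + 1
                break
    return flagged


def read_spikes(events, baseline=BASELINE):
    """(user, day) pairs whose successful reads exceed SPIKE_FACTOR x baseline.

    A user with no baseline gets 0, so any read by an unknown account is flagged.
    """
    per_day = defaultdict(int)
    for e in events:
        if e["action"] == "read" and e["result"] == "success":
            per_day[(e["user"], e["ts"].date())] += 1
    return {(user, str(day)): n for (user, day), n in per_day.items()
            if n > SPIKE_FACTOR * baseline.get(user, 0)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("off-hours reads:", off_hours_access(evs))
    print("failed-logon bursts:", failed_logon_bursts(evs))
    print("read spikes:", read_spikes(evs))
```

On the sample log, alice's daytime reads produce nothing, bob's five failures in under a minute trip the burst rule, and carol is flagged twice, once for reading at 02:00 and once for six reads against a baseline of one per day. The two carol hits landing on the same account within seconds is exactly the kind of correlation an analyst should get as one alert rather than a dozen.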
No matter how much the economic situation changes, prompt detection and response to cyber threats must remain a core priority for your organization. The ability to spot and address incidents in their early stages will help you avoid data breaches and their unpleasant consequences, including business downtime, lost revenue, costly security investigations and fines from regulatory bodies. As a result, you can save your budget for mission-critical tasks that will bring your organization value in the long run.