Sunday, 20 August 2023

Security breach – it’ll never happen! Part 2

This time we continue our look at IBM Security’s latest Cost of a Data Breach Report.

I thought that it would be useful to see what recommendations the report had for busy IT security teams.

37% of ransomware victims opted not to involve law enforcement to help contain a ransomware breach, but those that did experienced a less costly ransomware breach overall. The average cost of a ransomware breach was US$5.11 million when law enforcement wasn’t involved and US$4.64 million when law enforcement was involved – a 9.6% difference.

The total amount of time to identify and contain a ransomware breach was 33 days shorter with law enforcement involvement, at 273 days in total compared to 306 days (a saving of 11.4%). The mean time to contain a ransomware breach was 63 days or 23.8% shorter with law enforcement involvement compared to 80 days without.

For organizations that experienced a ransomware attack, those that used automated response playbooks or workflows designed specifically for ransomware attacks were able to contain them in 68 days compared to the average of 80 days for organizations without automated response playbooks or workflows (16% less).

Does paying the ransom actually save your organization any money? The report suggests that the savings are minimal. Their findings were that the cost of a ransomware attack for an organization that paid the ransom was US$5.06 million. If the organization didn’t pay the ransom, the cost was US$5.17 million – a difference of 2.2%. However, the figures don’t include the cost of the ransom itself. The report suggests that paying the ransom is probably not a cost-effective strategy overall.

The report strongly makes the case for the use of security AI, saying that organizations with extensive use of security AI and automation identified and contained a data breach 108 days faster than organizations that didn’t use AI or automation. What falls into that category includes the use of AI, machine learning, automation, and orchestration to augment or replace human intervention in detection and investigation of threats as well as the response and containment process. On the opposite end of the spectrum are processes driven by manual inputs, often across dozens of tools and complex, non-integrated systems, without data shared between them.

In addition, there were cost savings with AI and automation. The report found a US$1.76 million lower data breach costs compared to organizations that didn’t use security AI and automation capabilities.

Perhaps not surprisingly, the report found that 51% of organizations are planning to increase their security investments as a result of a breach – although one must worry about the other 49%. For those who are planning to invest, the top areas identified included incident response (IR) planning and testing, employee training, and threat detection and response technologies.

The report recommends that organizations take a DevSecOps approach tin order to build security into any tools or platforms an organization depends on to engage its workforce or its customers. Organizations of all types, the report says, should look to ensure that security is at the forefront of the software they’re developing as well as commercial off-the-shelf software that they’re deploying. Application developers must continue to accelerate the adoption of the principles of secure by design and secure by default to ensure that security is a core requirement that’s considered during the initial design phase of digital transformation projects and not simply addressed after the fact. The same principles must be applied to cloud environments to support cloud-native app development in order to makes a serious effort to protect user privacy and minimize attack surfaces.

The report recommends application testing or penetration testing from the perspective of an attacker in order to give organizations the opportunity to identify and patch vulnerabilities before they turn into breaches. No technology or application will ever be fully secure, and adding more features introduces new risks. Ongoing application testing can help organizations identify new vulnerabilities.

The report suggests that organizations should strengthen their resiliency by knowing their attack surface and practicing their Incident Response (IR). Various tools can help organizations gain an attacker-informed perspective into their unique risk profile and vulnerabilities, including which vulnerabilities are readily exploitable.

Secondly, having a team in place that’s versed in the right protocols and tools to respond to an incident has been shown to significantly reduce costs and the time to identify and contain a breach. Organizations with high levels of these countermeasures in place incurred US$1.49 million lower data breach costs compared to organizations with low levels or none.

Another recommendation is for organizations to implement network segmentation practices to limit the spread of attacks and the extent of damage they can cause, strengthening overall resiliency and reducing recovery efforts.

The report also recommends that organizations modernize data protection across hybrid cloud. 82% of data breaches in the report involved data stored in cloud environments, and 39% of breaches included data that spanned multiple types of environments. The report recommends gaining visibility and control of data spread across hybrid cloud as a top priority for organizations, and should include a focus on strong encryption, data security, and data access policies.

Newer technologies such as data security posture management can help find unknown and sensitive data across the cloud, including structured and unstructured assets within cloud service providers, software as a service (SaaS) properties, and data lakes. This can help identify and mitigate vulnerabilities in underlying data store configurations, entitlements, and data flows.

Organizations also need to deploy strong identity and access management (IAM) strategies that include technologies such as multifactor authentication (MFA), with particular focus on managing privileged user accounts that have an elevated access level.

There are plenty of evidence-based suggestions in the Cost of a Data Breach Report that most sites would be wise to implement before a data breach happens to them (again) because they need to realize that a breach can definitely happen to them.

No comments: