The cost of a data breach has remained consistently high over the previous few years. In its 2020 Cost of a Data Breach Report, for instance, IBM found that the global price tag of a breach averaged $3.86 million. That’s down 1.5% from a year before, but it’s still consistent with previous iterations of the study.
Understanding This Cost in Terms of Dwell Time
Numerous elements factor into the cost of a data breach. One of the most significant among them is dwell time, or the amount of time that elapses between when an attacker first infiltrates an organization’s network and when they’re caught. The more time that attackers have within a compromised network, the greater the likelihood that the cost of the security incident will go up.
Ricardo Villadiego, founder and CEO of cybersecurity company Lumu, expanded upon this relationship as it relates to ransomware in an article for Dark Reading:
When attackers are able to remain undetected inside a network, they may spend weeks or months exploring it in-depth, trying to escalate privileges and leverage those permissions to push ransomware onto as many endpoint devices as possible. They can also use this time to identify critical network resources, such as system backups, network segments storing sensitive data, and other key systems that can be used to disseminate their ransomware widely.
Seen this way, dwell time adds what Solutions Review calls “exponential damage” onto a data breach. Greater dwell time potentially increases the parts of the network infiltrated and the number of accounts compromised, thus costing the organization more in time, legal fees, compliance penalties, and identity restoration services for victims. But it also increases the reputational damage when customers find out that the organization suffered a data breach but didn’t notice for months or years. Such a realization could motivate customers to stop doing business with a victimized organization, thereby threatening its profitability and longevity.
All of this is an issue in light of IBM’s 2020 finding that the average time for an organization to contain a breach was 280 days. This data breach “lifecycle” means that attackers on average have nearly a year to explore their victims’ networks undetected.
On the Need to Reduce Dwell Time
Small- to mid-sized businesses (SMBs) and other organizations need to have capabilities in place through which they can respond to an incident quickly and minimize dwell time. The reality is that many organizations don’t have these means, however. In a survey of more than 800 CISOs, for instance, FireEye found that the majority (51%) of respondents didn’t believe they were prepared to, or would, respond well in the event of a digital attack or data breach. The security firm also learned that nearly a third (29%) of organizations with incident management plans had not tested or updated them in at least the last 12 months.
That’s a problem. Every company experiences cyber incidents every day, even if it doesn’t know about them. From random users forgetting their passwords to true brute-force intrusion attempts, cyber incidents are occurring constantly. Distinguishing the cyber events that are normal from those that represent a cybersecurity risk needs to be SMBs’ focus. As such, the procedures that a company follows in order to identify incidents and respond appropriately make an enormous difference, not only in pinpointing issues but also in providing effective management and control of all responses to minimize negative business impacts.
How to Augment Incident Management
Here are three things in particular that SMBs can do to bolster their incident management efforts:
- Emphasize documentation: SMBs need to document a defined communication and response process. They can begin by identifying types of events, who should be called first, and what parties need to be involved in responding, including IT support, legal counsel, upper management, etc. Not all events need to involve all parties, but the act of establishing criteria and communication paths allows a response to be more effective in times of crisis. Additionally, SMBs need to document a response and recovery plan that includes not only communication paths but also what the recovery process will be. They need to figure out when to temporarily transition to a different facility, what facility that might be, what the process for recovery will be, what the expectations for recovery time will be, etc. They then need to test these plans, even at a high level, to vet their effectiveness. During a crisis is not the time to figure out what works and what doesn’t.
- Create a data backup plan: No recovery process would be complete without a data backup plan. Per TechRepublic, SMBs should consider creating a backup plan for the purpose of setting up a new operating environment in a matter of hours. The success of this plan hinges on having a straightforward playbook that all stakeholders can follow, as well as implementing strong communication measures for coordination. Lastly, organizations should use their data backup plan to ensure they have at least a month’s worth of data from all endpoints on standby to preserve the environment in the event of a ransomware attack or similar incident.
- Invest in deviation detection: One of the ways that SMBs can help to prevent and detect a security incident is via the use of baselining. As noted by the Federal Energy Regulatory Commission, organizations can begin by documenting the normal operations and secure configurations of their network assets. They can then use those baselines to identify and address instances of configuration drift as they arise.
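The baselining step above can be made concrete with a small drift check. The following is an added example, not code from the original guide or from ITEGRITI: it fingerprints an approved configuration, then compares a later collection against it and reports settings that were added, removed or changed. The setting names and values are constructed samples, and hashing the values means the stored baseline records what a setting was without keeping the raw value on disk.

```python
import hashlib
import json


def fingerprint(config):
    """Map each setting to the SHA-256 of its canonical JSON encoding.

    Storing hashes rather than values lets the baseline be kept and shared
    without exposing the configuration contents themselves.
    """
    return {
        key: hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()
        for key, value in config.items()
    }


def detect_drift(baseline_fp, current_config):
    """Compare a stored baseline fingerprint with a freshly collected config."""
    current_fp = fingerprint(current_config)
    return {
        "added": sorted(set(current_fp) - set(baseline_fp)),
        "removed": sorted(set(baseline_fp) - set(current_fp)),
        "changed": sorted(k for k in baseline_fp.keys() & current_fp.keys()
                          if baseline_fp[k] != current_fp[k]),
    }


# Constructed sample: the approved configuration of one server at baseline time.
BASELINE_CONFIG = {
    "sshd.PasswordAuthentication": "no",
    "firewall.inbound_ports": [22, 443],
    "local_administrators": ["admin"],
    "logging.forward_to_siem": True,
}

# Constructed sample: the same server as collected during a later check.
CURRENT_CONFIG = {
    "sshd.PasswordAuthentication": "yes",
    "firewall.inbound_ports": [22, 443, 3389],
    "local_administrators": ["admin", "svc_backup"],
    "scheduled_tasks": ["nightly_report"],
}


def run_check():
    """Return the drift report for the constructed samples above."""
    return detect_drift(fingerprint(BASELINE_CONFIG), CURRENT_CONFIG)


if __name__ == "__main__":
    for kind, keys in run_check().items():
        for key in keys:
            print(f"{kind.upper():8} {key}")  # each line is one item to investigate
```

Every reported item is a candidate incident to triage: a removed log-forwarding setting or a new local administrator is exactly the kind of change that, left unreviewed, lets an intruder's dwell time grow.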
This is a lot for organizations to do on their own. Fortunately, they don’t have to do it alone. They can work with a managed services provider like ITEGRITI that helps organizations to design and implement their own incident response and recovery processes, tools and plans.
SMBs can begin this process by gaining insight into their cybersecurity risk baseline using ITEGRITI’s Cybersecurity Risk Assessment. These risk assessment questions are based on the essential cybersecurity controls that help companies avoid hacks and minimize business impact during cybersecurity events. They will receive a copy of the risk baseline report along with a cybersecurity maturity score based solely on this attestation along with control implications in areas where cybersecurity controls may need improvement.
For more information, complete ITEGRITI’s Cybersecurity Risk Assessment here.
This SMB Guide is part of a series to assist small and medium-sized businesses with their cybersecurity needs. You can read others in the series here:
- Cybersecurity Guide: The Role of a CISO
- Cybersecurity Guide: Security Awareness & Training
- Cybersecurity Guide: Asset Inventory
- Cybersecurity Guide: Asset Baselines, Hardening and Change Management
- Cybersecurity Guide: Vulnerability Management
- Cybersecurity Guide: Access & Account Management
- Cybersecurity Guide: Supply Chain Management/Third Party Vendors
- Cybersecurity Guide: Incident Management & Review
- Cybersecurity Guide: Information Management & Protection
- Cybersecurity Guide: Boundary Defense, Electronic & Physical Security