This is part 2 of a 4-part series examining data breaches, what they cost, why they are increasing in frequency, and what you can do about them.
In our August 23, 2016 post, we broke down the many costs of data breaches, both direct and indirect, that hit organizations in a variety of areas. Now, let’s look at one of the chief culprits driving up the cost of breaches: dwell time.
What is “dwell time”?
Dwell time refers to the length of time a threat actor lingers in a victim’s environment until they are detected. While the dwell time may be a tricky thing to quantify, most cybersecurity researchers estimate that it averages around 150 days. In its seventh annual M-Trends report, Mandiant measured it at 146 days. In the highly publicized Target breach of 2013, where over 100 million customers were exposed — and cost the retailer over $500 million — the actual theft of credit card data went undetected for around two weeks. But the real news was that the attackers lurked inside the company’s network for months before they started ex-filtrating the actual credit card data.
It stands to reason that the longer it takes to detect and contain a data breach, the more damage it can inflict and the costlier it becomes to resolve. As noted in the Ponemon Institute’s 2016 Cost of Data Breaches study, “Time to identify and contain a data breach affects the cost…(and) our study shows the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences.”
What is the correlation between dwell time and breach costs?
If we map back to the direct and indirect costs of data breaches, we can see many ways in which curtailing dwell time can help contain costs. For example, detecting and stopping a breach before a lot of data has been ex-filtrated will reduce the losses from IP theft. If relatively few customer records are compromised, it will cost less to notify, accommodate and settle with customers. Going back to the Target example, the direct cost for replacing the stolen cards is estimated to be around $400 million. Lawsuits over the breach also took their toll financially, including a $67 million settlement with Visa, among others.
If the internal security team detects a breach before much damage is done, the need for external experts to investigate and repair the damage may be reduced if not eliminated. And a company that beats the media to the story about the breach, proactively explaining clearly the measures it has taken to minimize the impact, will likely see less damage to its reputation.
Luckily, there is no need to speculate about the impact of dwell time on the cost of a breach, as there is relevant research on this topic now. Going back to that IBM/Ponemon Institute report 2016 Cost of a Data Breach Study, it reports that when a breach was identified within 100 days, average costs were $5.83 million per breach. However, when a breach went undetected for 100 days or more, the average costs went up to $8.01 million, or nearly 40% higher.
Minimizing dwell time needs to be a priority of security teams. One could argue this is the most important metric for a security incident response team. A survey of the threat landscape makes it abundantly clear that, in spite of a heavy investment in measures intended to prevent intrusion, breaches are bound to occur, and maximizing dwell time is a primary goal of hackers. So not only do organizations need good preventative security measures, but they also need advanced detection and response measures to quell the dwell time when the inevitable breach occurs. Yes, even in the incident response business, truly, time is money.
In our next blog post, we look at that landscape and address the question: Why so many breaches now?