Do CIOs Underestimate Cyber Breach Recovery?

A large majority (85%) of CIOs are not taking proactive steps to track down cyber threats, despite a similar number claiming to be under increasing pressure to quickly prevent, detect and respond to security incidents. 

According to a recent report by leading endpoint security specialists Carbon Black, 28% of the 200 UK respondents are ‘not concerned’ about how long it would take to get to the bottom of a breach within their organization, uncovering a worrying disconnect between expectations of threat discovery/response and reality.

Ben Johnson, Chief Security Strategist for Carbon Black believes some of the findings in the report make for confusing reading, raising serious questions about whether CIOs actually have a good understanding of how their security infrastructures operate.

“When you look at these results, something really doesn’t add up. On the one hand, companies are operating from a reactive security posture and tending to symptoms, rather than causes. Yet they still believe they can detect threats much faster than the industry average, even though they are not actively seeking them out.”

Research by the Ponemon Institute has found it takes an average of 258 days to detect a breach and a further 100 to 120 days to remediate the threat following an attack. This is at odds with findings by Carbon Black, with more than a quarter of respondents saying it would take their company less than 14 days to recover, 15% less than a month and 18% less than three months. Also, in the event of a breach, as many as half (52%) stated they were 100% confident they would know what systems and data had been affected and how within 24 hours.

This suggests a significant number of CIOs are either not educated on the realities of dealing with a high-profile cyber breach, or feel their organization has invested enough finances and time in its security infrastructure that they are strong enough to deal with whatever threats might come their way exceptionally quickly – but as we’ve seen over the last few years, this is often not the case.

We just have to look at the time it took for companies like Ebay and Target to detect, remediate and announce recent high-profile breaches to see that recovery timespans of “less than 14 days” are way off the mark. As Quentyn Taylor, Director of Information Security at Canon explains, fully recovering from a significant data breach can be a timelier, more complex process than some business decision makers might think. 

“There are two different timeframes to take into consideration; the time it takes to return to operational business and the time it takes to fully remediate and resolve the incident. These can vary wildly as you may be able to recover relatively quickly, but to resolve the legal issues and to ensure that the incident will not happen again, (depending on your risk appetite) may be considerably longer.” he said.

The report also examines what technologies security teams are implementing, revealing many of the tools organizations are relying on are not up to the challenge of dealing with the new kinds of attacks they are facing. Whilst the use of firewalls, antivirus, encryption and intrusion detection systems were common for the majority of businesses, less than half (44%) have advanced endpoint protection in place.

Similarly, the majority of companies appear to be suffering from a lack of knowledge on what is happening in the wider market, with 89% of respondents admitting more collaboration is needed to communicate contextual information on what threats are out there. 

Speaking to Infosecurity, Chester Wisniewski, Senior Security Advisor at Sophos, explained the important role collaboration has played within the traditional security market over the years, but suggested companies are now finding themselves at a crossroads of uncertainty as they struggle to determine what information is worth sharing and what isn’t.

“If it weren't for this cooperation, hardly anyone would be able to provide reasonable levels of protection at an affordable cost.” he argued. “This gets a little messier when you start looking at ‘next generation’ vendors who see their threat visibility as their primary asset. This is a huge mistake as the information will be shared if it is useful and then you no longer have something worth paying for. Sharing of information is critical, but as threats have advanced we are now at a stage where it is unclear what must be shared to provide value.”

He added:

“The value is in using the data and making sense of it, not collecting more than the other person.”

“I am a huge proponent of information sharing, but only when it isn't noise. As an industry it is my opinion we haven't matured enough to know precisely which information is useful and more importantly actionable to provide to customers.”

What’s Hot on Infosecurity Magazine?