Data breach detection time: How to minimize your mean time to detect a breach

Author: Shane Schick

There's never a good time to experience a data breach, but reducing the mean time to detect a breach can make all the difference in how effectively your organization recovers from one.

From a purely financial perspective, for example, time is literally money. The impact of downtime or the value of stolen information means the period between when a breach happens and when it's discovered could cost your organization thousands of dollars.

According to Verizon's 2021 Data Breach Investigations Report (DBIR), the median cost for security incidents was close to $22,000. This may be because 61% of breaches involved credential data, which gives cyber criminals access to highly valuable information. By reducing the time that those criminals have to act, these costs can also be minimized.

Average time to detect a cyber attack

Overall, the DBIR—which is based on an analysis of more than 79,000 breaches in 88 countries—showed approximately 60% of incidents were discovered within days. However, 20% could take months or more before organizations realized something was amiss.

The latter category included incidents involving the misuse of system privileges or system intrusion, the report added.

A longer mean time to detect a breach, or MTTD, means more opportunity for cyber criminals to steal data, extend their reach across the network, or achieve persistence and escalate their privileges. That's why your organization shouldn't just try to shorten the mean time to detect a breach, but the mean time to recovery (MTTR) as well.

MTTR is generally defined as the period between detection and when the attack has been neutralized and any affected systems are fully restored. Your organization may have different notions of acceptable MTTR depending on your industry and the data you manage, but, optimally, recovery should happen in a matter of hours at most.

Improving mean time to detect a breach and recovery

Organizations that achieve an optimal average time to detect a breach tend to have invested in a dedicated chief information security officer (CISO) as well as comprehensive security training for employees.

This should be part of a larger strategy, whereby your organization develops a clear understanding of its cyber security risk profile, including any key vulnerabilities or touch points that could be susceptible to an attack. Working with a third party to conduct an assessment can help ensure nothing gets missed here.

Once the assessment is completed, you should communicate the potential consequences of a data breach to your organization's leadership. That will ensure there's understanding about the relationship between strong cyber defenses and key business outcomes.

From there, your organization should establish security policies that support a goal of a shorter average time to detect a cyber attack and MTTR. This in turn will inform a proactive incident response plan, including the technologies needed to detect incidents early on, who should receive alerts and how resolution should be pursued.

These details will lead to security training that's relevant and actionable for all employees, many of whom could be on the front lines when a cyber attack takes place.

The benefit of a managed services partner

Consider that, in part as a response to the pandemic, more organizations have embraced remote work models than ever before. And according to Verizon's 2021 Mobile Security Index, 78% of those surveyed said they expect working from home to remain even once the pandemic is no longer an issue.

But remote work can come with additional security challenges. As the DBIR pointed out, phishing and ransomware attacks on remote workers were up 11% and 6%, respectively. Remote work also may involve using smartphones and tablets, and the Mobile Security Index report noted that 40% of those surveyed said mobile devices represent the organization's biggest security risk. And more than half, or 53%, said the consequences of a data breach they've suffered were major.

Working with a managed service provider offers an additional layer of expertise and resources to reduce these challenges for your organization. This comes through the experience gained from working with a variety of different customers as well as extensive training in how to optimize mean time to detect a breach and MTTR.

Learn more about how managed service providers can assist with data breach investigations and an effective recovery.