Cyber breaches are inevitable: Now deal with it

This is a contributed piece from Duncan Brown, Research Director at Pierre Audoin Consultants (PAC).

The consequences of a major cyber-attack include loss of IP, customer service, revenue and reputation. And fines for data protection non-compliance will soar under upcoming EU regulations, with mandatory breach reporting due to be introduced from 2017.

Responding to an incident quickly and effectively is a complex process, involving technical, communications and management staff.

And the world is watching as you respond.

New research from PAC shows that cyber breaches are inevitable. All of the companies we surveyed recently experienced a cyber-attack and most (67%) have been breached within the last year. How are firms changing their behaviour to deal with this new reality?

The first consequence is that cyber security spend is shifting away from traditional prevent and protect approaches (e.g. anti-virus, firewalls and DDoS protection) towards detect and respond operations, resulting in a more balanced security budget. Most firms have built their cyber security approach around protecting the perimeter and preventing attacks. But cyber breaches still occur. This means that firms have used up most of a budget that was supposed to stop a breach, and it has not done so.

Most firms take between one and six months to discover an attack, meaning that the perpetrator has been inside the organisation long enough to cause damage. The shift in spend towards a detect and respond approach is therefore a reaction to the inevitability of a cyber-attack. There is a re-balancing of cyber security spend to a more appropriate split of operational attention.

Firms are also attempting to reduce the time to breach discovery. New EU regulations demanding mandatory breach notification mean firms are increasingly concerned about the impact of an attack and the way it is handled. There is now an imperative to discover breaches early and to remediate as quickly as possible.

We discovered that although firms believe they are prepared for an attack, 39% do not have a formalised cyber readiness plan in place. Those that have one but don't test it frequently will still put their business at risk.

Over the next two years we expect to see increased use of software designed to manage the Incident Response (IR) process, either as an alternative or as a supplement to outsourcing. This will include both the management of IR plans and the simulation of response and mitigation activities. We will also see a strengthening of outsourced incident response adoption, as firms plan for breaches by forging relationships with service providers, typically on a retainer basis. This provides the service levels required to fulfil a readiness plan, gives access to vital expertise and skills, and keeps costs manageable.

One way of approaching incident response is to mitigate the financial risk by taking out cyber risk insurance. There has been much media attention on the subject in the past year. However, our survey suggests that adoption is lagging behind this interest: only 13% of our respondents said they are using it. A further 43% of firms are considering cyber risk insurance, but 44% have no plans to introduce it.

One surprise in our study is that most firms outsource IR. With most cyber security activities, CISOs prefer to keep operations in house, as they fear a loss of visibility and control. But with incident response, there seems to be a preference towards outsourcing capability. This allows firms to source expertise in a timely fashion without incurring too much cost. The study showed 69% of firms use a combination of internal and external staff, with a further 14% using external resources exclusively.

The nature of incident response dictates that resource use is unpredictable. Although all of the companies surveyed reported a cyber-breach, the timing of a breach cannot be predicted. This means that if internal staff are to be used, they are drawn from other security activities as and when the need arises, which may disrupt on-going operations. So it makes sense to use external resources, either retained on standby or engaged as needed.

Firms are on a journey of maturity in dealing with cyber-attacks. They are moving from a position of vulnerability, where defences are insufficient to prevent a breach, towards readiness for the breaches that do occur. Firms increasingly view third parties as a critical source of advice, support and guidance in doing so. The journey will not be a smooth ride, but firms seem to be heading in the right direction.

