Mathew J. Schwartz reports:
If you had to guess what day of the week a hacker will hit your organization, the answer might seem obvious: Hackers prefer to strike on Saturday.
Research conducted by managed security service provider Redscan confirms it. The firm filed a freedom of information request with the U.K.’s privacy watchdog, seeking anonymized information on cyber incidents reported to the regulator.
Read more on EuroInfosec. The delay to detection data were of particular interest to me in light of what Protenus and DataBreaches.net have been tracking in U.S.over the past few years. For their 2018 data, Protenus had reported:
…of the 141 health data breaches for which we have data, it took an average of 255 days for an healthcare organization to discover that it had suffered a breach. This represents an improvement from 2017, when it took an average of 308 days for breach detection. The median discovery time in 2018 was 28 days. There were a wide variety of time frames for discovery, with the shortest discovery time being one day and the longest being 5,605 days (15.36 years).
The median discovery was similar to what Redscan found for legal firms in the UK. Schwartz reports that Redscan’s analysis of reports in the UK found that:
legal firms were the best at spotting breaches, requiring just 25 days on average, compared to financial services firms, which required 37 days, and organizations classified as “general business,” which took 138 days. On average across all three sectors, businesses required 60 days to discover a breach.
According to Redscan’s report, the longest delay in identifying a breach was 1320 days.
Schwartz compares Redscan’s findings to FireEye’s Mandiant M-Trends 2019 report, which found that
for breaches that an organization self-discovered in 2018, attackers had been inside the network for an average of 50.5 days. When an organization was tipped off to the breach from an external source, however, attackers had already been inside the network for an average of 184 days.
But what about after a breach is discovered? How long did it take for entities to notify? Schwartz reports that of the 181 data breaches reviewed by Redscan, it took 21 days from discovery, on average, for the organization to file a breach report to the ICO, although one organization took 142 days. Keep in mind that this was all before GDPR went into effect.
The 21 days to notification in the UK statistic is significantly better than what Protenus and DataBreaches.net found in the health data breaches reported in 2018. Protenus reported:
Of the 227 health data breaches for which we have data, it took an average of 73 days for organizations to report a breach to HHS, the media, or other sources after it was discovered (figure 16). These averages seem to be holding steady as this is the same average the industry experienced in 2017. The median disclosure time was 59 days, just squeaking in under the HHS required 60-day reporting window.
With the GDPR now in effect, it will be interesting to see what happens in the EU — and whether any of it will significantly impact requirements or incident response statistics here. But one thing seems clear: no mattter where you are, if you want to bury the news, disclose it right before the weekend begins.