Response times to incidents can often take a week or even longer.
According to the (ISC)² 2013 Global Information Security Workforce Study, 41 per cent of its 12,000+ respondents said that it can take a week to respond to security incidents, while 28 per cent said that they could respond in a day.
John Colley, managing director of (ISC)² for EMEA, told SC Magazine that this is something that is very difficult to assess, as businesses are either very good or they do not know. “If you know what is going on you report it, but this is still a significant percentage for a week,” he said.
Speaking at the RSA Conference in San Francisco, Art Gilliland, senior vice president and general manager of HP enterprise security products, said that its research shows that the average time to detect a breach is 416 days, while 96 per cent of breaches were identified by a third party and four per cent were detected internally.
Last year's Verizon data breach investigations report (DBIR) found that in 54 per cent of cases, the time to discover an attack was often months, and it was weeks for 29 per cent of companies. Only two per cent of those attacked discovered the breach within a matter of hours. Within larger organisations, 39 per cent discovered in months, 27 per cent in days and 24 per cent in weeks.
Speaking to SC Magazine, Verizon principal Jay Jacobs said that there is a difference between the time to remediate and the discovery of an attack, as remediation is about how fast things can be done. “Mid-sized companies will be best here as they are not too big or too small,” he said.
“When you learn of something new, this is what affects the response time. If you have an extended business then it will not be quick, but it is more about the response of the organisation and the time they take to do a better reflection of their security, threats and environment. If you focus on the time element, then the discovery method is quicker.”
The (ISC)² report also discovered that 31 per cent of smaller companies (fewer than 500 employees) believe they can remediate in one day and 44 per cent within a week. Among very large companies (10,000 or more employees), 28 per cent said they can remediate in one day, while 29 per cent could remediate within a week. Also, respondents in very large organisations chose 'don't know' to a greater extent (18 per cent) than smaller companies (12 per cent).
Verizon also announced that its DBIR for 2013 will contain reports from 18 partners, a rise from five for last year, including data from computer emergency readiness teams (Certs), auditors and private organisations.
Jacobs said: “We wanted to broaden it and get a perception of everything out there so we could collect and it could be more complex.”
Wade Baker, managing principal of the risk team and principal author of the DBIR, said: “The additional contributing security organisations will enable us to paint an even clearer picture of the threat landscape facing businesses today. This added insight will make a difference in helping organisations around the globe put the right defence in place. Today's cyber landscape remains a tough one to navigate, and unfortunately, we believe it will continue to remain challenging in 2013.”