Sometimes the challenge with data breaches is to know they ever happened at all.
Take these examples from the 2017 headlines:
| Company | Breach Discovered | Breach Occurred |
| Verifone | January 2017 | mid-2016 |
| Brooks Brothers | May 2017 | April 2016 – March 2017 |
| California Association of Realtors | July 2017 | March – May 2017 |
| Forever 21 | November 2017 | March – October 2017 |
Note the lengthy timeframe from when a breach occured to when it was discovered, months to well over a year.
These examples align with industry data. According to the Ponemon Institute, Cost of a Data Breach Study (2017), breaches involving POS intrusions, privilege misuse (which can involve either internal or external threat actors), or cyber-espionage typically take months or longer, with the average number of days needed to discover a breach being 191.
Organizations just like yours are so heads down, focused on the business of doing business, it’s tough to keep tabs on the access to data, looking for signs of misuse. And yet the bad guys – cyber criminal organizations – are busy devising ways to gain access to your network and to exfiltrate data of value such as credit card data or personally identifiable information.
Put those two together, and you have a recipe for disaster, where organizations become unknowing victims, never realizing they’ve had a data breach until it’s way past too late.
How are Breaches Detected?
Every other method besides internal discovery dominates.
The Verizon Data Breach Investigation Report (2017) note fraud protection, law enforcement, and third-party discovery combined dwarf internal methods nearly three to one. Sadly, third-parties remain the number one method of breach discovery. Take the example of the recent credit card breach at fast food chain Sonic – they found out about their breach from their credit card processor, who noticed unusual activity on cards used for Sonic customer payment.
Given the external nature of the majority of discovery methods, perhaps the question shouldn’t be “How are breaches discovered?”, but instead “Why aren’t beaches discovered internally?”
Getting to Internal Discovery
The simple reason of why internal discovery doesn’t happen more often is IT organizations simply aren’t watching. You know which data is really, really important, so why aren’t you keeping an eye over its’ access?
While it sounds too simple, in reality, it is that simple.
It’s a simple two-step process to put a Data Breach Internal Discovery plan together. At a high level, it looks like this:
- Identify data of value – the easy part is identifying those data sets that are part of a business process. The hard part is the presence of any extraneous copies of that data. But you need to find them all.
- Watch it – Put some kind of access auditing/monitoring in place, assessing whether current access is normal for your business operations. Over time, you can pretty much tell what “normal” access looks like – so, anything outside of that is suspect.
Discovering a Data Breach – the Threat You May Never Know About
Organizations like the ones previously mentioned likely aren’t truly negligent (in the sense they just don’t care about security, etc.) – it’s far more likely they missed patching a vulnerability, or assigned improper permissions that gave external access. And because those things happen – in some cases, far too often – it’s necessary for IT organizations to put a strategy in place that shifts discovery of data breaches to being an internal process, keeping your organization “in the know.”
