The Problem with Reactive Security
Sep 11, 2023
Breaches have become almost commonplace. Cybersecurity reports show that since 2019, attacks are up as much as 300%, and that costs of breaches are rising as well. The IBM 2023 Cost of a Data Breach Report states the average cost of a data breach reached an all-time high of USD 4.45 million, or $165 per record breached in 2023. Different security reports provide different attack counts, depending on their point of view, but a Duke University study indicates that 75-80% of organizations will at least be attacked on an annual basis, if not breached.
This is important because of what it tells us about our ability to manage the cost of our security programs. The true cost of an organization’s security is a combination of the cost of its security program and the cost of any breaches. You spend planned money to try to meet your security goals – protecting your environment and enabling business processes. You expend unplanned money and resources to manage a breach.
Once a breach is identified, costs of that breach tend to be split fairly evenly across detection and escalation, lost business (current and future), and post-breach response/notifications.
To see the real value of these numbers, it is important to know that the actual cost of a breach is often related to how long an attacker has been in your environment. This is the mean time to identify (MTTI) the breach, often informally called the dwell time. Proactive technologies like MDR (managed detection and response) have reduced dwell times, but according to the SecureSky 2023 Mid-Year Azure Compliance Trends report, only 38.5% of organizations are using activity monitoring, detection, and response. This problem is compounded by the fact that dwell times have not improved dramatically for organizations that operate in a more reactive manner.
Worse yet, only about 1 in 3 attacks are identified by an organization’s own security controls, since those controls are not fulfilling organizational needs for timely, accurate information about attacks and breaches. The other 2/3 of attacks are being identified by an uninvolved third party (like someone else saw your data online and contacted you), or by the attacker themselves (like an attacker reaching out for a ransomware payment). Not surprisingly, organizations who detect their own breaches show dwell times that are as much as 25% shorter, resulting in costs that can be 18% lower than organizations that learn about the breaches from other sources.
If you are not the one detecting attacks and breaches, you tend to have a more reactive or passive security program. Most security programs have matured in a “watch and respond” mode. You may actually have robust security monitoring in place, including active log gathering and analysis, but this is still a review of historic data: it looks at what has already happened and tries to manage the results of that past event, minimizing the impacts of negative outcomes. According to the SecureSky 2023 Mid-Year Azure Compliance Trends report, only 55% of organizations are using protective controls effectively. Ultimately, a reactive security program can be described by the old idiom “closing the barn door after the horse got out.”
A reactive security program accepts that you will be breached, and that you can expect long dwell times and the associated increased loss, as well as more complex and more expensive recovery. There are well-known costs of a breach, like lost revenue, fines, and damage to your reputation. There are also costs that are not as well known, like the impact a breach can have on your ability to meet operational goals if your IT and security teams spend their time chasing breaches. Another is the strain a breach puts on employees, resulting in extra work, high stress, and increased turnover of key employees.
A more reactive security program ends up increasing your total cost of security. It also reduces your ability to operate normally and impacts your business goals, since attack and breach response creates unplanned resource costs that could be better dedicated to your business.
SecureSky’s basic philosophy supports a proactive security model, providing you with the security-relevant information you need to operate securely and efficiently. Experience shows that evolving to a proactive security model can actually reduce threats by approximately 60%. Consider that breaches you detect are 18% less expensive than breaches someone else detects for you. Then consider how much more you can save when you are taking additional proactive actions like implementing best-of-breed controls, threat hunting, active vulnerability management, and active posture management. Finally, proactive controls and active management enable you to detect, respond to, and recover from breaches more effectively, providing better security and lower overall cost on two of the three cost components of a breach (detection and escalation, and post-breach response and notifications).
There is, after all, a reason people still use another idiom that helps describe effective, proactive security programs – “An ounce of prevention is worth a pound of cure.”