Businesses taking more than 100 days to contain data breaches, finds study

Out-Law News | 09 Jun 2015 | 12:05 pm | 1 min. read

Businesses take more than 100 days on average to contain a data breach, a new study has found.

In its global security report for 2015 information security provider Trustwave said it takes businesses 86 days on average to detect a data breach and 111 days on average to contain the breach from the date of intrusion.

Trustwave's report was based on 574 data breach cases it investigated last year. It said that businesses that spot data breaches themselves contain those breaches faster than where they are told about the intrusions by people or bodies external to the organisation, such as customers, regulators or law enforcement. Breaches were not detected by victim organisations in 81% of the cases.

"Victims that don’t detect the compromise themselves don’t become aware of a breach until later," the report said. "As a result, they simply cannot respond to contain it as quickly as victims that detect the breach themselves. So it stands to reason that victims that didn’t detect the breach themselves endured incidents nearly a month longer in terms of the median in 2014. Breaches detected by an external party lasted from one to 1,692 days from intrusion to containment, with a median of 154 days (27 days more than in 2013)."

Trustwave said that 43% of the 574 data breach cases it investigated last year concerned retailers. Nearly half of all the investigations (49%) concerned the theft of personal data and payment card information. The report said that 40% of cases involved the loss of data at point-of-sale terminals. However, it said US retailers are more likely to be exposed to data breach cases at POS terminals because of their "lagging adoption" of 'chip and pin' technology that is used by UK banks.

The report also highlighted common security vulnerabilities it had identified in mobile technologies, networks and applications and found that many businesses are still using basic passwords.

"Administrators should consider enforcing a length of at least 10 characters," Trustwave said. "As proof, passwords with eight characters, for example, can be cracked within a day using brute-force techniques with technology easily available to attackers. We estimate that the same techniques and technology would crack a 10-character password in 591 days (19.5 months)."