The first step is to understand the lifecycle of a data breach, which can cause not only data loss but also system downtime as well as reputational and financial damage.
The lifecycle of a data breach varies depending on the type of attack, the cybersecurity measures already in place, and the size of the organisation and its network environment. It is, however, typically split into five stages, outlined below.
Despite these variations, a recent IBM report put the average global data breach lifecycle at 287 days in 2021. This means many breaches go unnoticed for months, with 212 days between the breach and its identification and containment. For Australia specifically, the figure was even longer, with an average lifecycle of 311 days.
According to Mimecast’s State of Email Security report 2022, 77 per cent of Australian companies were impacted by a ransomware attack in 2021, up from 64 per cent the previous year, and 89 per cent of companies are reported to be bracing against the potential fallout from email-borne attacks.
The increase of hybrid and remote working since the pandemic has also increased the chances of longer-tail attacks, with organisations that have over half of their staff working remotely taking roughly eight weeks longer to resolve a breach.
The five stages of a breach
- Research: Some attack methods, such as bulk Business Email Compromise (BEC) campaigns, involve no research into the individual organisations being targeted. The majority of damaging attacks, however, start with sophisticated research and observation. For example, attackers often mine social media, particularly LinkedIn, for information about a company, uncovering enough detail to make a social engineering attack believable. Attackers may then scan for software or hardware vulnerabilities to exploit.
- Method of attack: The next stage, after uncovering all the information needed to attack, is choosing the method, such as using spear-phishing emails or fake web pages. Understanding how hackers work will give organisations a better chance of avoiding potential damages.
- Attack begins: Once the targets and method of attack are settled, the next stage is launching the attack. Most of the time, at this critical moment, nothing will appear to happen and the attempt may go unnoticed. Patient attackers, however, will wait for the one mistake that finally lets them into systems or hosts and allows them to exfiltrate data from databases, file systems or even productivity files that contain sensitive information.
- Exploitation: Following the attack, once an entry point is secured, the attacker will aim to retrieve as much data as possible. Stolen credentials and malware may allow further access to other systems. While some will act fast, many hackers are prepared to play the long game, acting quietly in the background without altering operational systems to convince analysts that nothing is amiss.
- Exporting assets: At the final stage, successful attackers may be able to prevent users from using critical functions, impersonate employees, steal confidential data and potentially attack partner organisations. It is often the case that the organisation first becomes aware of the attack when the data appears for sale on the dark web or, most concerning yet very common, when a ransom demand is sent to the organisation.
Defensive measures for organisations to employ
Having strong defensive measures in place and an appropriate budget for cybersecurity will help to prevent potential attacks. While spotting an attack between the first and second stage is a win, the overall goal should be to achieve strong cyber resilience.
A strong cybersecurity posture will make each stage identified above harder for attackers to be successful. Methods such as using data discovery tools to identify risky posts, ensuring software and hardware are patched, using threat intelligence to identify risk, and using zero-trust measures will all help to secure a well-built cybersecurity posture.
It’s also important for employees to take responsibility, as cyber is becoming a companywide issue. According to Mimecast research, 8 out of 10 Australian respondents believe their company is at risk due to inadvertent data leaks by careless or negligent employees.
With this in mind, it is critical to have security awareness training in place regularly for all employees, particularly noting the dangers of oversharing and reinforcing social media guidelines.
Garett O'Hara is APAC Field CTO at Mimecast