A single data breach can cost your company a lot of money. How much? Based on the NetDiligence 2015 Cyber Claims Study of actual insurance claims data, we know the average cost of a large company data breach is US$4.8 million.
Want to minimize the cost? Quickly identify the data breach.
How do I know that’s the best way? And, how do you do it quickly?
Here’s the first answer: Check out this data in the IBM/Ponemon 2015 Cost of Data Breach Study. This graph from page 22 of their report shows the relationship between the mean time to identify a data breach and total average cost:
That’s a very clear connection, don’t you think?
OK, so how can you quickly detect a data breach without spending a ton of CapEx for a fancy intrusion detection system and then a ton of OpEx to run the thing?
Here’s how: Have your server administration teams run these two daily checks:
- Discover whenever someone becomes a privileged user by verifying all new accounts that have been added to any administrator or root groups
- Identify data being staged for exfiltration by noticing when large amounts of data suddenly show up in unusual places
With both of these checks, the large majority of the work can be automated. The way to do it is to use your existing server management tools to compare today’s snapshot against yesterday’s and highlight the major differences in (1) the membership of all your admin/root groups and (2) the percentage of free disk space on each server.
The manual work is tracking down why those changes happened and making sure there is a legitimate business reason behind them. This will take some sleuthing at first to learn who to call and what constitutes a normal change, but within a month you will settle into a productive routine.
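The two daily checks described above, as an added example that is not code from the original post: the snapshot functions are what a cron job would run on each host (assumed), and the compare functions diff today’s file against yesterday’s. The admin group list, the 5-point disk-usage threshold and the sample snapshots are all assumptions constructed for the demo, not data from any real host.

```shell
#!/bin/sh
# Daily breach checks: new members of admin/root groups, and mounts whose
# used-space percentage jumped since yesterday. Both lists below are assumptions.
ADMIN_GROUPS="root wheel sudo adm"   # assumed: adjust to your platform's admin groups
DISK_DELTA_THRESHOLD=5               # assumed: flag a rise of >= 5 percentage points

# snapshot_groups FILE: one sorted "group:member" line per admin-group member.
snapshot_groups() {
    getent group $ADMIN_GROUPS 2>/dev/null |
        awk -F: '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print $1 ":" m[i] }' |
        sort > "$1"
}

# snapshot_disk FILE: one sorted "mountpoint use%" line per mount (df -P: $5=Capacity, $6=Mounted on).
snapshot_disk() {
    df -P | awk 'NR > 1 { sub("%", "", $5); print $6, $5 }' | sort > "$1"
}

# new_admins YESTERDAY TODAY: group:member lines that exist only in today's snapshot.
new_admins() {
    comm -13 "$1" "$2"
}

# disk_jumps YESTERDAY TODAY: mounts that are new, or whose use% rose by the threshold or more
# (a sudden pile of data in an unusual place). Matching on FILENAME copes with an empty yesterday file.
disk_jumps() {
    awk -v t="$DISK_DELTA_THRESHOLD" '
        FILENAME == ARGV[1] { old[$1] = $2; next }
        !($1 in old)        { print $1 " new mount at " $2 "%"; next }
        $2 - old[$1] >= t   { print $1 " " old[$1] "% -> " $2 "%" }' "$1" "$2"
}

# Constructed sample snapshots (not from a real host) so the report runs offline.
tmp=$(mktemp -d)
printf 'sudo:alice\nwheel:alice\n' > "$tmp/groups.yesterday"
printf 'sudo:alice\nsudo:svc-backup\nwheel:alice\n' > "$tmp/groups.today"
printf '/ 41\n/home 62\n/var 55\n' > "$tmp/disk.yesterday"
printf '/ 42\n/home 63\n/tmp 30\n/var 88\n' > "$tmp/disk.today"

echo "== accounts newly in admin groups =="
new_admins "$tmp/groups.yesterday" "$tmp/groups.today"
echo "== mounts with a sudden jump in used space =="
disk_jumps "$tmp/disk.yesterday" "$tmp/disk.today"
```

Each line the report prints is one item for the manual follow-up: the new admin account svc-backup and the /var mount that went from 55% to 88% overnight.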
What other simple techniques have you used to detect data breaches?