A new report by cyber security experts FireEye suggests that GDPR may have slashed the amount of time cyber attackers are able to access compromised networks in Europe before they are finally discovered.
FireEye believes the average time from the beginning of a cyber attack to when it is identified (during which attackers may continue to intrude on systems) has fallen substantially. The average attack duration was 177 days before discovery, last year. It is now 54 days, a 70% decrease of intrusion time. The average “dwell time” a cyber attacker was present in a breached system globally in 2011 was 416 days.
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
In its latest study, the FireEye Mandiant M-Trends 2020 Report, the cybersecurity company directly attributes this drop in attack and intrusion time to GDPR.
“In M-Trends 2019, we suggested that a steep rise in median dwell time was likely linked with organisations putting more emphasis on GDPR and increasing focus on security which may have revealed historic compromises.”
Now GDPR is into its second year, FireEye finds:
“Statistics are now generally in line with the global averages, which reflect the improving security posture of organisations and highlight the ongoing challenges organisations face from sophisticated threat actors.”
But the company goes on to warn, even through improvements have been made, “attackers still go undetected in target environments for far too long, remaining stealthy and harder to spot as they pursue their goals.”
To be in compliance with GDPR organisations must report a data breach to their relevant data protection authority within 72 hours of realising the incident. Failure to report within the timescale required or being non-compliant with GDPR when the breach is examined can lead to massive fines. As evidenced by the top fines issued across Europe since the implementation of GDPR.
David Grout, CTO for EMEA at FireEye, told ZDNet:
“GDPR pushed organisations to implement new policies, reviews and a new focus to get better at detection.”
Grout believes that GDPR helped to get cybersecurity attention at board level, and not just within IT teams, he says:
“The buzz around the topic leading up to the GDPR deadline helped to get it in front of senior execs outside of the IT team. Many of them saw the importance of GDPR compliance and they supported measures to improve defences and breach identification.”
The influence of GDPR is also felt world-wide, companies outside of Europe must comply if they do business inside of Europe, and other regions are looking to create equivalent legislation. FireEye also found the median dwell time globally has fallen from 78 days to 56 days.
Despite the averages, worryingly, FireEye found that one in ten of its investigations see cyber attacks that intrude on an organisations network for more than two years. Grout says:
“Some of them are being targeted by highly skilled APT [Advanced Persistent Threat] groups that are able to hide themselves for a long time after the initial breach.”
The report found one common vulnerability exploited by attackers (and one that can be easily fixed) is a failure to use multi-factor authentication (MFA) on corporate networks. Cyber attackers that are able to get their hands-on passwords are able to very simply breach major networks. Attackers are also still taking advantage of known vulnerabilities in software, because software doesn’t get patched with the latest software updates as soon as they are issued.
FireEye’s report concludes, however, with a more positive note:
“Many of the stats in M-Trends 2020 show that both the industry and organisations are getting better at cyber security.”
The research didn’t pinpoint a single reason why there has been improvement but:
“Perhaps more vendors and more awareness are leading to better visibility across the security spectrum. Or organisations are simply investing more in their cyber security programs.”
Here at The Defence Works, we certainly believe that GDPR helped to push cybersecurity and data breaches under the spotlight for businesses. And, not just for beleaguered IT departments. Business leaders and board level executives all became far more aware of the need for data protection and the penalties that could ensue if data isn’t protected. Employees handling data on a day to day basis also became much more aware of data security and protection.
Security awareness is certainly a key to cybersecurity. Many breaches do occur because attackers get through defences and discover software vulnerabilities. However, passwords can be gained because of human errors. And, still a substantial proportion of cyber attacks and breaches begin with a phishing email. Statistics coming out of data protection bodies, such as the Irish Data Protection Commission (DPC) point to as many as 83% of reported data breaches could be due to human error or lack of GDPR awareness.
Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.