The global average amount of time to identify and contain a data breach is 280 days: 207 days to identify the breach and another 73 days to contain the attack, according to IBM’s “Cost of a Data Breach Report 2021.”
Financial institutions fare better, with a 233-day average response time (177 days to identify a breach and an additional 56 days to contain the attack). But that’s still plenty of time for hackers to steal information.
“The bad guys can do a lot in 177 days,” says Randy Romes, principal at CliftonLarsonAllen LLP. “They’re inside learning your business.”
Romes discussed cybersecurity threats and how credit unions can prepare and respond during the CUNA Supervisory Committee and Internal Audit Conference.
According to the IBM report, the average cost of a data breach in the U.S. is $4.24 million. Eighty percent of breaches include records containing personally identifiable information at an average cost of $150 per record.
Hackers can do a lot in the time it takes organizations to discover and contain an attack, Romes says, such as disabling backups and security systems, obtaining access credentials, stealing sensitive personal data, and creating back doors for entry into the system.
Ransomware gets the most attention, but Romes says it’s usually coupled with other acts and is simply the most visible part of an attack.
The first step after a ransomware attack is resuming operations, he adds, but there are also legal and business ramifications that will persist after the breach.
“Ransomware is what they do as they’re walking out the door,” he says. “They’ve already been in, taken over accounts, and taken our data.”
Eighty percent of breaches have a root cause in email spear phishing or other social engineering efforts, in which hackers enter systems when employees click on phishing links in emails, or harvest data by guessing passwords.
“Be prepared,” Romes says. “This is going to happen. How do we turn the 177 days into seven days? You must shorten the time frame to limit your exposure.”
Organizations must develop an incident response program and plan that includes response procedures and a list of appropriate contacts. To prepare, determine who will handle certain tasks, collect their contact information, determine how they’ll operate once an attack has occurred, and estimate what the cost will be, he says.
After developing the plan, practice it. Carry out tabletop exercises to walk through incident response procedures, and run spear phishing tests, other social engineering tests, and “Red Team” penetration testing, which is more targeted than traditional penetration testing, Romes says.
One thing is certain. Cyberattacks will happen, Romes says.
“Not if. When. What are you going to do about it? You must prepare, implement, and practice a plan.”