How to go beyond a preventive mindset to manage cybersecurity risk

Businesses increasingly realize they can reduce risk and damages by prioritizing rapid detection of threats and effective incident response.

The primary strategy for defending an organization from the risks of cyberattacks has long been prevention — stopping attacks before they are successful. But the growing sophistication of cybercriminals has made it very difficult to completely stop breaches from occurring. One breach that is discovered too late can cost millions of dollars, cripple operations and even put companies out of business.

Hackers hoping to exploit fears amid the COVID-19 crisis are increasingly resorting to phishing and ransomware attacks. The International Criminal Police Organization (INTERPOL) has detected a significant increase in ransomware attacks against hospitals and other health care providers around the world.1 Cyber criminals are also increasingly targeting mobile devices, a trend that is likely to increase as remote workers turn to their phones to conduct business. More than half of IT leaders surveyed in 2020 said mobile devices are very or extremely challenging to defend.2

Prevention alone isn’t enough

Even the best defense isn’t criminal-proof, with attacks becoming increasingly sophisticated. Criminals are even weaponizing artificial intelligence (AI). For example, hackers can create intelligent malware programs that learn from thwarted attacks and create modifications that make subsequent attacks successful.

Eighty percent of IT professionals surveyed in 2020 said prevention is the most difficult aspect of cybersecurity due to insufficient technology, lack of in-house expertise and the time needed to identify threats.3 More than three-quarters of respondents agreed with this statement: “My organization focuses on the detection of cyberattacks because prevention is perceived to be too difficult to achieve.”

While prevention will continue to be important in cybersecurity, organizations are increasingly realizing they can reduce risk and damages by prioritizing rapid detection of threats and effective incident response.

Delay in detection and response has been a persistent issue

Cybersecurity professionals have a limited window of time to detect and contain attacks before they cause serious harm to an organization. Delays in responding to breaches give attackers time to steal or manipulate data, greatly increasing damages. Even larger costs can be incurred from litigation, regulatory penalties and reputation loss.

A 2019 Verizon investigation into thousands of security incidents found more than half of all breaches took months or longer to discover.4 For example, payment card compromises aren’t usually discovered until the stolen data is used, which typically takes weeks or months. The mean time for identifying and containing a breach caused by a malicious attack was 314 days, according to a 2019 report.5

Significant false positives are a main cause of delayed detection and response

A primary reason breaches aren’t detected sooner is the sheer volume of security alerts that overwhelms security professionals. A global Cisco survey showed that 17% of organizations received 100,000 or more daily alerts in 2020, compared to 11% in 2017. This led to roughly half of real threats being ignored.2

Security information and event management (SIEM) software is designed to help analysts by providing real-time monitoring of threats. But it’s estimated that analysts spend roughly one quarter of their time looking into false positives (mislabeled alerts that aren’t actually threats) generated from these tools.6 A 2019 survey of cybersecurity professionals found it takes more than 10 minutes to investigate each alert, with roughly half eventually found to be false positives.7 As a result, analysts spend most of their time managing alerts rather than containing or remediating threats. More and more SIEM providers are incorporating AI technologies to help reduce false positives.

Intelligent automation becomes essential for rapid detection and response

As the volume of threats rises, more organizations are combining automation with AI to detect and respond to attacks more efficiently. Organizations without security automation suffered almost double the breach costs of organizations with fully deployed automation in 2019.5 And 75% of security professionals surveyed in 2019 said automation is highly valuable to achieving cyber resilience.8

AI tools can be programmed to block threats automatically or outmaneuver them by sending false signals as they gather information. When a new type of malware appears, AI tools compare it to previous forms in their databases and decide if it should be automatically blocked. Machine learning can evolve to recognize ransomware before it encrypts data and can determine whether a website navigates to a malicious domain.

The most effective type of threat detection incorporates both AI and humans. Organizations using AI say they’ve reduced the time taken to detect threats and breaches by 12%.9 AI can also improve user authentication and password protection.

Using SOAR to manage alerts and improve response

Many organizations are now turning to security orchestration, automation and response (SOAR), technologies that use data from SIEM and other security systems to standardize and shorten incident response processes. SOAR combines orchestration, automation, threat intelligence, and human and machine learning to detect and contain threats.

SOAR analyzes each security incident and decides whether to act automatically or request human intervention. For example, SOAR can isolate or shut down a system instantly if malicious activity is detected. It also can slow the spread of malware by automating actions like forensic data gathering and running vulnerability scans. Automated orchestrated incident response saves an average of US$1.5 million in data breach costs, according to IBM.10

Outsourcing threat detection and incident response

Small to midsize organizations may be unable to invest in the technology or human resources needed to quickly detect and respond to security incidents. Small businesses, public sector agencies and health care providers have been increasingly targeted by cybercriminals who are finding greater success with soft, data-rich targets.

At minimum, all organizations should be vigilant about installing and continually updating antivirus and anti-malware programs. Having a sufficient number of well-trained security professionals is also critical for quickly detecting threats and preventing unauthorized access.

Many organizations are finding outsourcing security to be their best solution, but care must be taken to choose a reliable vendor. Roughly one-third of organizations surveyed by Cisco in 2020 outsourced incident response services, with more than half citing “more timely response to incidents” as the main reason why.2

Managed detection and response (MDR) is becoming an increasingly popular option, especially for smaller organizations. MDR is a service that detects malware and malicious activity, and assists organizations in responding rapidly to eliminate those threats. MDR typically combines technology with outsourced analysts. Gartner predicts that by 2024, a quarter of organizations will be using MDR services, up from just 5% in 2019.11


Summary

Organizations should understand that managing cyber risk requires a strategy that extends beyond prevention. A proactive stance on cybersecurity is a core tenet of the EY Security by Design approach, which looks beyond protection to manage and mitigate security risks.
