One in Five Breaches Takes Two Weeks to Recover From and That Should Scare You
Absolute Security released research this month that I want to talk about because it is the kind of data that should land differently than it usually does. They polled 750 CISOs in the US and UK and found that over half of respondents had suffered a cyberattack, ransomware infection, or data breach in the past year that took endpoint devices out of action. More than half of those organizations took three to six days to fully recover. A fifth of them took between one and two weeks. And nearly all of them spent between one and five million dollars doing it, with an average of $2.5 million per incident. I will give you a moment with those numbers.
The thing that hits me hardest about this data is the recovery timeline, not because two weeks sounds like a long time abstractly, but because I know what two weeks of endpoint disruption looks like inside an organization. It is not just inconvenient. It is people unable to do their jobs. It is processes that depend on those people halting or degrading. It is leadership making decisions with incomplete information because the systems that normally provide that information are compromised or offline. It is IT teams working around the clock while the rest of the organization watches and waits. Two weeks of that is not a technical problem. It is an existential problem for organizations that cannot absorb that kind of disruption.
The report also flagged something that should be ringing alarm bells for anyone in a security leadership role. The percentage of respondents who said their organization has a cyber-resilience strategy dropped from 90% to 68% in one year. The percentage who said their company prioritizes cyber-resilience over traditional prevention, detection, and response dropped from 83% to 65%. Those are dramatic declines in both the presence of strategy and the prioritization of resilience, in a year when the actual breach numbers were going up. That is moving in the wrong direction at a pace that suggests organizations are either losing confidence in their strategies or abandoning them under resource pressure.
The connection between endpoint resilience and recovery time is one I think about a lot in the context of my own work. Centralizing patch management, standardizing device configurations, implementing MDM (mobile device management) platforms, and maintaining clean offboarding processes so there are no orphaned endpoints sitting out there waiting to become a liability: none of these is just an operational best practice. They are the foundation of rapid recovery when something goes wrong. Organizations that have done that work consistently can recover faster because they know exactly what they have, where it is, and how to restore it. Organizations that have not are figuring that out during the incident, which is the most expensive time to figure anything out.
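As an added illustration of the "know exactly what you have" point above (example code, not from the article or the Absolute Security report), here is a small reconciliation of an MDM device export against the active-user roster. It flags orphaned endpoints whose owner has been offboarded, unassigned devices, devices that have stopped checking in, and devices behind the patch baseline. The device records, user list, 30-day staleness window and patch baseline are all constructed assumptions for the demonstration.

```python
"""Reconcile an MDM inventory against the HR active-user roster.

Constructed sample data; a real run would load an MDM export and an HR feed.
"""
from datetime import datetime, timedelta, timezone

# Fixed "current" time so the example is deterministic (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed roster: users who are still employed according to HR.
ACTIVE_USERS = {"alice", "bob", "carol"}

# Constructed MDM export: one record per enrolled endpoint.
MDM_DEVICES = [
    {"serial": "SN-001", "owner": "alice", "last_checkin": "2024-05-31T08:00:00Z", "patch_level": "2024-05"},
    {"serial": "SN-002", "owner": "dave",  "last_checkin": "2024-05-30T12:00:00Z", "patch_level": "2024-05"},  # dave was offboarded
    {"serial": "SN-003", "owner": "bob",   "last_checkin": "2024-03-01T09:00:00Z", "patch_level": "2024-02"},  # silent for months
    {"serial": "SN-004", "owner": None,    "last_checkin": "2024-05-29T10:00:00Z", "patch_level": "2024-05"},  # never assigned
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the constructed export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(devices, active_users, now, stale_after=timedelta(days=30), baseline_patch="2024-05"):
    """Return serials grouped by finding so each can be routed to a remediation queue.

    - orphaned:        owner no longer in the active roster (offboarding gap)
    - unassigned:      no owner recorded at all
    - stale:           no check-in within `stale_after`
    - behind_baseline: patch level older than the current baseline (YYYY-MM strings compare lexically)
    """
    findings = {"orphaned": [], "unassigned": [], "stale": [], "behind_baseline": []}
    for dev in devices:
        owner = dev["owner"]
        if owner is None:
            findings["unassigned"].append(dev["serial"])
        elif owner not in active_users:
            findings["orphaned"].append(dev["serial"])
        if now - parse_ts(dev["last_checkin"]) > stale_after:
            findings["stale"].append(dev["serial"])
        if dev["patch_level"] < baseline_patch:
            findings["behind_baseline"].append(dev["serial"])
    return findings


if __name__ == "__main__":
    for category, serials in reconcile(MDM_DEVICES, ACTIVE_USERS, NOW).items():
        print(f"{category:16s} {serials}")
```

Run against a real export, every non-empty list is a device you would be discovering for the first time mid-incident if the reconciliation were not routine.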
The last thing worth noting is the personal liability component. 59% of the CISOs surveyed said they are concerned that a major security incident causing downtime could lead to job losses, personal liability, and legal penalties. That is a significant share of security leaders operating with that weight on them. It is also a strong argument for making the business case for cyber-resilience investment while everything is still calm, because making it after an incident is both harder and significantly more unpleasant. The time to fix the roof is before it rains. The time to build your resilience strategy is before you need it. I will keep saying this until it sticks.
https://www.infosecurity-magazine.com/news/fifth-breaches-two-weeks-recover/