The 1-10-60 Rule of Cybersecurity Explained

When it comes to cybersecurity breaches, timing is everything. The faster you can detect and solve a digital breach, the safer your brand – and the personal data of your customers – will be overall. Cyber attacks happen on a daily basis, and it’s impossible to prevent all threats or breaches.

But your organization can stay ahead of modern attacks by practicing the 1-10-60 rule of cybersecurity. This rule will help you develop a goal oriented framework around which you can devise a comprehensive, responsive security strategy.

What is the 1-10-60 Rule of Cybersecurity?

Put simply, the 1-10-60 rule of cybersecurity is a goal that your security team should try to achieve through practice, modern technology, and other methods. The rule is meant as a metric that helps your team respond faster than the attacker's breakout time, whatever the initial weakness, including attacks launched from local endpoints. Ransomware, malware, and other threats require a fast incident response, including threat hunting, remediation, and more.

The 1-10-60 rule of cybersecurity states that it should take your security team:

· 1 minute to detect a digital breach
· 10 minutes to investigate the breach
· 60 minutes to remediate or solve the breach

Let’s take a closer look at each of these elements one by one.

1 Minute to Detect a Breach

The faster you can catch a security incident or security breach, the faster you can take steps to solve it and improve resiliency. That’s why the first step to the 1-10-60 rule of cybersecurity is determining that your business has been compromised in the first place.

Your organization should strive for an average breach detection time of one minute. In other words, it should take your security team one minute or less to determine that your firewall has been breached or that your brand has been compromised by some other digital threat.

In comparison, it takes many hours or weeks for many organizations to detect that they have been attacked or breached in the first place. The longer this takes, the more vulnerable your business will be to long-lasting harm or severe digital theft.

10 Minutes to Investigate the Breach

The second element of the 1-10-60 rule of cybersecurity is taking 10 minutes to investigate the breach. As your security team gathers more information about a digital breach, it will have an easier time containing and/or neutralizing the problem.

Thus, your team needs to spend some time investigating the threat, its attack vector, and its likely goals or purpose (i.e., opening up a bigger breach, stealing customer data, etc.). That said, you should never spend too long on this step; the longer you spend investigating, the less time you have to solve the problem as the attacker continues their work.

In comparison to the average, the 10 minute timeframe is quite rapid. Most organizations take several hours, days, or even weeks to investigate a breach (after taking quite a long time to determine they were attacked at all).

60 Minutes to Fix the Breach

The last part of the 1-10-60 rule of cybersecurity is to spend 60 minutes or less fixing the breach. In other words, you want to patch whatever digital weakness your security stack has in less than an hour.

The reasons are obvious. The faster you fix a breach, the less damage a digital attacker can do to your enterprise. Most organizations take many hours or days to contain digital threats once they have been detected. But if your team can get this down to less than an hour, the odds of a cybersecurity attack being particularly devastating are significantly lowered. It takes even sophisticated hackers lots of time to complete data theft or other malicious objectives.

Combined, the 1-10-60 rule of cybersecurity sets a security response standard and framework that your team can aspire to. If your brand can master the 1-10-60 rule of cybersecurity, it’ll be well-equipped to defend itself against all cyber attacks.

Cybercriminals are masters of avoiding endpoint detection and causing data breaches, especially in cloud environments. Thus, following the 1-10-60 rule of cybersecurity, paired with effective allowlisting technology to protect your endpoints, is an absolute must.

Why is the 1-10-60 Rule of Cybersecurity Important?

The 1-10-60 rule of cybersecurity is important because it can be difficult for cybersecurity teams to know how to divide their time and energy or how to prioritize their efforts.

For example, upon discovering that a firewall has been breached, a cybersecurity team might initially spend much more time than is necessary investigating the threat. The 1-10-60 rule of cybersecurity solves this problem by telling the team that they only have 10 minutes to do their investigation before they need to move on to at least preliminary patching/security fixes.

Think of the 1-10-60 rule of cybersecurity as an effective guideline to help your team fix security flaws ASAP without compromising the quality of their solutions. Nation-states, the healthcare industry, and threat intelligence agencies apply the 1-10-60 rule to reduce cyber risk from threat actors and improve antivirus response quality, including with next generation automation strategies and tools.

In a broad sense, the 1-10-60 rule of cybersecurity highlights the importance of speed for security teams. When solving the issue quickly is everything, knowing how quickly the work needs to get done helps brands funnel more money into cybersecurity and change their training approaches to ensure a more rapid-fire, yet still effective, response to digital intrusions.

How Long Does the Average Breach Response Take?

The 1-10-60 rule of cybersecurity is especially important in the modern digital era, as many organizations take weeks or months to discover that they have been attacked and to effect responses or solutions to those breaches. Based on our own analysis, the average breach response takes well over six months for a standard business to detect an attack, investigate it, and put up a security patch or otherwise prevent the same attack from occurring in the future.

How to Ensure Your Organization Follows the 1-10-60 Rule of Cybersecurity

To make sure that your organization follows the 1-10-60 rule of cybersecurity and achieves its quick standards, you should take several steps at the earliest opportunity.

Employ a Dedicated Security Team

First and foremost, your brand should employ a dedicated security team if it doesn’t already. The security team can be a squad of in-house cybersecurity specialists: people who work for your brand, know the ins and outs of your defense net, and know how best to employ countermeasures in response to the most common digital attacks in your industry.

However, you might be better served by hiring a third-party cybersecurity team, especially if most of your IT infrastructure is located on the cloud. Third-party cybersecurity agencies can provide 24/7 monitoring and responses to all digital intrusions, plus are oftentimes more cost-effective than hiring a dedicated cybersecurity roster with salaries, benefits, etc.

Train Regularly

Regardless of who provides your cybersecurity services, they need to train regularly. If you rely on an in-house cybersecurity team, make sure that they train themselves to improve their response times so they can meet the 1-10-60 rule of cybersecurity standards.

If, for instance, your team runs a penetration test with an ethical hacker and finds that it takes the team over an hour to thoroughly investigate a breach, it should then prioritize cutting that time down to 10 minutes or less.

Practice makes perfect, especially when it comes to timing-based methodologies like the 1-10-60 rule of cybersecurity. The more practice your team has under its belt, the better they’ll perform under pressure when a real cyber attack occurs.

Stay Up to Date with Modern Threats

Lastly, your cybersecurity team needs to stay up-to-date and knowledgeable about modern, evolving cyber threats. Cybersecurity is always changing, and the likelihood of one attack or another impacting your business can change by the day.

With that in mind, remember that your cybersecurity responses have to be agile and adaptive. If you spend too much time training for last year’s most common cyber attacks, your team might be unprepared for a new cyber threat that comes knocking at your digital door.

Implement an Effective Endpoint Protection Suite

Following the 1-10-60 rule of cybersecurity will set your organization up for minimal damages in the event of a cyberattack, but how can you prevent it outright? The best way to prevent a cyberattack from occurring in the first place is establishing an effective cybersecurity stack. Allowlisting is fundamental to absolute prevention and should be at the forefront of any cybersecurity stack that aims to prevent digital threats.

Wrap Up

The 1-10-60 rule of cybersecurity is a good security standard you should strive to meet. By achieving and maintaining a timed response of one minute, 10 minutes, and 60 minutes for each stage of cyber attack response, your organization will be much safer and much more responsive in the face of a digital attack.
