Kaspersky Report Finds More than 50% of Incident Response Requests Occur After Damage from a Cyber Attack is Complete

Thursday, August 29, 2019

Company: Kaspersky Labs Inc

Woburn, MA – August 29, 2019 – According to new research from Kaspersky, roughly 56% of Incident Response (IR) requests processed by security experts in 2018 occurred after the affected organization experienced an attack that had tangible consequences such as unauthorized money transfers, workstations encrypted by ransomware and service unavailability. The remaining 44% of requests were processed after an attack was detected during an early stage of infection, saving organizations from more severe malicious activity. This research highlights the importance of using incident response not only to investigate an attack after it happens, but also to catch an attack at an earlier stage and prevent additional damage.

In 2018, 22% of IR cases were initiated after detection of potential malicious activity in the network, and an additional 22% were initiated after a malicious file was found in the network. Without any other signs of a breach, both cases may suggest that there is an ongoing attack. However, not every corporate security team may be able to determine whether automated security tools have already detected and stopped the malicious activity, or whether these signs were just the beginning of a larger, invisible malicious operation in the network for which external specialists are needed.

As a result of incorrect assessment, malicious activity evolves into a serious cyberattack with real consequences. In 2018, 26% of investigated “late” cases were caused by infection with ransomware, while 11% of attacks resulted in monetary theft. 8% of “late” cases were a result of detecting spam from a corporate email account, 7% were a result of hooliganism and 4% were a result of detecting service unavailability.

“This situation indicates that, in many companies, there is certainly room for improvement of detection methods and incident response procedures,” said Ayman Shaaban, security expert at Kaspersky. “The earlier an organization catches an attack, the smaller the consequences will be. But based on our experience, companies often do not pay proper attention to artifacts of serious attacks, and our incident response team often is being called when it is already too late to prevent damage. On the other hand, we see that many companies have learned how to assess signs of a serious cyberattack in their network and we were able to prevent what could have been more severe incidents. We call on other organizations to consider this as a successful case study.”

Additional findings of the report include:

  • 81% of organizations that provided data for analysis were found to have indicators of malicious activity in their internal network.
  • 34% of organizations exhibited signs of an advanced targeted attack.
  • 54.2% of financial organizations were found to be attacked by an advanced persistent threat (APT) group or groups.

Read the full text of the report on

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at
