Security breaches are part and parcel of running a modern organisation. Research completed by the Clark School at the University of Maryland showed that hackers attack every 39 seconds. With organisations exposed to such a high volume of threats, Incident Response has become just as important, if not more important than threat prevention.
The main reason for the growing importance of Incident Response is that an organisation can’t defend against every threat vector, which means companies need to have the ability to remediate incidents quickly to reduce downtime. However, most companies struggle with incident response, with the average time to detect and contain a data breach being 280 days.
In this article, we're going to look at what Incident Response is, the 6 key phases of the incident response process, why organisations need to outsource it to an external provider, and the pitfalls of managing it internally.
Incident Response is an organisation's reaction to a security incident that has taken a device offline: the actions taken to get that infrastructure back online, from detecting and remediating the threat to restoring the affected devices. A mature Incident Response process can be broken down into several key phases:
The individuals who guide an organisation through each of these phases are known as incident responders. Incident responders have an interdisciplinary role that borrows techniques from other cyber security roles, such as cyber security engineers, vulnerability analysts, forensic analysts, penetration testers, risk analysts, and SOC analysts, to respond to data breaches on a case-by-case basis.
Managing Incident Response internally isn't recommended for most organisations because most companies don't have the resources to maintain a team of cyber security specialists on-demand 24 hours a day. For these companies, it's much more cost-effective to partner with a managed service provider who can provide 24/7/365 access to an experienced team of cyber security professionals.
If you’re unsure about whether you have the resources needed to manage Incident Response in-house, there are some key questions you can ask yourself to assess your need for an Incident Response service:
If the answer to any of the questions above is no, then using an external Incident Response service is vital to make sure that you're fully protected in the event of a security breach. A reputable provider will help you manage security incidents safely from start to finish so that you can remediate disruptions quickly and return to normal operations.
Those companies that do decide to manage Incident Response internally typically confront some common pitfalls that leave them unprepared to resolve security incidents. Some of the main pitfalls organisations face at each stage of the incident response process include:
Taken together, these challenges mean that it's much easier for an organisation to outsource incident response to an experienced managed service provider who already has a battle-tested process in place and professionals who have helped hundreds of companies manage security events.
Defending against modern cyber threats isn't easy, and it's ok if your organisation doesn't have the onsite resources needed to stop the next generation of online threats because most organisations don't. By seeking help from an Incident Response provider, you can give your team peace of mind that your organisation is protected against the latest threats.
That means that when there is a breach, you'll have on-demand access to a team of experts who will tell you exactly what you need to do to protect your information and your customers' information, so that your employees can get back to work safely.
A month ago, Ponemon and IBM released the Cost of a Data Breach 2021 report, an annual study on the cost of data breaches and the modern threat landscape. The report not only highlighted that the cost of data breaches is on the rise but also showed that enterprises are taking longer to contain security incidents.
This article will examine seven key findings from the report and break down some of the most promising solutions that enterprises can use to reduce the costs associated with breach incidents.
1. The average cost of a data breach reaches an all-time high
One of the most striking findings of the report was that the overall cost of a data breach is increasing. 2021 saw the highest average cost of a data breach in 17 years, at $4.24 million. This figure is the highest in the report's history, a 10% increase from 2020 to 2021.
The top five industries with the highest average total cost were Healthcare ($9.23 million), Financial ($5.72 million), Pharmaceuticals ($5.04 million), Technology ($4.88 million), and Energy ($4.65 million). This is unsurprising, given the complex web of regulations that healthcare and finance organisations need to navigate.
It's worth noting that the public sector also saw a significant increase in data breach costs, rising by 78.7% from $1.08 million in 2020 to $1.93 million in 2021. The public sector wasn't alone in seeing cost increases; the retail, media, hospitality, and communications industries also saw an increase in average data breach costs.
2. Lost business is the biggest cost of a data breach
When breaking down the factors that contributed to the overall cost of a data breach, the report found that lost business carried the highest cost, accounting for 38% of the average total cost of a data breach for a total of $1.59 million.
The cost accounts for a range of business costs arising from a data breach, from initial business disruption to revenue loss due to downtime, customer loss, customer acquisition, and reputational damage.
The next most significant cost was detection and escalation costs with an average cost of $1.24 million, at 29% of the cost of a data breach. The third most significant cost was post-breach response at 27%, which accounted for $1.14 million.
These findings suggest that enterprises need to invest in more cost-efficient technologies for detecting security incidents while planning and optimising their incident response processes to enhance post-breach response.
3. Remote working environments are struggling to contain data breaches
The report also highlighted that decentralised remote working environments increase the impact of data breaches considerably. In fact, organisations with more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than organisations with 50% or fewer employees working remotely.
The longer time taken to identify and contain breaches also increased the overall cost of intrusions in remote environments. For instance, the average cost of a data breach was $1.07 million higher where remote work was a factor in causing the breach.
These findings indicate that organisations offering work from home opportunities to employees need to ensure that security best practices are maintained off-site, or they leave themselves at risk of encountering security incidents that are more difficult to contain.
4. Enterprises are taking longer to identify and contain data breaches
Due to the increasing complexity of modern threats, enterprises are taking longer to identify and contain data breaches. The average time taken for organisations to contain data breaches was 287 days in 2021, 7 days more than in 2020.
Organisations that took longer to identify data breaches also had a higher overall incident cost. Breaches with a lifecycle of over 200 days had an average cost of $4.87 million compared to $3.61 million for breaches with a lifecycle of less than 200 days.
While this is likely due to the fact that the longer it takes to contain an incident, the greater the chance of data loss, downtime, and regulatory liabilities, it also depended heavily on the initial attack vector.
Data breaches caused by compromised credentials were the most difficult to contain, taking an average of 341 days, compared to business email compromise at 317 days, malicious insiders at 306 days, phishing at 293 days, physical security compromise at 292 days, and social engineering at 290 days.
5. Compromised credentials may be the most common threat but they don’t have the highest average cost
The most frequent initial attack vectors identified in the study were compromised credentials, accounting for 20% of breaches, followed by phishing attempts (17%), cloud misconfiguration (15%), and business email compromise (4%).
Although compromised credentials were involved in the highest proportion of data breaches, they didn't have the highest average cost. Business email compromise was the initial attack vector with the highest overall cost, with an average cost of $5.01 million.
The other threat vectors with the highest costs included phishing attacks, with an average cost of $4.65 million, followed by malicious insiders at $4.61 million, social engineering at $4.47 million, and compromised credentials at $4.37 million.
6. Incident Response has a big role to play in cutting costs
The research also found that incident response strategies had a significant role to play in reducing costs, with the average cost of a data breach totalling $3.25 million in organisations with incident response capabilities compared to $5.71 million in organisations without an incident response plan in place.
In other words, organisations that implement a balanced incident response plan can expect to cut the cost of a data breach by $2.46 million, meaning that investing in incident response is key for limiting the costs of security incidents going forward.
Part of the reason for the effectiveness in reducing costs is that a well-thought-out incident response plan can decrease the amount of time it takes to contain security incidents and lessens the overall financial impact of a breach.
7. AI, automation and zero-trust offer some protection against data breaches
A number of other solutions also had success in decreasing the overall cost of data breaches. For example, organisations using AI and automation experienced an 80% lower average data breach cost, an average of $2.90 million compared to $6.71 million in organisations without AI or automation.
A key reason for this dramatic decrease in cost is the fact that organisations implementing AI and automation can automate security incident investigations and reduce the number of manual tasks needed to investigate security incidents.
The research also highlighted that zero-trust approaches help reduce the costs of data breaches, though not as dramatically as AI and automation. Organisations in a mature stage of zero-trust deployment had an average cost of a breach of $3.28 million, $1.76 million less than organisations without zero-trust implementations in place.
This suggests that zero-trust approaches are worth investing in alongside AI and automation to shield protected data from unauthorised users and decrease an organisation’s overall data breach liabilities.
As costs increase, organisations need to invest to stay protected
As the costs of data breaches continue to rise and threats become more difficult to contain, organisations need to adapt and invest in technologies and approaches that can optimise their incident prevention and resolution capabilities.
Taking steps such as investing in an incident response plan and implementing AI, automation, and zero-trust is key to decreasing the costs of security incidents in the future and to avoiding the devastation associated with lost business and reputational damage.