Protecting against a data breach is an increasingly complex problem for organizations — and the average cost of a data breach continues to rise, up to an average of $3.92 million in 2019 for those surveyed, according to the “Cost of a Data Breach Report,” conducted by the Ponemon Institute on behalf of IBM Security. Although protection is an essential part of cybersecurity, the odds of a breach are also rising. This puts pressure on security teams to have a plan for responding to what seems like an inevitability: that a breach will occur.


Despite the obvious concern organizations may have about these trends, among the more encouraging findings from the “Cost of a Data Breach Report” is the effectiveness of incident response in mitigating data breach costs. What you do after a cyber incident can really make a difference in the cost.

What Factors Contribute to the Cost of a Data Breach?

The “Cost of a Data Breach Report” examined hundreds of factors that influenced the cost of a data breach at more than 500 organizations over a period of 12 months in 2018 and 2019, from detection and notification costs to regulatory fines, legal costs and lost business. The beauty of this research is that it allows us to understand how these different factors can influence costs, for better or worse.

We say on my team — the IBM X-Force Incident Response and Intelligence Services (IRIS) team — that a rapid response to a cyber incident and the ability to limit the impact is what makes the difference between a contained disaster and a far-reaching catastrophe. In other words, time is money. The data seems to back that up.

Among the leading contributors to the cost of the data breaches studied in the 2019 report was the time to detect and contain a breach, what’s known as the data breach life cycle. The average data breach life cycle in the 2019 study was 279 days, but organizations in the study that contained a breach in less than 200 days experienced costs that were, on average, roughly $1.2 million less than organizations that took more than 200 days to contain a breach ($3.34 million versus $4.56 million), for a difference of 37 percent.

Factors studied that contributed to this cost difference included the type of breach. The most expensive breaches were those caused by malicious attackers, whether outside actors or malicious insiders, and breaches caused by malicious attackers took much longer to identify and contain (314 days on average versus the overall average of 279 days). This could be because the longer it takes to identify and contain a breach, the more time an attacker has to move around in your systems and cause damage, and the more costly it becomes to investigate the breach and clean up the damage.

This is especially true in the case of destructive attacks, including wiper ransomware such as the multibillion-dollar epidemic of NotPetya in 2017, or the more recent LockerGoga attacks. According to a recent X-Force IRIS report on destructive attacks, where we looked at costs to IRIS clients that have been hit by these attacks, large multinational companies faced an average cost of $239 million — or 61 times the average cost of a data breach.

Incident Response Teams and Testing Your Plan

Among a set of 26 factors examined in the 2019 study, two of the most impactful ways to mitigate the total cost of a data breach involve incident response. The formation of an incident response team was the top cost-mitigating factor, reducing the average total cost of a data breach by $360,000 (for an adjusted average cost of $3.56 million versus the overall average of $3.92 million). Following close behind, extensive tests of an incident response plan reduced the average total cost by $320,000 (for an adjusted cost of $3.6 million).

Most impressive of all, the study found that surveyed organizations that both had an incident response team and tested their incident response plan had an average total cost of $3.51 million, while surveyed organizations that did not have an incident response team and did not test their incident response plan had an average total cost of $4.74 million.

That’s a cost savings of $1.23 million, a 35 percent reduction. My takeaway from this finding is that having an incident response team and an incident response plan is the baseline. To really cut the time to respond to and contain a breach — and therefore cut the total cost of a breach — you should run through your playbook over and over again until it becomes ingrained in your team’s muscle memory.

Steps to Help Improve Incident Response and Minimize Financial Impacts

Prevention is not always possible, so preparation and planning are essential to help minimize the fallout of a cyber incident. I suggest the following five ways to help cut down on your response time and minimize the financial and reputational damages of a data breach.

1. Put Your Incident Response Team and Plan to the Test

The effectiveness of your incident response depends on building your plan, testing it, finding what’s not effective and adjusting your plan accordingly. But your plan is only as good as the people executing it. Teams need to practice leadership, communication and decision-making skills to handle the toughest situations. Tabletop exercises help, but teams might have more success building their emotional and physical response capabilities in a simulated environment, such as a cyber range.

2. Invest in Technologies to Help Improve Your Ability to Rapidly Detect and Contain a Breach

As much as possible, you should automate your response through technologies, including enterprise detection and response tools that can assist with automating orchestration. The “Cost of a Data Breach Report” found that security automation helped reduce the cost of a data breach for organizations surveyed by as much as 50 percent. Organizations with security automation fully deployed had an average data breach cost of $2.65 million in 2019, whereas organizations without security automation deployed had an average cost of $5.16 million.

3. Use Threat Intelligence to Understand Risks and Optimize Security

In the 2019 “Cost of a Data Breach Report,” 51 percent of breaches for surveyed organizations were caused by malicious or criminal attacks. Threat intelligence can help provide insights into the different motivations, capabilities and intentions of attackers, allowing you to understand your risks and make more efficient security investments.

4. Back Up Your Systems and Data and Have a Business Continuity Plan

Lost business was the biggest of four major cost categories studied in the 2019 data breach report — more expensive than detection and escalation, notification, and post-response costs such as legal costs. You don’t want to have the cost of a breach amplified by shutting down systems or having destructive attacks wipe out data or systems that are costly to recover. Organizations should store backups offline, inaccessible from primary systems, so attackers can’t compromise them.

5. When All Else Fails, Call the Experts

If your incident response team is underprepared or overwhelmed, consider evaluating incident response service providers who can step into the fray to help you handle a complex cyber incident such as a destructive attack. Incident response leaders can help you not only contain the attack, but also remediate and recover to help get your business running again. There’s no shame in asking for help when you really need it, especially considering the cost of a botched response.
