Protecting against a data breach is increasingly a complex problem for organizations — and the average cost of a data breach continues to rise, up to an average of $3.92 million in 2019 for those surveyed, according to the “Cost of a Data Breach Report,” conducted by the Ponemon Institute on behalf of IBM Security. Although protection is an essential part of cybersecurity, the odds of a breach are also rising. This can put pressure on security teams to have a plan to respond to what seems like an inevitability: that a breach will occur.

See the 2020 Cost of a Data Breach report and calculator

Despite the obvious concern organizations may have about these trends, among the more encouraging findings from the “Cost of a Data Breach Report” is the effectiveness of incident response in mitigating data breach costs. What you do after a cyber incident can really make a difference in the cost.

What Factors Contribute to the Cost of a Data Breach?

The “Cost of a Data Breach Report” examined hundreds of factors that influenced the cost of a data breach at more than 500 organizations over a period of 12 months in 2018 and 2019, from detection and notification costs to regulatory fines, legal costs and lost business. The beauty of this research is that it allows us to understand how these different factors can influence costs, for better or worse.

We say on my team — the IBM X-Force Incident Response and Intelligence Services (IRIS) team — that a rapid response to a cyber incident and the ability to limit the impact is what makes the difference between a contained disaster and a far-reaching catastrophe. In other words, time is money. The data seems to back that up.

Among the leading contributors to the cost of the data breaches studied in the 2019 report was the time to detect and contain a breach, what’s known as the data breach life cycle. The average data breach life cycle in the 2019 study was 279 days, but organizations in the study that contained a breach in less than 200 days experienced costs that were, on average, roughly $1.2 million less than organizations that took more than 200 days to contain a breach ($3.34 million versus $4.56 million), for a difference of 37 percent.

Factors studied that contributed to this cost difference included the type of breach; the most expensive breaches were those that were caused by malicious attackers, whether outside actors or malicious insiders, and breaches caused by malicious attackers took much longer to identify and contain (314 days on average versus the overall average of 279 days). This could be because the longer it takes to identify and contain a breach, the more time an attacker could have to move around in your systems and cause damage, and the more costly it would be to investigate the breach and clean up the damage.

This is especially true in the case of destructive attacks, including wiper ransomware such as the multibillion-dollar epidemic of NotPetya in 2017, or the more recent LockerGoga attacks. According to a recent X-Force IRIS report on destructive attacks, where we looked at costs to IRIS clients that have been hit by these attacks, large multinational companies faced an average cost of $239 million — or 61 times the average cost of a data breach.

Incident Response Teams and Testing Your Plan

Among a set of 26 factors examined in the 2019 study, two of the most impactful ways to mitigate the total cost of a data breach involve incident response. The formation of an incident response team was the top cost-mitigating factor, reducing the average total cost of a data breach by $360,000 (for an adjusted average cost of $3.56 million versus the overall average of $3.92 million). Following close behind, extensive tests of an incident response plan reduced the average total cost by $320,000 (for an adjusted cost of $3.6 million).

Most impressive of all, the study found that surveyed organizations that both had an incident response team and tested their incident response plan had an average total cost of $3.51 million, while surveyed organizations that did not have an incident response team and did not test their incident response plan had an average total cost of $4.74 million.

That’s a cost savings of $1.23 million, a 35 percent reduction. My takeaway from this finding is that having an incident response team and an incident response plan is the baseline. To really cut the time to respond to and contain a breach — and therefore cut the total cost of a breach — you should run through your playbook over and over again until it becomes ingrained in your team’s muscle memory.

Steps to Help Improve Incident Response and Minimize Financial Impacts

Prevention is not always possible, so preparation and planning are essential to help minimize the fallout of a cyber incident. I suggest the following five ways to help cut down on your response time and minimize the financial and reputational damages of a data breach.

1. Put Your Incident Response Team and Plan to the Test

The effectiveness of your incident response depends on building your plan, testing it, finding what’s not effective and adjusting your plan accordingly. But your plan is only as good as the people executing it. Teams need to practice leadership, communication and decision-making skills to handle the toughest situations. Tabletop exercises help, but teams might have more success building their emotional and physical response capabilities in a simulated environment, such as a cyber range.

2. Invest in Technologies to Help Improve Your Ability to Rapidly Detect and Contain a Breach

As much as possible, you should automate your response through technologies, including enterprise detection and response tools that can assist with automating orchestration. The “Cost of a Data Breach Report” found that security automation helped reduce the cost of a data breach for organizations surveyed by as much as 50 percent. Organizations with security automation fully deployed had an average data breach cost of $2.65 million in 2019, whereas organizations without security automation deployed had an average cost of $5.16 million.

3. Use Threat Intelligence to Understand Risks and Optimize Security

In the 2019 “Cost of a Data Breach Report,” 51 percent of breaches for surveyed organizations were caused by malicious or criminal attacks. Threat intelligence can help provide insights into the different motivations, capabilities and intentions of attackers, allowing you to understand your risks and make more efficient security investments.

4. Back Up Your Systems and Data and Have a Business Continuity Plan

Lost business was the biggest of four major cost categories studied in the 2019 data breach report — more expensive than detection and escalation, notification, and post-response costs such as legal costs. You don’t want to have the cost of a breach amplified by shutting down systems or having destructive attacks wipe out data or systems that are costly to recover. Organizations should store backups offline, inaccessible from primary systems, so attackers can’t compromise them.

5. When All Else Fails, Call the Experts

If your incident response team is underprepared or overwhelmed, consider evaluating incident response service providers who can step into the fray to help you handle a complex cyber incident such as a destructive attack. Incident response leaders can help you not only contain the attack, but also remediate and recover to help get your business running again. There’s no shame in asking for help when you really need it, especially considering the cost of a botched response.

Register to access the Cost of a Data Breach Report

More from Incident Response

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Breaking Down a Cyberattack, One Kill Chain Step at a Time

In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions. The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT). Organizations…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…

What is a Red Teamer? All You Need to Know

A red teamer is a cybersecurity professional that works to help companies improve IT security frameworks by attacking and undermining those same frameworks, often without notice. The term “red teaming” is often used interchangeably with penetration testing. While the terms are similar, however, there are key distinctions. First and foremost is the lack of notice from red teams. Pen testing may be scheduled in advance to assess the ability of specific security measures to handle a simulated attack; red team…