Protecting against a data breach is an increasingly complex problem for organizations — and the average cost of a data breach continues to rise, up to an average of $3.92 million in 2019 for those surveyed, according to the “Cost of a Data Breach Report,” conducted by the Ponemon Institute on behalf of IBM Security. Although protection is an essential part of cybersecurity, the odds of a breach are also rising. This puts pressure on security teams to have a plan to respond to what seems like an inevitability: that a breach will occur.


Despite the obvious concern organizations may have about these trends, among the more encouraging findings from the “Cost of a Data Breach Report” is the effectiveness of incident response in mitigating data breach costs. What you do after a cyber incident can really make a difference in the cost.

What Factors Contribute to the Cost of a Data Breach?

The “Cost of a Data Breach Report” examined hundreds of factors that influenced the cost of a data breach at more than 500 organizations over a period of 12 months in 2018 and 2019, from detection and notification costs to regulatory fines, legal costs and lost business. The beauty of this research is that it allows us to understand how these different factors can influence costs, for better or worse.

We say on my team — the IBM X-Force Incident Response and Intelligence Services (IRIS) team — that a rapid response to a cyber incident and the ability to limit the impact is what makes the difference between a contained disaster and a far-reaching catastrophe. In other words, time is money. The data seems to back that up.

Among the leading contributors to the cost of the data breaches studied in the 2019 report was the time to detect and contain a breach, what’s known as the data breach life cycle. The average data breach life cycle in the 2019 study was 279 days, but organizations in the study that contained a breach in less than 200 days experienced costs that were, on average, roughly $1.2 million less than organizations that took more than 200 days to contain a breach ($3.34 million versus $4.56 million), for a difference of 37 percent.

Factors studied that contributed to this cost difference included the type of breach. The most expensive breaches were those caused by malicious attackers, whether outside actors or malicious insiders, and those breaches took much longer to identify and contain (314 days on average versus the overall average of 279 days). This could be because the longer it takes to identify and contain a breach, the more time an attacker has to move around in your systems and cause damage, and the more costly it becomes to investigate the breach and clean up the damage.

This is especially true in the case of destructive attacks, including wiper ransomware such as the multibillion-dollar epidemic of NotPetya in 2017, or the more recent LockerGoga attacks. According to a recent X-Force IRIS report on destructive attacks, where we looked at costs to IRIS clients that have been hit by these attacks, large multinational companies faced an average cost of $239 million — or 61 times the average cost of a data breach.

Incident Response Teams and Testing Your Plan

Among a set of 26 factors examined in the 2019 study, two of the most impactful ways to mitigate the total cost of a data breach involve incident response. The formation of an incident response team was the top cost-mitigating factor, reducing the average total cost of a data breach by $360,000 (for an adjusted average cost of $3.56 million versus the overall average of $3.92 million). Following close behind, extensive tests of an incident response plan reduced the average total cost by $320,000 (for an adjusted cost of $3.6 million).

Most impressive of all, the study found that surveyed organizations that both had an incident response team and tested their incident response plan had an average total cost of $3.51 million, while surveyed organizations that did not have an incident response team and did not test their incident response plan had an average total cost of $4.74 million.

That’s a cost savings of $1.23 million, a 35 percent reduction. My takeaway from this finding is that having an incident response team and an incident response plan is the baseline. To really cut the time to respond to and contain a breach — and therefore cut the total cost of a breach — you should run through your playbook over and over again until it becomes ingrained in your team’s muscle memory.

Steps to Help Improve Incident Response and Minimize Financial Impacts

Prevention is not always possible, so preparation and planning are essential to help minimize the fallout of a cyber incident. I suggest the following five ways to help cut down on your response time and minimize the financial and reputational damages of a data breach.

1. Put Your Incident Response Team and Plan to the Test

The effectiveness of your incident response depends on building your plan, testing it, finding what’s not effective and adjusting your plan accordingly. But your plan is only as good as the people executing it. Teams need to practice leadership, communication and decision-making skills to handle the toughest situations. Tabletop exercises help, but teams might have more success building their emotional and physical response capabilities in a simulated environment, such as a cyber range.

2. Invest in Technologies to Help Improve Your Ability to Rapidly Detect and Contain a Breach

As much as possible, you should automate your response through technologies, including enterprise detection and response tools that can assist with automating orchestration. The “Cost of a Data Breach Report” found that security automation helped reduce the cost of a data breach for organizations surveyed by as much as 50 percent. Organizations with security automation fully deployed had an average data breach cost of $2.65 million in 2019, whereas organizations without security automation deployed had an average cost of $5.16 million.

3. Use Threat Intelligence to Understand Risks and Optimize Security

In the 2019 “Cost of a Data Breach Report,” 51 percent of breaches for surveyed organizations were caused by malicious or criminal attacks. Threat intelligence can help provide insights into the different motivations, capabilities and intentions of attackers, allowing you to understand your risks and make more efficient security investments.

4. Back Up Your Systems and Data and Have a Business Continuity Plan

Lost business was the biggest of four major cost categories studied in the 2019 data breach report — more expensive than detection and escalation, notification, and post-response costs such as legal costs. You don’t want to have the cost of a breach amplified by shutting down systems or having destructive attacks wipe out data or systems that are costly to recover. Organizations should store backups offline, inaccessible from primary systems, so attackers can’t compromise them.

5. When All Else Fails, Call the Experts

If your incident response team is underprepared or overwhelmed, consider evaluating incident response service providers who can step into the fray to help you handle a complex cyber incident such as a destructive attack. Incident response leaders can help you not only contain the attack, but also remediate and recover to help get your business running again. There’s no shame in asking for help when you really need it, especially considering the cost of a botched response.
