Protecting against a data breach is increasingly a complex problem for organizations — and the average cost of a data breach continues to rise, up to an average of $3.92 million in 2019 for those surveyed, according to the “Cost of a Data Breach Report,” conducted by the Ponemon Institute on behalf of IBM Security. Although protection is an essential part of cybersecurity, the odds of a breach are also rising. This can put pressure on security teams to have a plan to respond to what seems like an inevitability: that a breach will occur.

See the 2020 Cost of a Data Breach report and calculator

Despite the obvious concern organizations may have about these trends, among the more encouraging findings from the “Cost of a Data Breach Report” is the effectiveness of incident response in mitigating data breach costs. What you do after a cyber incident can really make a difference in the cost.

What Factors Contribute to the Cost of a Data Breach?

The “Cost of a Data Breach Report” examined hundreds of factors that influenced the cost of a data breach at more than 500 organizations over a period of 12 months in 2018 and 2019, from detection and notification costs to regulatory fines, legal costs and lost business. The beauty of this research is that it allows us to understand how these different factors can influence costs, for better or worse.

We say on my team — the IBM X-Force Incident Response and Intelligence Services (IRIS) team — that a rapid response to a cyber incident and the ability to limit the impact is what makes the difference between a contained disaster and a far-reaching catastrophe. In other words, time is money. The data seems to back that up.

Among the leading contributors to the cost of the data breaches studied in the 2019 report was the time to detect and contain a breach, what’s known as the data breach life cycle. The average data breach life cycle in the 2019 study was 279 days, but organizations in the study that contained a breach in less than 200 days experienced costs that were, on average, roughly $1.2 million less than organizations that took more than 200 days to contain a breach ($3.34 million versus $4.56 million), for a difference of 37 percent.

Factors studied that contributed to this cost difference included the type of breach; the most expensive breaches were those that were caused by malicious attackers, whether outside actors or malicious insiders, and breaches caused by malicious attackers took much longer to identify and contain (314 days on average versus the overall average of 279 days). This could be because the longer it takes to identify and contain a breach, the more time an attacker could have to move around in your systems and cause damage, and the more costly it would be to investigate the breach and clean up the damage.

This is especially true in the case of destructive attacks, including wiper ransomware such as the multibillion-dollar epidemic of NotPetya in 2017, or the more recent LockerGoga attacks. According to a recent X-Force IRIS report on destructive attacks, where we looked at costs to IRIS clients that have been hit by these attacks, large multinational companies faced an average cost of $239 million — or 61 times the average cost of a data breach.

Incident Response Teams and Testing Your Plan

Among a set of 26 factors examined in the 2019 study, two of the most impactful ways to mitigate the total cost of a data breach involve incident response. The formation of an incident response team was the top cost-mitigating factor, reducing the average total cost of a data breach by $360,000 (for an adjusted average cost of $3.56 million versus the overall average of $3.92 million). Following close behind, extensive tests of an incident response plan reduced the average total cost by $320,000 (for an adjusted cost of $3.6 million).

Most impressive of all, the study found that surveyed organizations that both had an incident response team and tested their incident response plan had an average total cost of $3.51 million, while surveyed organizations that did not have an incident response team and did not test their incident response plan had an average total cost of $4.74 million.

That’s a cost savings of $1.23 million, a 35 percent reduction. My takeaway from this finding is that having an incident response team and an incident response plan is the baseline. To really cut the time to respond to and contain a breach — and therefore cut the total cost of a breach — you should run through your playbook over and over again until it becomes ingrained in your team’s muscle memory.

Steps to Help Improve Incident Response and Minimize Financial Impacts

Prevention is not always possible, so preparation and planning are essential to help minimize the fallout of a cyber incident. I suggest the following five ways to help cut down on your response time and minimize the financial and reputational damages of a data breach.

1. Put Your Incident Response Team and Plan to the Test

The effectiveness of your incident response depends on building your plan, testing it, finding what’s not effective and adjusting your plan accordingly. But your plan is only as good as the people executing it. Teams need to practice leadership, communication and decision-making skills to handle the toughest situations. Tabletop exercises help, but teams might have more success building their emotional and physical response capabilities in a simulated environment, such as a cyber range.

2. Invest in Technologies to Help Improve Your Ability to Rapidly Detect and Contain a Breach

As much as possible, you should automate your response through technologies, including enterprise detection and response tools that can assist with automating orchestration. The “Cost of a Data Breach Report” found that security automation helped reduce the cost of a data breach for organizations surveyed by as much as 50 percent. Organizations with security automation fully deployed had an average data breach cost of $2.65 million in 2019, whereas organizations without security automation deployed had an average cost of $5.16 million.

3. Use Threat Intelligence to Understand Risks and Optimize Security

In the 2019 “Cost of a Data Breach Report,” 51 percent of breaches for surveyed organizations were caused by malicious or criminal attacks. Threat intelligence can help provide insights into the different motivations, capabilities and intentions of attackers, allowing you to understand your risks and make more efficient security investments.

4. Back Up Your Systems and Data and Have a Business Continuity Plan

Lost business was the biggest of four major cost categories studied in the 2019 data breach report — more expensive than detection and escalation, notification, and post-response costs such as legal costs. You don’t want to have the cost of a breach amplified by shutting down systems or having destructive attacks wipe out data or systems that are costly to recover. Organizations should store backups offline, inaccessible from primary systems, so attackers can’t compromise them.

5. When All Else Fails, Call the Experts

If your incident response team is underprepared or overwhelmed, consider evaluating incident response service providers who can step into the fray to help you handle a complex cyber incident such as a destructive attack. Incident response leaders can help you not only contain the attack, but also remediate and recover to help get your business running again. There’s no shame in asking for help when you really need it, especially considering the cost of a botched response.

Register to access the Cost of a Data Breach Report

More from Incident Response

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today