Protecting against a data breach is an increasingly complex problem for organizations, and the average cost of a data breach continues to rise, up to an average of $3.92 million in 2019 for those surveyed, according to the “Cost of a Data Breach Report,” conducted by the Ponemon Institute on behalf of IBM Security. Although protection is an essential part of cybersecurity, the odds of a breach are also rising. This can put pressure on security teams to have a plan to respond to what seems like an inevitability: that a breach will occur.

Despite the obvious concern organizations may have about these trends, among the more encouraging findings from the “Cost of a Data Breach Report” is the effectiveness of incident response in mitigating data breach costs. What you do after a cyber incident can really make a difference in the cost.

What Factors Contribute to the Cost of a Data Breach?

The “Cost of a Data Breach Report” examined hundreds of factors that influenced the cost of a data breach at more than 500 organizations over a period of 12 months in 2018 and 2019, from detection and notification costs to regulatory fines, legal costs and lost business. The beauty of this research is that it allows us to understand how these different factors can influence costs, for better or worse.

We say on my team — the IBM X-Force Incident Response and Intelligence Services (IRIS) team — that a rapid response to a cyber incident and the ability to limit the impact is what makes the difference between a contained disaster and a far-reaching catastrophe. In other words, time is money. The data seems to back that up.

Among the leading contributors to the cost of the data breaches studied in the 2019 report was the time to detect and contain a breach, what’s known as the data breach life cycle. The average data breach life cycle in the 2019 study was 279 days, but organizations in the study that contained a breach in less than 200 days experienced costs that were, on average, roughly $1.2 million less than organizations that took more than 200 days to contain a breach ($3.34 million versus $4.56 million), for a difference of 37 percent.

Factors studied that contributed to this cost difference included the type of breach; the most expensive breaches were those that were caused by malicious attackers, whether outside actors or malicious insiders, and breaches caused by malicious attackers took much longer to identify and contain (314 days on average versus the overall average of 279 days). This could be because the longer it takes to identify and contain a breach, the more time an attacker could have to move around in your systems and cause damage, and the more costly it would be to investigate the breach and clean up the damage.

This is especially true in the case of destructive attacks, including wiper ransomware such as the multibillion-dollar epidemic of NotPetya in 2017, or the more recent LockerGoga attacks. According to a recent X-Force IRIS report on destructive attacks, where we looked at costs to IRIS clients that have been hit by these attacks, large multinational companies faced an average cost of $239 million — or 61 times the average cost of a data breach.

Incident Response Teams and Testing Your Plan

Among a set of 26 factors examined in the 2019 study, two of the most impactful ways to mitigate the total cost of a data breach involve incident response. The formation of an incident response team was the top cost-mitigating factor, reducing the average total cost of a data breach by $360,000 (for an adjusted average cost of $3.56 million versus the overall average of $3.92 million). Following close behind, extensive tests of an incident response plan reduced the average total cost by $320,000 (for an adjusted cost of $3.6 million).

Most impressive of all, the study found that surveyed organizations that both had an incident response team and tested their incident response plan had an average total cost of $3.51 million, while surveyed organizations that did not have an incident response team and did not test their incident response plan had an average total cost of $4.74 million.

That’s a cost savings of $1.23 million, a 35 percent reduction. My takeaway from this finding is that having an incident response team and an incident response plan is the baseline. To really cut the time to respond to and contain a breach — and therefore cut the total cost of a breach — you should run through your playbook over and over again until it becomes ingrained in your team’s muscle memory.

Steps to Help Improve Incident Response and Minimize Financial Impacts

Prevention is not always possible, so preparation and planning are essential to help minimize the fallout of a cyber incident. I suggest the following five ways to help cut down on your response time and minimize the financial and reputational damages of a data breach.

1. Put Your Incident Response Team and Plan to the Test

The effectiveness of your incident response depends on building your plan, testing it, finding what’s not effective and adjusting your plan accordingly. But your plan is only as good as the people executing it. Teams need to practice leadership, communication and decision-making skills to handle the toughest situations. Tabletop exercises help, but teams might have more success building their emotional and physical response capabilities in a simulated environment, such as a cyber range.

2. Invest in Technologies to Help Improve Your Ability to Rapidly Detect and Contain a Breach

As much as possible, you should automate your response through technologies, including enterprise detection and response tools that can assist with automating orchestration. The “Cost of a Data Breach Report” found that security automation helped reduce the cost of a data breach for organizations surveyed by as much as 50 percent. Organizations with security automation fully deployed had an average data breach cost of $2.65 million in 2019, whereas organizations without security automation deployed had an average cost of $5.16 million.

3. Use Threat Intelligence to Understand Risks and Optimize Security

In the 2019 “Cost of a Data Breach Report,” 51 percent of breaches for surveyed organizations were caused by malicious or criminal attacks. Threat intelligence can help provide insights into the different motivations, capabilities and intentions of attackers, allowing you to understand your risks and make more efficient security investments.

4. Back Up Your Systems and Data and Have a Business Continuity Plan

Lost business was the biggest of four major cost categories studied in the 2019 data breach report — more expensive than detection and escalation, notification, and post-response costs such as legal costs. You don’t want to have the cost of a breach amplified by shutting down systems or having destructive attacks wipe out data or systems that are costly to recover. Organizations should store backups offline, inaccessible from primary systems, so attackers can’t compromise them.

5. When All Else Fails, Call the Experts

If your incident response team is underprepared or overwhelmed, consider evaluating incident response service providers who can step into the fray to help you handle a complex cyber incident such as a destructive attack. Incident response leaders can help you not only contain the attack, but also remediate and recover to help get your business running again. There’s no shame in asking for help when you really need it, especially considering the cost of a botched response.
