A data breach is a costly event. As I noted in my last post, shipping firm Maersk fell victim to a NetPetya malware attack that brought estimated revenue losses of $200 million to $300 million during two weeks of business disruption. That’s many times the $3.62 million average loss sustained in a security incident, according to the Ponemon Institute’s 2017 Cost of Data Breach Study.
It could have been much worse if the company had not had an incident response plan in place. As reported in its interim director’s report for the second quarter of 2017, Maersk was hit by the malware on June 27, and had the attack contained by June 28. By June 29, Maersk Line was able to accept bookings from existing customers. Although the company continued to experience significant disruption from July 3 through July 9, it was able to bring users and applications in 500 locations back online in that short span of time.
An incident response plan is a systematic process for minimizing the downtime, damage and costs of a cyberattack. Key personnel from IT, legal, customer service, public relations and executive management document the procedures they will follow when a security breach occurs. This advance planning can potentially save tens of thousands of dollars in both hard costs and lost business.
The Ponemon study found that having an incident response plan in place reduced the cost of a data breach by more than $19 per lost or stolen record. That’s almost a 15 percent savings compared to the average cost of $141 per lost or stolen record.
The overall cost was nearly $1 million lower on average for organizations that were able to contain a data breach in less than 30 days compared to those that took longer than 30 days. For the third year in a row, the study found that having a formal incident response plan plays a critical role in the speed at which a breach can be identified and contained. Incident response teams help organizations navigate the complicated aspects of containing a data breach to mitigate further losses.
However, the study revealed there’s room for improvement when it comes to the time required to identify and respond to a breach. On average, organizations took more than six months to identify a breach, and more than 66 additional days to contain a breach once discovered.
According to the SANS Institute, there are six steps to an incident response plan:
- Preparation and advance planning
- Identification of true security incidents
- Containment of threats to minimize impact
- Eradication of threats at their origin
- Recovery of systems, applications and data
- Analysis of the incident for process improvement
The plan should include communications procedures and a list of experts who can be called upon for assistance. The plan should be tested at least four times a year, or more frequently if warranted by changes to business processes or the IT environment.
A security breach is inevitable, and many of the latest cyberattacks are designed to not only steal data and extort money but disrupt business as much as possible. Organizations should take a page from the Maersk playbook and develop a formal incident response plan. The very survival of the business could depend on it.
By John Flores, Vice President of Marketing