Data breaches are enormously expensive. According to data from the Ponemon Institute’s 2017 Cost of Data Breach Study, organizations paid $3.62 million on average to recover from security incidents in which sensitive data was compromised. That represents a 10 percent decline from the 2016 results — the first overall decrease in the history of the global study. Nevertheless, organizations that fall victim to cyberattacks face a significant financial impact.
For the third year in a row, the Ponemon study found that having a formal incident response plan in place significantly reduced the cost of a data breach. An incident response plan greatly increases the speed at which a breach can be identified and contained, which has a direct impact on the financial consequences. On average, the cost of a data breach was nearly $1 million lower for organizations that contained the breach in fewer than 30 days than for those that took more than 30 days.
The SANS Institute has published a guide to help organizations develop an incident response plan. The first step — preparation — is the most important. It is broken down into several components:
The second step in an incident response plan involves identification of an event as a security incident. This requires gathering data from log files, security systems, and other sources and correlating that data to weed out false positives and negatives. Documentation should begin immediately upon detection of an incident.
Once a potential incident has been identified, the response team will likely need to conduct an investigation to understand what type of event they are confronting. The initial investigation should be conducted as rapidly as possible and involve digital forensic experts at an early stage. Forensic experts can analyze systems in a way that preserves evidence.
Only then can the IT team begin work on the next three steps: containment of the breach to minimize damage, eradication of the malicious content, and recovery of affected systems, applications, and data. As a final step, the response team should complete the documentation and assess the incident for lessons learned.