Data Breaches and Incident Response Teams
July 18, 2017 by Bill Rosenthal

What affects the cost of a data breach? As I noted in this blog post a couple weeks ago, the 2017 Cost of Data Breach Study: Global Analysis identified half a dozen contributors:

  • unexpected and unplanned loss of customers (churn rate)
  • number of records lost (the more records lost, the higher the cost)
  • post-breach costs, including the costs of victim notification
  • whether the incident results from an attack or negligence (attacks cost more)
  • time to identify and contain the breach
  • detection and escalation of the incident 

The report, which is sponsored by IBM and performed by the Ponemon Institute, is available here (registration required). Of the half dozen contributors to the cost of a data breach, the last two are the ones over which an organization has the most direct control. That is to say, if you can reduce the time needed to identify and contain breaches, you can reduce their costs. If you can improve your effectiveness at detecting and escalating breach incidents, you can reduce their costs. In fact, the report found that in the presence of an incident response team, the average data breach cost is about 14% less than the average of all data breaches. Given that the average cost of a data breach is $3.62 million, that means that having an incident response team saves more than half a million dollars per breach.

According to the report, the likelihood of your organization incurring a data breach of 10,000 records or more is 27.7% over the next 24 months. (Note that the probability decreases with the number of records lost, which simply means that massive data breaches are less common than smaller ones.) You can do the arithmetic for your organization to see if fielding an incident response team is worth the investment. But I suspect that the first time you have a serious data breach you will either regret not having an incident response team or congratulate yourself on having one.

If you do not have an incident response team, organize one now. Consider the Logical Operations CyberSec First Responder (CFR-210) program. The CyberSec First Responder: Threat Detection and Response course will teach your first responder team to analyze threats, design secure computing and network environments, proactively defend networks, and respond to and investigate cybersecurity incidents. Having a first response team will probably not reduce your risk of being attacked. But the 2017 Cost of Data Breach Study: Global Analysis shows it will dramatically reduce the costs of dealing with the breach.

And if you’re part of the U.S. Department of Defense or an organization that contracts for work with the DoD, you have more than cost considerations to worry about. DoD information systems must comply with approved information assurance and risk management controls, as set down in DoD Directive 8570. One of those controls is the certification of the knowledge, ability, and skills of the IT professionals involved. I’m pleased to say that CFR-210 is fully compliant with DoD Directive 8570. You can read more about our new certification here.