Top Three Lessons Learned in Incident Response


Notes from the Field to Make Your Business Stronger

According to IBM’s 2021 Cost of a Data Breach Report, the global average total cost of a data breach has increased by almost 12% since 2015. The global average cost has climbed upwards of $4 million, which correlates with the rising average lifecycle of a breach—from the first detection of the breach to its containment. In 2021, the average lifecycle of a breach was 287 days.

For the seventh year in a row, lost business held the largest—and most costly—share of data breach costs with an average total cost of $1.59 million accounting for 38% of the total cost of a data breach. This category includes business disruption and revenue losses from system downtime, cost of lost customers and acquiring new customers, reputation losses and diminished goodwill.

Is there a way to keep this damage from occurring? The answer is yes, if you take the necessary precautions. The same report notes that incident response preparedness was the highest cost-saver for businesses; organizations that had a tested incident response plan saw a 26.4% lower overall cost of breach.

What is Incident Response?

For most businesses, a cybersecurity attack is not a matter of “if,” but “when.” Incident response is how you respond to that attack when it happens. The goal of incident response is not only to get you back up and running after a breach, but also to have the evidence forensically preserved so that a thorough investigation can be performed to help determine whether there was a data privacy breach.

As the cost of breaches and the length of the breach lifecycle rise, so does the sophistication of attacks. To ensure that you are prepared for a breach and that any breaches are fully contained, the IBM report recommends working with a managed security services provider.

What You Can Learn from Incident Response

One thing is for sure: the worst time to think about your incident response plan is when you are responding to an incident. That’s why we’ve compiled the top three lessons we’ve learned in incident response that can help you proactively plan for the future and make your organization more secure.

Lesson #1: Create a Culture of Cybersecurity Awareness

By now, most people know that they don’t have a Nigerian prince uncle who has bequeathed them $1 million payable only by first sending money to an overseas account. However, technology has made it more and more difficult to discern what is legitimate from what is fraud.

By creating a culture of cybersecurity awareness, your employees will be less likely to fall prey to phishing scams or clever ransomware attacks. The IBM report notes that ransomware was the costliest type of breach, while phishing attacks were the second most frequent type of attack (following compromised credentials).

Even when you and your employees have done everything right, there’s still a chance you will face a breach, as was the case with one of our clients.

Although they had created a culture of cybersecurity awareness, they were still breached: the organization’s third-party IT provider was compromised, and the provider used a Remote Desktop Protocol (RDP) tool to connect remotely to the organization’s servers.

Here’s how to create a culture of cybersecurity in your business.

Lesson #2: Have an Incident Response Plan

When an incident occurs, everything is on fire. However, it is imperative that the business remains up and running. Businesses that have an Incident Response Plan are better prepared to investigate and remediate because they have designated people (employees, management, and third parties), processes, and technology to expedite an incident response investigation.

Organizations that are prepared with an Incident Response Plan benefit from a more efficient and effective investigation which leads to more favorable incident response costs.

The work doesn’t stop after you create your IR plan; in fact, in order to get the most out of your plan, it’s imperative that you continually test your plan. You should remain in continuous contact with your cybersecurity insurance company so that you understand your policy and what you should do when there is an incident. You should be testing your IR plan, playbooks and insurance company contacts with tabletop exercises at least yearly.

One of our financial institution clients experienced the value of their IR plan firsthand. When one of their customers alerted them that money had been withdrawn from their account, our client quickly went into incident response. Fortunately for them, they had a robust, documented incident response plan in place which included key contacts at their bank, the FBI, and their incident response team.

Since they had a documented incident response plan, the incident was quickly resolved with help from the incident response team, the FBI, and the bank. IT determined there was a gap in their customer service department that allowed users to reset account passwords without proper authorization. Had it not been for the organization’s incident response plan with key contact information, the money may not have been recovered.

See how Eide Bailly can set your mind at ease with our incident response approach.

Lesson #3: Time is Money

On average, it takes 287 days to identify and contain a data breach and, according to IBM’s Cost of a Data Breach Report, by containing a breach in less than 200 days, you will save your organization over $1 million.

As an example, a client of ours contacted our incident response team the same day they received a spoofed email from one of their customers. We were quickly engaged to investigate their systems, which led to the swift determination that the customer’s systems were likely compromised.

This immediate determination led to a conversation with the client’s customer to help remediate the compromise. Thanks to the client’s quick action in having us perform an immediate incident response investigation, no money was lost and no systems were affected.

Here are some ways that you can stay on top of your system and quickly detect when you’ve been hacked:

  • Provide continuous security awareness training for employees, inclusive of advanced phishing attacks and updates regarding recent cybersecurity attack trends
  • Employ managed detection and response (MDR) services with advanced threat hunting capabilities
  • Utilize Security Information and Event Management (SIEM) technology
  • Have an incident response firm on retainer to be there when you need them the most
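The SIEM point above is easiest to see with a concrete rule. The script below is an added example written for this article, not code from Eide Bailly or from any client engagement; it runs two correlation checks that match the two failure modes described earlier on the page: a third-party IT provider account using RDP to reach servers, and customer-service password resets performed without proper authorization. The sample log lines are constructed, and the field names, vendor account name, approved source network and maintenance window are all assumptions standing in for what a real SIEM would load from asset inventory and the vendor access agreement.

```python
"""SIEM-style correlation checks over constructed sample events (added example)."""
import ipaddress
import json
from datetime import datetime, time

# Constructed sample events in JSON-lines form, not logs from any real client.
# Field names are assumptions about what a SIEM might normalize from Windows
# Security events (4624 logon, 4724 password reset) and a help-desk system.
SAMPLE_LOG = """
{"ts": "2021-06-01T23:10:00", "event": "logon", "user": "svc-msp-admin", "host": "FS01", "logon_type": 10, "src_ip": "203.0.113.10"}
{"ts": "2021-06-02T14:32:00", "event": "logon", "user": "svc-msp-admin", "host": "DC01", "logon_type": 10, "src_ip": "198.51.100.77"}
{"ts": "2021-06-02T09:05:00", "event": "logon", "user": "alice", "host": "WS12", "logon_type": 2, "src_ip": "10.0.0.12"}
{"ts": "2021-06-02T10:00:00", "event": "password_reset", "agent": "bob.cs", "target": "customer-4410", "ticket": "T-1001"}
{"ts": "2021-06-02T10:02:00", "event": "ticket", "id": "T-1001", "identity_verified": true}
{"ts": "2021-06-02T10:20:00", "event": "password_reset", "agent": "bob.cs", "target": "customer-9921", "ticket": null}
{"ts": "2021-06-02T10:25:00", "event": "password_reset", "agent": "carol.cs", "target": "customer-1234", "ticket": "T-1002"}
{"ts": "2021-06-02T10:26:00", "event": "ticket", "id": "T-1002", "identity_verified": false}
"""

# Environment assumptions: which accounts belong to the third-party provider,
# where their connections are expected to come from, and when they may connect.
VENDOR_ACCOUNTS = {"svc-msp-admin"}
VENDOR_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAINTENANCE_START, MAINTENANCE_END = time(22, 0), time(4, 0)  # overnight window
RDP_LOGON_TYPE = 10  # Windows logon type "RemoteInteractive" (RDP)


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def in_maintenance_window(ts):
    """True when ts falls in the overnight window, which crosses midnight."""
    t = ts.time()
    return t >= MAINTENANCE_START or t < MAINTENANCE_END


def flag_vendor_rdp(events):
    """Alert on vendor RDP logons outside the agreed window or from an unapproved source."""
    alerts = []
    for e in events:
        if e.get("event") != "logon" or e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        if e["user"] not in VENDOR_ACCOUNTS:
            continue  # only the third-party provider's accounts are in scope here
        ts = datetime.fromisoformat(e["ts"])
        src = ipaddress.ip_address(e["src_ip"])
        reasons = []
        if not in_maintenance_window(ts):
            reasons.append("outside maintenance window")
        if not any(src in net for net in VENDOR_SOURCE_NETS):
            reasons.append("unapproved source network")
        if reasons:
            alerts.append({"user": e["user"], "host": e["host"], "reasons": reasons})
    return alerts


def flag_unverified_resets(events):
    """Alert on password resets with no ticket, or a ticket lacking identity verification."""
    verified = {e["id"]: e["identity_verified"] for e in events if e.get("event") == "ticket"}
    alerts = []
    for e in events:
        if e.get("event") != "password_reset":
            continue
        ticket = e.get("ticket")
        if ticket is None:
            alerts.append({"agent": e["agent"], "target": e["target"], "reason": "no ticket"})
        elif not verified.get(ticket, False):
            alerts.append({"agent": e["agent"], "target": e["target"], "reason": "identity not verified"})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in flag_vendor_rdp(evs) + flag_unverified_resets(evs):
        print(json.dumps(alert))
```

Run as-is, the script flags the daytime RDP logon to DC01 from an address outside the vendor's approved range and the two resets that lack a verified ticket, while the overnight logon from the approved network and the reset backed by a verified ticket pass silently. The design choice worth noting is that both rules key on context the SIEM must already hold (vendor account list, approved networks, ticket state) rather than on anything in the attacker's traffic, which is what lets a short detection time follow from preparation done before the incident.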

By taking what we’ve learned from our experience in incident response and applying it to your own organization, you can not only mitigate the threat of an attack, but also ensure that you can respond quickly and efficiently so that your organization can mitigate damage and save time and money.
