Incident Response Planning Saves Businesses Money Now & Later

Are you ready to mount an incident response?  In today’s volatile cybercrime landscape, every organization needs to be able to answer “yes”.  Surging cybercrime rates, including record-high phishing numbers, make it clear that businesses are under siege, and it only takes one attack that gets past defenses to start a company down the long and expensive road of incident response and recovery.  That is a prospect no one wants to face, and for some companies it ends in closure: a widely cited figure holds that 60% of small businesses shut down within six months of a successful cyberattack.  Making an incident response plan is essential for avoiding that kind of outcome, and it delivers budgetary benefits right now.

Overlooking This Security Secret Weapon is a Costly Mistake

An incident response plan is a low-cost, high-benefit security tool that many companies overlook, which is a serious mistake when you are looking for affordable, fast-acting security improvements.  It brings unexpected bonuses that provide real value: incident response planning helps businesses maintain stronger security now, come out of an incident with more cash, and reduce the chance of another incident in the future.  Yet 1 in 3 businesses have neglected incident response planning, missing out on the benefits that come from deciding in advance what to do when the worst happens.

It also gives IT professionals an opening to address unpleasant budgetary realities that become apparent quickly once a company is facing down a cyberattack.  The middle of an emergency is no time to figure out where the money for extra payroll hours or outside consultants will come from.  Smart businesses build money into the budget or set it aside to handle a cyberattack emergency.  Far too many do not: 83% of companies have no money in reserve for a cyberattack, and 25% of business executives still do not understand that a cyberattack costs money at all.  Laying out the budgetary impact of an incident and demonstrating the need to be financially prepared can help win the argument for putting funds in reserve before trouble arrives.


3 Smart Money Reasons Why Every Business Needs an Incident Response Plan

There are many great reasons to take advantage of the security benefits that can be gained by creating an incident response plan. Here are three big ones.

1. Reduce Incident Investigation Expenses and Incident Costs 

Creating and drilling an incident response plan correlates with a sharp reduction in the number of security incidents a business faces overall.  IBM researchers found that 39% of organizations with a formal, tested incident response plan experienced an incident, compared to 62% of those without a plan.  One caveat: the plan itself does not stop attackers, but the organizations that build and test one tend to have more mature security programs, and that maturity is what shows up in the numbers.  Every incident a company does not have to investigate is money that can be spent on other security measures, and the reduction in risk that comes from being prepared is impressive on its own.  When a company does experience an incident, the planning pays big dividends.  In the IBM/Ponemon Institute “Cost of a Data Breach Report”, researchers found that having a tested incident response plan can save around 35% of the cost of an incident.

2. Quickly Find Unnecessary Security Expenditures

No business can afford to spend money on things it does not need, especially in challenging economic times.  Working through possible attack scenarios during incident response planning, and listing the tools the company would actually need to handle each one, can uncover waste and free up much-needed funds for other security needs.  Experts estimate that many enterprises maintain 19 different security tools, with only 22% of those tools considered vital to primary security objectives.  Almost half of the security tools available to IT teams are clutter that adds unnecessary complexity and extra stress on security teams.  A plan that names which tool covers each step of a response (detection, containment, evidence collection, recovery) makes the gaps and the overlaps obvious.

3. Strengthen Compliance Across the Board

Most compliance frameworks require periodic security assessments, which dovetail nicely with the assessments companies perform when making or reviewing incident response plans.  Companies with incident response plans also keep a closer eye on compliance and data handling practices, which lets them spot and fix weaknesses efficiently.  That matters because the penalties for non-compliance can be steep.

  • For a HIPAA violation, a company could face penalties ranging from $100 to $50,000 per violation (or per record), subject to an annual cap per violation category.
  • A GDPR penalty can reach 4% of a company’s annual global revenue or 20 million euros ($22.8 million), whichever is higher.
  • A company in breach of PIPEDA requirements can be fined up to CAD $100,000 for each violation.

Non-compliance or compliance failure leads to some very hefty bills:

  • The average cost for organizations experiencing non-compliance problems is $9.4 million.
  • The average cost of compliance for an organization, including safeguards like employee security awareness training, is $3.5 million, roughly one-third of the cost of non-compliance.
  • Organizations lose an average of $4 million in revenue from a single non-compliance event.


Don’t Fail This Test

Time is of the essence when dealing with a cyberattack, and without a plan, companies are left floundering when they need to be agile.  It can take a long time just to find the problem, leaving little time on the clock to fix it before it does serious damage.  The median number of days an attacker spends inside a victim’s network before being discovered is called the median dwell time, and that number is shrinking.  Mandiant researchers report that the global median dwell time has fallen to 24 days, down from the 56 days reported the previous year.  Part of that drop reflects better detection, but part reflects the rise of ransomware, where attackers announce themselves deliberately once they have what they want.  Either way, the window between intrusion and impact is narrow, and a plan is what lets a team use it.

Businesses generally neglect planning for a cybersecurity disaster.  For the second year in a row, only 26% of respondents in the IBM Cyber Resilient Organizations Study reported that their organizations have a formal cybersecurity incident response plan applied consistently across the entire enterprise.  They are even worse at planning for incidents kicked off by specific types of attacks: only about half of that minority reported having a response plan tailored to a particular threat such as ransomware.  Where scenario-specific plans do exist, the attack types most often covered are distributed denial-of-service or DDoS (65%), malware (57%) and phishing (51%).


The Best Way to Stop Cybersecurity Incidents is to Prevent Them Altogether

Security and compliance awareness training can reduce a company’s chance of having a cybersecurity incident by up to 70%, an impressive improvement for a small investment.

Our BullPhish ID solution provides the ideal training for you and your team featuring industry-leading cybersecurity and compliance education and customizable phishing simulations that get employees up to speed quickly and affordably.

Want to learn more about security awareness training and how ET&T can help secure your company and save you money?  Fill in the form on the side of this page and we will be in touch.