What’s at stake: Why incident response matters

Some organizations are willing to take a gamble and choose not to invest in programs that don’t directly contribute to their bottom lines. But a penny-wise, pound-foolish approach to incident response easily winds up costing a company dearly after its luck runs out.

The reality of the contemporary cybersecurity landscape is that there are no safe places left to hide from cyberattackers. The threats are as many as they are diverse, and their sheer volume creates a high likelihood that attackers will penetrate a company’s defenses at some point. Consider, for example, that during a recent 12-month period AT&T logged more than 245,000 DDoS-related alerts across its global data network.

Given the extent of the threat constellation, incident response ought to be a top priority at every organization. The puzzle is that it often receives short shrift, with predictable results.

Paying the price

Half the organizations surveyed by the SANS Institute said they need two days or longer to detect cyberbreaches, while 7% were not even able to determine the length of an attacker’s dwell time.

That’s a troubling finding when you consider that the longer that attackers can freely roam around a network, the more data they can steal while inflicting more damage. Some victim companies have racked up multimillion-dollar losses after suffering severe breaches.

Against that backdrop, why is incident response overlooked? Chalk it up to human nature, but sometimes it takes a crisis to get people to focus. Once management is confronted with the magnitude of the direct and indirect costs incurred by not having an incident response plan, the topic gets pushed to the top of the corporate agenda.

Until then, the organization is left to scramble, a dollar short and a day late.

Beyond the obvious damage involved in losing valuable data, breaches exact costs in the coin of public reputation in the event that user or customer information is revealed. At the same time, organizations leave themselves open to post-breach litigation that can extend to directors and officers for failing to adequately protect sensitive data.

As the AT&T report Cybersecurity Insights notes, a mishandled breach can also result in embarrassment and even forced resignations. For instance, when cyberattackers hit a large department store chain in 2013, the CEO originally said the breach affected 40 million customers. The company subsequently revised its initial estimate several times before settling on a final tally of 70 million. The inaccurate claims fed a storyline of mismanagement — and ultimately contributed to the CEO’s resignation.

Companies that already have a well-crafted incident response plan can avoid the storm and stress by rapidly containing a breach as well as starting the task of collecting forensic evidence. Once a professional incident response team learns about the breach, they know the playbook and can deploy the tools, techniques, and organizational plans needed to tackle the problem and limit the extent of the damage.

The organization thus saves both time and money that would otherwise need to be spent on emergency recovery efforts.

“A thorough and well-understood incident response plan helps minimize the duration and impact of security events,” says Michael Klepper, the National Practice Director of AT&T Consulting’s Vulnerability Threat Team. “Like many things in life, you get out of it what you put into it.”

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.
