How an Incident Response Plan Helps Reduce the Cost of a Security Breach


Data breaches are enormously expensive. According to data from the Ponemon Institute’s 2017 Cost of Data Breach Study, organizations paid $3.62 million on average to recover from security incidents in which sensitive data was compromised. That represents a 10 percent decline from the 2016 results — the first overall decrease in the history of the global study. Nevertheless, organizations that fall victim to cyberattacks face a significant financial impact.

For the third year in a row, the Ponemon study found that having a formal incident response plan in place significantly reduced the cost of a data breach. An incident response plan greatly increases the speed at which a breach can be identified and contained, which has a direct impact on the financial consequences. On average, the cost of a data breach was nearly $1 million lower for organizations that were able to contain a data breach in fewer than 30 days compared to those that took more than 30 days.

The SANS Institute has published a guide to help organizations develop an incident response plan. The first step — preparation — is the most important. It is broken down into several components:

  • Development of policies that define a security incident and inform users of what constitutes unauthorized behavior and the penalties for such behavior.
  • Creation of a strategy and plan for handling security incidents.
  • Identification of individuals within and outside the organization who should be contacted when an incident occurs.
  • Procedures for documenting an incident to provide evidence for law enforcement and enable later evaluation for process improvement.
  • Formation of an incident response team which will likely include representatives from executive management, legal, human resources, public relations, and customer service, as well as IT.
  • Coordination of the tools and access permissions the incident response team will need to rapidly execute the strategy and plan.
  • Training for the incident response team, along with periodic drills to ensure that everyone knows how to perform their duties.

The second step in an incident response plan involves identification of an event as a security incident. This requires gathering data from log files, security systems, and other sources and correlating that data to weed out false positives and negatives. Documentation should begin immediately upon detection of an incident.

Once a potential incident has been identified, the response team will likely need to conduct an investigation to understand what type of event they are confronting. The initial investigation should be conducted as rapidly as possible and involve digital forensic experts at an early stage. Forensic experts can analyze systems in a way that preserves evidence.

Only then can the IT team begin work on the next three steps: containment of the breach to minimize damage, eradication of the malicious content, and recovery of affected systems, applications, and data. As a final step, the response team should complete the documentation and assess the incident for lessons learned.
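As an added example that is not part of the original article, the identification step above in Python: a noisy "login success after failures" signal from one log source is escalated to an incident only when a second source corroborates it, and the incident record (documentation) is opened at the moment of detection. The log formats, sample lines, addresses and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs (not real data): an SSH auth log and an egress-traffic log.
AUTH_LOG = """\
2024-05-01T10:00:01Z sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:03Z sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:05Z sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09Z sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:02:00Z sshd: Failed password for bob from 198.51.100.4
2024-05-01T10:02:30Z sshd: Accepted password for bob from 198.51.100.4
"""
EGRESS_LOG = """\
2024-05-01T10:01:10Z egress host=db01 dst=203.0.113.7:4444 bytes=52428800
2024-05-01T10:03:00Z egress host=ws12 dst=198.51.100.4:443 bytes=2048
"""
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
EGRESS_RE = re.compile(r"^(\S+) egress host=(\S+) dst=([\d.]+):\d+ bytes=(\d+)$")

def correlate(auth_text, egress_text, min_bytes=10 * 1024 * 1024):
    """Correlate two sources. A successful login preceded by failures is only a
    candidate; it becomes an incident when the egress log shows a large transfer
    to the same address, otherwise it is recorded as a false positive. Returns a
    dict keyed by source IP whose values are incident records opened at detection."""
    big_egress = defaultdict(list)
    for line in egress_text.splitlines():
        m = EGRESS_RE.match(line)
        if m and int(m.group(4)) >= min_bytes:
            big_egress[m.group(3)].append(line)
    failures, records = defaultdict(list), {}
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip].append(line)
        elif failures[ip]:  # success after failures: candidate, not yet an incident
            corroboration = big_egress.get(ip, [])
            records[ip] = {
                "opened_at": datetime.now(timezone.utc).isoformat(),  # documentation starts now
                "detected_at": ts,
                "user": user,
                "verdict": "incident" if corroboration else "false_positive",
                "evidence": failures[ip] + [line] + corroboration,  # preserved raw lines
            }
            failures[ip] = []
    return records
```

Each record keeps the raw lines that justified the verdict, so the evidence trail exists from the first minute of the incident rather than being reconstructed later.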
