28 Feb, 2024

Incident Preparedness is Cheaper than Incident Response

Category: Education | Insight | Security Incident Handling
Graphic of a scale with circles on each side of scale, the heavier side text reading incident response and the other reading incident preparedness over a back ground with money bags with crypto symbols on the bags

Getting ahead of security incidents with planning and practice is a perfect example of an ounce of prevention being worth a pound of cure. The worst security incidents – those resulting in the greatest financial and brand damage, the longest and most expensive recovery time, the most costly and distracting lawsuits and regulatory actions, the most embarrassing public relations fiascos – happen when they occur at companies that haven’t created and tested a comprehensive incident response plan.  

The Cost of Incident Preparedness 

Whether you do it yourself or bring in help, security incident preparedness takes investment. The right Core Incident Response Team members must be assembled, then given support, time and resources.  

They must be supported by cross-department incident response policies and procedures that have been created holistically, to support effective cooperation in a real-life security incident scenario.  

Your organization will need time to create or update policies and procedures, and to ensure your Security Incident Runbook supports your policies and procedures. 

And you will need to regularly run thorough and realistic drills on every aspect of security IR to ensure your team will be efficient and effective when they’re called upon to put the plan into play.  

The Cost of Incident Response 

Incident response is always – always – less expensive when the organization has properly invested in security incident preparedness. The reason is obvious: the time to decide who does what and what is where is not in the middle of learning that your primary customer data store – the one containing all the personally identifiable customer data – has been breached and criminals are downloading your secrets. 

Although any security incident will result in lost time and lost money, an incident that is handled properly can actually increase stakeholder confidence in the firm and improve your public reputation.  

Conversely, when an unprepared company is hacked or hit with another information security incident or a physical security event, the costs can be catastrophic. Being caught on the back foot means that any incident response is likely to happen more slowly and less efficiently than necessary.  

A slow response often means greater breach damage. And in addition to the costs and lost time in scrambling to respond to an incident for which you are not prepared, the increased time it takes to mount the response and take effective action certainly will mean increases in lost revenues, and the greater likelihood of irreversible damage.  

Any, or often all of these effects threaten to ripple into the kind of reputation damage and shareholder and stakeholder grievance that leads to consequences for the person or people perceived to have dropped the ball. They can be significantly damaging to the company.  

A Real-World Example 

If the hypothetical costs of a poorly managed security incident aren’t compelling, consider the $148 million Uber paid to settle claims relating to the company’s cover-up of their 2016 data breach. In 2022, Joseph Sullivan, former Chief Security Officer of Uber, was convicted by a federal jury of “obstruction of proceedings of the FTC and misprision of felony” in connection with this attempted cover-up. IBM’s Cost of a Data Breach Report 2023 found, “The global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years.”  

Although Uber’s 2016 incident might represent the higher end of the potential costs, $4.45 million isn’t insignificant money for most companies.  

Deciding to commit to incident preparation isn’t exactly fun. There are good analogies to life here, like making funeral preparations, writing a will, taking out fire or flood insurance. And the analogy holds: as with those things, those of us who do prepare just have an easier time of it than those who wait until the crisis is upon us.

In fact, we would go so far as to say that “crisis” is what you’re dealing with when you haven’t prepared for a security event. If you have prepared, it’s an incident. And you know how to respond. If you aren’t sure how to start, Evertas can help



Related Articles