Great Bay Software Blog

Incident Response: What’s Your ROI?

Written by Great Bay Software on December 15, 2017


The price of a data breach has reached an all-time high, with an average cost of $7.35 million. And this price tag directly correlates to the time it takes to detect and respond to the incident. In fact, the correlation is so strong that a fast and effective response workflow can potentially save an organization millions, if not billions, of dollars in the long run. In order to better understand how to increase incident detection and ultimately speed response, let’s take a look at some of the biggest drivers contributing to slow response times and their financial implications.


One of the drivers is simply that there are more security alerts to investigate. According to Nokia, “only 30% of [security] incidents get investigated. Of that, 70% are false positives. As a result, 54% of incidents that should get investigated don’t, and the people working on that spend 54% of their time trying to do detections.”


There’s also a pure lack of skilled security experts. Every year in the US alone, there are 40,000 jobs for information security analysts that go unfilled, and according to ISACA, there will be a global shortage of 2 million cybersecurity professionals by 2019. Furthermore, security teams simply have too much data to sift through, and disparate security solutions make it difficult for teams to detect and evaluate real incidents. An Intel study found that enterprise security practitioners are plagued by ‘incident alert overload’. Of 400 survey respondents, 67% experienced an increase in data breach events, and a whopping 93% reported they were unable to triage every potential threat due to what are typically ad hoc and reactive security operations.


Additionally, the influx of IoT devices in the enterprise is adding to these challenges. As more IoT systems, devices and other objects become connected, potential entry points multiply and data breaches are on the rise. And the deployment of disparate security systems such as anti-malware, IPS and firewalls makes incident alerting, analysis and response workflows time-consuming and resource-intensive.


There’s No Grading on the Curve

Ponemon Institute’s 2017 Cost of Data Breach Study shows that faster identification and containment means lower recovery costs. However, enterprise cybersecurity systems are behind the curve. On average, organizations take 191 days to identify and 66 days to contain a security incident. According to the study findings, data breaches cost companies an average of $225 per compromised record. Breaking this down, $146 pertains to indirect costs, such as loss of customers, and $79 represents the direct costs incurred to resolve the data breach, such as legal fees and new technology investments. Take a look at the Gemalto Breach Level Index for some alarming statistics. The index provides a long list of companies and industries that have experienced the theft of tens of millions of records.


Ponemon also reports that organizations use MTTI (mean time to identify) and MTTC (mean time to contain) metrics to determine the effectiveness of their incident identification and containment processes. The survey metrics reinforce the value of having an incident response plan in place. The study shows that when MTTI is less than 100 days, the average cost to identify a data breach was $5.99 million. When the MTTI is greater than 100 days, the average cost jumps to $8.70 million, a whopping increase of 45%! And if the time it takes to contain the breach was less than 30 days, the cost was $5.87 million, compared to $8.83 million for containment within 30 days.


Preventative Measures

Like the proverbial closing of the door after the cows get out, it takes a substantial data breach for most organizations to invest in risk reduction and response planning. According to Ponemon, post-breach spending such as incident response plans, extensive use of encryption, BCM (business continuity management) involvement, training and data loss prevention technologies delivers the highest ROI.


They report that the top three post-breach activities being implemented this year are 1) training, 2) endpoint security solutions and 3) expanded encryption. In fact, since 2010, investments in endpoint security have seen the most significant increase, which really isn’t surprising given the huge growth of connected IoT devices, especially in the healthcare, financial services and manufacturing sectors, where traditional security methods are not always effective at enabling the detection of security incidents.


This is due to the fact that many IoT devices lack basic security protocols, making them an easy entry point for external threats. Additionally, InfoSec teams don’t always have visibility into these devices as they connect to the network, meaning they remain unmanaged and cannot adhere to the same detection and remediation policies that managed devices do. Thus, these IoT devices create blind spots and open the network to attack. The ability to discover in real time and know with 100% certainty what’s on the network becomes critical in helping to increase incident alerts and ultimately reduce response times.


Know (and Reduce) Your Risk

To better understand the potential costs to your organization from a breach, check out Ponemon’s risk calculator. And if your organization has not yet put an incident response plan in place, or if you’re simply looking to optimize an existing workflow, now is a good time to do so. The NIST Computer Security Incident Guidelines offer a great starting point. While it’s not targeted specifically to IoT devices, the NIST Publication 800 is written for a technical audience and outlines “every security activity that would help the engineers make a more trustworthy system.” Then, rest easy knowing how much you’re saving your organization simply by speeding incident response times.


To learn more about how you can gain 100% visibility into the devices on your network, remove “blind spots” and mitigate future risk, check out the on-demand webinar, What’s on your Network?