But plans rarely survive first contact with the enemy. That is why it’s important to stress test your incident response plan to identify weaknesses while time is on your side.
Studies show that a swift response to a security incident retains customer trust—and saves costs. Breaches contained within 30 days of discovery cost an average of $2.7 million, according to the Ponemon Institute. If it takes more than 30 days to contain the breach, the average cost increases to $3.6 million.
But speed can’t be mandated by the plan. For this reason, plans should be stress-tested on a semi-annual or annual basis, as if you were experiencing an active data breach.
You’re more likely to encounter ransomware via a phishing email than a dedicated nation-state penetrating your firewall. As such, focus your stress test on the scenarios that are most likely and threaten the worst potential consequences.
By the time you work your way down to less-likely and less-costly threats, you’ll already have covered the common elements of your response. Knowing how to adapt your plan to a specific threat is an expertise unto itself; one that won’t emerge naturally in the planning phase.
By the time Target alerted its customers about its historic breach in December 2013, several days already had passed. The delay impacted consumer faith and the retailer’s bottom line, and was a consequence of Target’s leadership treating the breach as a purely technical issue.
Nontechnical staff, such as legal, public relations and human resources, should participate in stress-test activities, too. Try to strike a balance between internal staff, who may be more familiar with the company, and external specialists, who have expertise and can take on extra work.
The true benefit of a stress test is the analysis following the experience. The whole point is to make improvements to your plan by responding to what went wrong and reinforcing what went right.
Your breach response plan should include time for the incident response team to reflect and discuss the exercise. Additionally, ensure that any of the team’s recommendations are reviewed and implemented within a specified timeframe.
The benefits of organizing and testing your incident response plan could far outweigh the costs. Factor in the peace of mind your C-suite and response team will gain when they feel confident in their plan, and we believe you’ll arrive at a compelling argument to place stress tests near the top of your to-do list.
For more information on Commercial Breach Readiness services or a free initial Breach Risk Consultation, contact FreedomID @ (888) 820-5959.
Article contributed by Eric Hodges, Third Certainty, Inc