GUEST ESSAY: The importance of establishing a robust data breach response plan

By Eric Hodge

Many savvy organizations are investing time and thought into data breach response plans.

But plans rarely survive first contact with the enemy. That is why it’s important to stress test your incident response plan to identify weaknesses while time is on your side.


Studies show that a swift response to a security incident retains customer trust—and saves costs. Breaches contained within 30 days of discovery cost an average of £2.15m ($2.7 million), according to the Ponemon Institute. If it takes more than 30 days to contain the breach, the average cost increases to £2.89m ($3.6 million).

But speed can’t be mandated by the plan. For this reason, plans should be stress-tested on a semi-annual or annual basis, as if you were experiencing an active data breach.

Focus on most likely scenarios

You’re more likely to encounter ransomware via a phishing email than a dedicated nation-state penetrating your firewall. As such, focus your stress test on the scenarios that are most likely and threaten the worst potential consequences.

By the time you work your way down to less-likely and less-costly threats, you’ll already have covered the common elements of your response. Knowing how to adapt your plan to a specific threat is an expertise unto itself, one that won’t emerge naturally in the planning phase.

Make it more than a technical exercise

By the time Target alerted its customers about its historic breach in December 2013, several days already had passed. The delay impacted consumer faith and the retailer’s bottom line, and was a consequence of Target’s leadership treating the breach as a purely technical issue.

Nontechnical staff, such as legal, public relations and human resources, should participate in stress-test activities, too. Try to strike a balance between internal staff, who may be more familiar with the company, and external specialists, who have expertise and can take on extra work.

Apply lessons learned

The true benefit of a stress test is the analysis following the experience. The whole point is to make improvements to your plan by responding to what went wrong and reinforcing what went right.

Your breach response plan should include time for the incident response team to reflect and discuss the exercise. Additionally, ensure that any of the team’s recommendations are reviewed and implemented within a specified timeframe.

The benefits of organizing and testing your incident response plan could far outweigh the costs. Factor in the peace of mind your C-suite and response team will gain when they feel confident in their plan, and we believe you’ll arrive at a compelling argument to place stress tests near the top of your to-do list.

This article also appeared in Eric Hodge is the director of consulting at CyberScout, formerly IDT911.
