We have just published our 2019 Scalar Security Study, providing data on The Cyber Resilience of Canadian Organizations, and one of the biggest takeaways centers on how organizations recover after a security breach. There appears to be a gap between how an organization expects to recover from an attack and the recovery plans required to meet those expectations. While optimism can certainly be a good thing for an organization’s morale following a security incident, it can also hurt efforts to return to a trusted state if there isn’t a solid incident recovery plan in place.
Optimistic expectations need to partner with regularly updated response plans
Approximately 25% of our survey respondents, made up of IT security and risk & compliance professionals, said that their organizations had a fully documented incident response plan that is regularly updated. This number is down from 32% in 2018, which may indicate that plans that were freshly updated last year are not being maintained the way they need to be.
Comparatively, 67% expected to fully recover critical processes back to a trusted state and normal operations less than 2 hours after a security breach. In smaller organizations, even more (76%) expected these quick results. Unfortunately, we’ve seen that there’s a direct correlation between the quality of updated incident response plans and the ability to get critical processes back up and running quickly: the recovery expectations far outpace the plans in place. There’s clearly a gap here.
What prompts an organization to update its incident response plan
Of the organizations that have incident response plans (9.6% still have no plan), updates do take place, but they are often tied to a specific event. For smaller organizations, the majority of updates happen because of changes to industry standards or government legislation. That is understandable given limited budgets, but considering the cost of a security breach ($4.8-5.8 million per organization, on average), this is one area that really can’t afford to be neglected. Enterprise-level organizations update more often, but just over half (58%) conduct periodic reviews every year. Other top reasons include mergers or acquisitions, adoption of new technologies, or a security incident.
These are all excellent reasons to update an incident response plan, but even among these top reasons, less than 40% of organizations are completing these updates. We actually recommend that incident response plan updates happen when any of the following triggers occur.
Triggers for updating your incident response plan
- Adopting new technology
- Internal changes to the organization
- Mergers or acquisitions
- Reports of new threats or discovery of breaches by security researchers
- Breaches reported in the news
- A security incident at your organization
- Changes to industry standards
- Changes to government legislation
- Outcomes from tabletop exercises
- Periodic reviews (annual)
If your organization experienced a security breach in the last year (respondents averaged 12.5 breaches per organization), you’ll know that the middle of a breach is not the moment you want to discover that your incident response plan needs to be updated. We are seeing the costs associated with responding to, and recovering from, cybersecurity incidents going up ($3.7 million last year and $4.8-5.8 million this year), and most of these costs stem from slow detection and response as well as deficiencies in planning. The time organizations take to recover is only getting longer, which is driving costs up.
Incident response documentation cuts downtime and saves money
60% of the organizations we surveyed have processes for data breach response in place but have either incomplete or no documentation. Even so, organizations that follow fundamental cyber resilience practices spend an average of 4.4 fewer staff work days per year recovering from breaches (16.1 days compared to 20.5 days). For organizations with robust incident response plans, those days can be fewer still, and the return to a trusted state can be even quicker.
There’s an opportunity to improve
It’s easy, and understandable, to look at the results from a security study and see just how vulnerable organizations are and how much money is at stake, but you can also come to a different conclusion: there are ways to improve. IT security isn’t an incurable disease; there are ways to prepare your organization for attacks and for recovery if a breach should occur. The more you know, the more you can prepare for.
We define an incident response plan as a blueprint for responding to exfiltration, infiltration, and DoS cybersecurity attacks that encompasses roles and responsibilities, assessment of incidents, how the plan relates to other organizational policies and procedures, and any applicable reporting requirements. It covers people, processes, and technology. It also pays attention to notable blind spots we discovered in our survey, such as data flows, government legislation, responsibilities in cloud environments, and exposure to insider threats from employees and contractors. Thorough and regularly updated documentation can decrease the time an organization needs to recover from a breach and return to a normal and trusted state.