3 Bottom-Line Reasons Why Every Business Should Have an Incident Response Plan - Tecbound Technology

Are you ready to mount an incident response? In today’s volatile cybercrime landscape, every organization needs to be able to answer “yes”. Surging cybercrime rates, including record-high phishing numbers, make it clear that businesses are under siege. It only takes one attack that penetrates security to start a company down the long road to an expensive incident response and recovery process. That’s a prospect that no one wants to face. It’s also a slippery slope that often ends with a company going under. Falling victim to a cyberattack can put an organization out of business fast – 60% of companies shutter within 6 months of a successful cyberattack against them. Making an incident response plan is essential to prevent that kind of grim result, and it brings some budgetary benefits as well.

An incident response plan is a low-cost, high-benefit security secret weapon that many companies overlook, and that’s a huge mistake when you’re looking for ways to make affordable and fast-acting security improvements. It brings unexpected bonuses to the table that provide great value. Incident response planning empowers businesses to maintain stronger security now, come out of an incident with more cash, and prevent another incident in the future. However, 1 in 3 businesses have neglected incident response planning, and they’re missing out on some pretty awesome security benefits that come from taking the time to plan for what to do when the worst happens.

Incident response planning also gives IT professionals a golden opportunity to address unpleasant budgetary realities that quickly become apparent when a company is facing a cyberattack. An emergency isn’t a great time to figure out where you’re going to find money to pay for things like extra payroll hours or outside consultants. Smart businesses have money built into the budget or set aside to handle a cyberattack emergency. However, far too many businesses do not – 83% of companies do not have money in reserve for a cyberattack, and 25% of business executives still don’t understand that a cyberattack costs money at all. Laying out the budgetary impact of an incident and demonstrating the need to be financially prepared can help win the argument for putting funds in reserve in case of trouble.

There are many great reasons to take advantage of the security benefits that can be gained by creating an incident response plan. Here are three big ones.

1. Reduce Incident Investigation Expenses and Incident Costs
Just creating and drilling an incident response plan can provide a sharp reduction in the number of security incidents that a prepared business faces overall. IBM researchers determined that 39% of organizations with a formal, tested incident response plan experienced an incident, compared to 62% of those who didn’t have a plan. Every incident a company doesn’t have to investigate is a chunk of change that can be better spent on other security measures. It’s also an impressive reduction in risk just from being prepared. When a company does experience an incident, incident response planning pays big dividends. In IBM/Ponemon Institute’s “Cost of a Data Breach Report”, researchers determined that having a tested incident response plan can save 35% of the cost of an incident.

2. Quickly Find Unnecessary Security Expenditures
No business can afford to spend money on things that it doesn’t need, especially in challenging economic times like these. During incident response planning, considering possible cyberattack scenarios and the tools that the company would need to handle them can uncover areas of waste and shake out much-needed funds to be diverted to other security needs. Experts estimate that many enterprises maintain 19 different security tools, with only 22% of such tools serving as vital to primary security objectives. Almost half of the security tools that are available to IT teams are just clutter that adds unnecessary complexity, creating extra stress on security teams.

3. Strengthen Compliance Across the Board

Most compliance requirements include a requirement to perform security assessments. That dovetails nicely with the assessments that companies perform when making or reviewing incident response plans. Companies with incident response plans also have a better eye on compliance and data handling practices, which enables them to spot and fix vulnerabilities efficiently. That’s good news because the penalties for non-compliance can be steep.

Non-compliance or compliance failure leads to some very hefty bills:

  • The average cost of a violation for organizations experiencing non-compliance problems is $9.4 million.
  • The average cost of compliance for an organization, including safeguards like employee security awareness training, is $3.5 million — about one-third of the penalty for non-compliance.
  • Organizations lose an average of $4 million in revenue due to a single non-compliance event.

Source: ID Agent
