Why incident response is not limited to IT security matters

Almost half (46%) of enterprises worldwide experienced at least one data breach in 2018, with victims including such well-known names as Marriott International and British Airways. That means there is a high chance for any enterprise to fall victim to an incident. With this in mind, companies are focusing not only on preventing breaches, but also preparing the methods to limit the impact when it happens.

This may require a combination of buying additional security solutions, which help to detect an attack at an early stage, hiring new incident responders or training the existing team to react to an incident more efficiently. However, is your job really done after you identify the root cause of the breach and resolve technical issues? To answer this, let’s look at how data breaches affect an enterprise from a financial point of view.

IT damage costs are just the tip of the iceberg
The financial damage of data breaches cost organizations an average of $1.23 million in 2018. A tenth ($131k) of this sum is related to lost business, which can be caused by downtime in business operations. Nonetheless, when your IT and IT security teams bring all the processes and systems back on track, it does not guarantee that the business will prosper as it did before the incident.

A survey revealed that 83% of American consumers and about a half of British (44%), Australian (43%) and Canadian (58%) ones will stop spending with a business for several months if they know that it experienced a data breach. Moreover, some of them claim that they will never shop again with such brands. Besides, your incident will spread via word of mouth, as proven by 85% of customers saying they will tell others if their personal information is stolen as a result of a data breach. This suggests that consumers are now more concerned about the safety and privacy of their data.

Given how much data breaches affect customer loyalty, it comes as no surprise that companies typically had to spend 11% ($132k) of the average breach-related cost on additional PR activities aimed to mitigate negative perception after the attack.

How to stop a cyber incident becoming a PR disaster
The aftermath of a data breach goes beyond IT security, making the response to it a business-wide matter. This idea is widely accepted among cybersecurity professionals. In our survey of more than 300 CISOs worldwide, almost all agree (97%, and 47% agree strongly) that they have participants from all key departments including IT, legal, HR, customer support, sales, and corporate communications departments, when responding to a security incident.

Despite IT security leaders understanding the importance of cooperation across different departments when responding to an incident, companies still fail to deliver an adequate response. It often happens because companies don’t know how to specifically handle crisis communication related to the IT security incident.

The key to effective crisis management is to be prepared. That way, companies should know how to communicate the dangerous situation they are likely to face because of their business risks – be it a product recall for a manufacturing company or environmental damage caused by a mining organization. As the statistics imply, cybersecurity incidents should be also included in this. However, a single plan to address any cybersecurity issue will not work.

The possible impact on a company’s reputation depends on what kind of incident it experienced – whether it was APT, which allowed cybercriminals to spy on its activities, or ransomware, which paralyzed the business. Instead, a crisis communication plan should take into account the company’s threat model and cover the likeliest scenarios.

By Alexander Moiseev, Chief Business Officer, Kaspersky