3 Ways Your Incident Response Exercises are Failing You

Shore up your incident response exercises with these tips and save $3M+ per incident

The average cost of a single data breach continues to climb, reaching $4.35M globally and $9.44M in the United States in 2022. For a single incident, that’s costly. For the multiple incidents that most organizations experience, it can be downright devastating.

But what if one simple change could save your business upwards of $3M per incident?

We All Know the Value of Incident Response Exercises

Incident response exercises are nothing new. We all know the reasons why they’re so important… preparation, coordination, assignment of responsibility, and the list goes on.

Ultimately, these exercises help strengthen resilience in the face of cyberattacks and support better business continuity. As Teneo puts it, resilience is now a competitive necessity. Risks can come in any number of unexpected ways (and at any time), and the ability to respond effectively during these times of surprise can make or break the future of a company.

Taking a page from military training, tabletop exercises for incident response help promote readiness and maintain compliance during these unexpected situations. This line of thinking has been ingrained in security professionals for years.

But the traditional approach to tabletop exercises doesn’t cut it anymore.

And Those Exercises Typically Look Something Like This

In most organizations, incident response exercises focus on the security aspects of the given scenario. 

This “block and tackle” approach covers investigation, containment, eradication, remediation, and recovery for the threat at hand. The goal is to instill readiness in the team so they know what steps to take when an actual threat emerges.

After you finish, your team might gather to do a debrief to talk about what happened, capture lessons learned, and identify how you can improve going forward.

All of this matters, a lot. A regularly tested incident response team and plan saves on average $2.66M per incident.

But it turns out there are more areas in which you need to prepare your team for proper incident management – and more savings to be found as a result.

Most Incident Response Exercises Skip These 3 Critical Steps

Any tabletop exercise is certainly better than nothing at all when it comes to preparing your team for incident management. However, reaching peak readiness and confirming your team can maintain compliance to ensure resilience in the face of the unexpected requires the right practice.

Unfortunately, most organizations today miss three critical steps when conducting incident response exercises. This can leave teams floundering, despite the best efforts.

With that in mind, here are the three ways your incident response exercises might be failing you:

1) You only test the security aspects of incidents

The issue: According to the Ponemon Institute, the legal aspects of a breach now account for 70% of the cost of an incident, rather than the mere 30% attributed to security. But most teams only prepare and practice for the security aspects of an incident, creating significant risk for fines, lawsuits, and customer churn.

How to correct it: It’s essential to bring a focus on legal, privacy, and communications to all tabletop exercises. This phase of the exercise should walk team members through important considerations like: 

  • What regulations will apply in any given scenario 
  • What notifications need to be issued to customers, suppliers, partners, etc., and when those notifications need to go out
  • How the company’s cyber insurance policy factors into the response
  • How to collaborate without losing or waiving attorney-client privilege
  • When to notify law enforcement

All of these elements are extremely nuanced, making them important for team members to understand ahead of time. Additionally, these parts of incident management involve significant back and forth to maintain compliance at every step of the way, so taking the time proactively to help everyone understand who’s responsible for what and how to best reach those people in a crisis can go a long way.

2) Your exercises don’t include executives

The issue: When the real world strikes and your team needs to go into incident response mode, everyone needs to make quick, effective decisions. That’s the whole purpose of tabletop exercises, but many teams fail to include everyone that needs to be involved in the response. For example, executives’ busy schedules often get them excused from these sessions, but that leaves them unprepared to make effective decisions.

How to correct it: Plain and simple, all executives – and everyone who will participate in incident response for that matter – need to be a part of tabletop incident management exercises. This typically includes members of security, privacy, legal, IT, and communications teams, plus any other key decision-makers for your company.

Ultimately, you can’t let busy schedules be an excuse for unpreparedness when a crisis hits. You need everyone who will play a role in the response in the room for exercises. What you can do is minimize time spent on the exercises by having participants fill out questionnaires in advance.

Beyond just including executives in these exercises (which is certainly a big step in the right direction), it can also prove beneficial to have an expert third party lead the initiatives. As one author on Security Boulevard puts it: “a trusted cybersecurity partner will have an honest and objective view of a business and can provide the greatest challenge for information security teams,” plus they “can also give an unbiased assessment of a company’s current cybersecurity defenses, readiness, and resilience.” And according to one CISO who recently took this approach, his executive team participated and took the findings better from an external party.

3) You’re not teaching your teams how to protect legal privilege during an incident

The issue: Several recent court cases have led to changes in how privilege should be handled. For example, you can no longer just include a phrase like “Attorney-Client Privilege” or copy your lawyer on your messages. If the system you use for incident response is also used for other business purposes, privilege is at risk. Furthermore, there are important differences in the definitions of “events,” “incidents,” and “breaches,” and legal needs to be involved to help with this classification.

How to correct it: At the highest level, it’s important to make clear to everyone involved that simply having an attorney copied or involved in a process does not offer the protection of legal privilege. Having conversations outside of a formal process does not offer that guarantee, either.

Instead, privilege is about proving that actions taken were directed by a legal team and that the activity between these teams extends beyond routine business activities. Reaching this point requires proper training so that your team knows how to maximally protect legal privilege, especially when they need to react quickly during incident management.

Reduce Costs and Recover Faster with Stronger Incident Response Exercises

The value of tabletop exercises for incident response is clear: this work can help improve readiness, ensure compliance, and the list goes on. Ultimately, they aim to maximize resilience in the face of an incident.

And when done well, they do just that by allowing teams to reduce costs and recover faster.

Unfortunately, many teams – even those with the best intentions – aren’t getting everything they need to achieve these types of results from their incident response exercises. But it’s not too late to make a change.

Is your company fully prepared? Learn more about what it takes and how partnering with BreachRx can help you reduce costs and recover faster.
