Incident Response Statistics: How Do You Compare?

FRSecure
7 min read · Aug 26, 2022


Have you ever wondered how your incident response preparations stack up to other organizations? The FRSecure team has been gathering data from our Cybersecurity Incident Response Team (CSIRT) engagements for more than 18 months, and we’ve taken the time to boil this data down into some key statistics about the overall state of incident preparedness and security industry trends. The data we’ve collected and analyzed is broken down into three key categories: incident preparedness, data backups, and log retention.

Incident Preparedness

According to IBM, companies take 197 days to identify a breach and 69 days to contain one on average.

This delay between infection, detection, and containment can cost businesses millions of dollars. Companies that can contain a breach in less than 30 days, on the other hand, save more than $1M compared to those who are closer to the average response time.

It’s a well-known statistic in our industry, and one we’ve discussed before, but it helps illustrate the importance of having and implementing basic security measures as soon as possible. Things like an established incident response plan, multi-factor authentication, log monitoring and retention, and good data backup habits are crucial for achieving a faster detection and recovery time than the industry average.

So, as we’ve established, the ability to detect an intruder and respond to an incident is critical to information security, but how does your security program stack up? To identify trends in the security practices of different companies, we’ve anonymized, compiled, and analyzed the data from hundreds of engagements and have identified some patterns.

Incident Response Plans, MSPs, and Cyber Insurance

A crucial part of being able to respond efficiently to a cyber incident is having an effective Incident Response Plan in place. Through extensive casework, we have identified one commonality among organizations that have a tested Incident Response Plan in place — they are able to recover more quickly and, in many cases, minimize the damage done more effectively than companies without a plan of any kind.

  • 45% of companies have an incident response plan in place.
  • 79% of companies have cyber insurance policies.
  • 88% of companies with incident response plans also have cyber insurance.
  • 37% of companies have a managed service provider.

One trend we noticed in our data was that companies who have an incident response plan in place almost always have cyber insurance policies as well. This suggests that those who have adopted a response plan are not relying on a single failsafe if something were to go wrong, which we’re excited to see.

Another thing to keep in mind is the specific insurance policy your organization invests in. Not all insurance policies are created equal, so we encourage you to take a look at our blog on how to navigate the world of cyber insurance for more information on the subject.

What we’re not quite as excited about is that only 45% of the companies polled had an incident response plan in place. The fact that 79% of companies have insurance — while less than half have incident response plans — is alarming. This leads us to believe that companies are assuming their insurer will act as their incident response plan in a security event. This is NOT the case.

Regardless of insurance coverage, every organization should have an incident response plan in place and test that plan on a regular basis.

Company Size

As far as how these numbers differ between different sizes of companies, we found that practices stay relatively similar. Although the numbers reveal a critical lack of incident preparedness across the board, we found that smaller businesses are scoring very similarly to their larger counterparts. This means that there is not necessarily a correlation between company size and incident readiness.

Companies with 100 employees or less

  • 40% of companies with 100 employees or less have an IR plan in place.
  • 75% of companies with 100 employees or less have a cyber insurance policy.

Companies with 100–500 employees

  • 54% of companies with 100–500 employees have an IR plan in place.
  • 85% of companies with 100–500 employees have a cyber insurance policy.

Companies with greater than 500 employees

  • 38% of companies with 500+ employees have an IR plan in place.
  • 76% of companies with 500+ employees have a cyber insurance policy.

Data Backups and System Inventory

We were excited to see that only 4% of companies polled were not backing up their data. That means the majority — 96% of respondents — were actively backing up their information. How often backups are made and how they are stored do vary a bit from one organization to the next, though.

The most common data backup cadence observed in our data was daily at 43%, with weekly backups coming in second. This is encouraging as it indicates companies recognize the need for their backups to be as recent as possible.

The recommended cadence and retention will vary for each business, but that decision should be made by answering one question: how much data can we lose without impacting business operations?

Another positive statistic to report is that 70% of companies report maintaining an up-to-date system inventory. This is a critical piece of information when responding to an incident. As the old saying goes, you can’t secure what you don’t know you have. While there is room for improvement with 30% failing to maintain an inventory adequately, we are happy to see the majority of respondents have this in place.

Room for Improvement

One improvement we would like to see industry-wide is where and how these data backups are being stored.

Just 22% of companies have an air-gapped backup solution. A proper air-gapped backup solution prevents network access to your stored data. Offline tape, disk, or other media will suffice here.

Air-gapped backups are crucial because they help ensure you retain access to your data, and the ability to restore it, in the event of a critical incident.

In many ransomware cases that FRSecure has worked on, network-connected backups are destroyed before the ransom payload is deployed. This both significantly increases the time to recovery and reduces the chance of a full recovery. Clients are often forced to enter a ransom negotiation or accept significant data loss in situations involving network-connected backups.

Log Retention Statistics

We’ve discussed business data backups, but what about log retention? Log retention and monitoring are critical components of incident identification and response, not to mention the benefit these logs provide to administrators troubleshooting system, network, application, and domain problems.

Unfortunately, our findings are not very positive. The majority of organizations are not properly logging and retaining information. 65% of respondents are not storing logs or are storing them for less than 30 days.

Consider the statistic in the opening of this article — the average time to detect a breach is 197 days. If you are storing logs for the short term only, by the time you discover the possible incident there is a significant chance the log data you need to respond properly no longer exists. This can be crippling in incident response.

Storage space is a cheap investment to ensure you are adequately retaining logs long-term and have the ability to properly investigate and respond to any incident.

Key Takeaways

Only 45% of companies have an Incident Response plan in place.

Let’s change that statistic! Develop an incident response plan for your organization, but know that having a plan is not enough! A dusty plan on someone’s shelf is of no benefit to your organization. That plan should be tested on a regular cadence to ensure it works for your organization — and that all involved parties are aware of their responsibilities!

Only 22% of companies have an air-gapped backup solution.

This is simply not acceptable. We know the tactics, techniques, and procedures deployed by ransomware actors all too well by now. They destroy backups as part of the kill chain, which cripples your ability to recover without negotiation.

Get your backups offline, stop negotiating with threat actors, and protect your business and your clients’ data!

65% of organizations do not log at all or they store logs for less than 30 days.

This has to change! Our industry average time to detect is too long to believe that this cadence of log storage is sufficient. Having critical log data available can be the difference between the true eradication of an adversary in your environment and a half-baked attempt that results in continued security incidents.

Storage is cheap and we recommend investing in enough to have a significant stash of log data.

Closing Thoughts

The ability to quickly identify and respond to a potential incident is one of the most important pieces of any information security program. Proactively preparing for security incidents is the best way to minimize the damage if your organization experiences one.

Seeing how your current security program compares to other programs out there is a great way to understand what parts of your infrastructure might need some attention.

Please feel free to share any of the statistics we covered in this breakdown. We’ve gathered all of our findings below for you to glance through once more in case you’d like a review.

If you need assistance with any of the above, or your security program in general, please don’t hesitate to drop us a line. We are always happy to help in any way that we can.

Written by FRSecure

FRSecure is a full-service information security consultancy based in Minneapolis, MN. We’re on a mission to fix a broken security industry.