Preparing for the inevitable

In this section:

62% of organizations acknowledged they were breached in 2015 alone.4

Only 16% of passive companies have a strong incident response plan in place.5

Bottom line: The inevitability of a cyberbreach, and its potential impact on your business, requires an up-to-date, effective incident response program.

Breaches often occur under the most mundane of circumstances. A trusted employee stops by a restaurant after work and while he dines, his work laptop is stolen from his car. Now imagine the possible result: the organization is brought to a complete stop after the thieves access the laptop, steal passwords, and access the business's IT systems.

In this scenario, the first hint of an issue doesn’t come until the company’s servers go down, with employees unable to access any files or emails. The short-staffed IT team is slow to react, and by the time external forensic specialists are called in to help minimize the damage, it’s already too late. Critical data is lost, records have been stolen, and the business is unable to function. The cost of one vulnerable laptop to the organization quickly escalates to hundreds of thousands of dollars as the organization moves to repair systems and plug security vulnerabilities.

This story is increasingly possible as hackers up their game and organizations struggle to keep up. For example, in the public sector, nearly three-quarters of state legislators and staff believe their state's level of cyberrisk is moderate to high, according to an AT&T/National Cybersecurity Alliance study. Despite the risk, 80% of respondents don't know if their state has an emergency plan in place to respond to a breach.6

The lesson from this hypothetical company's painful story is not just that a breach took place. No, the lesson here is that they were completely unprepared to quickly address the breach — because they lacked a clear plan to respond.

The importance of incident response

The ongoing digitization of business operations and data is helping companies to become more flexible, responsive, and innovative. But digital transformation is also increasing the vulnerability of sensitive data and systems to cyberattacks.

AT&T logged over 245,000 DDoS alerts over a recent 12-month period

The threats are numerous and diverse. Many, such as DDoS attacks, have been around for years but have begun to scale as the methods and tools become available to the masses. Over one recent 12-month period, for example, AT&T logged more than 245,000 DDoS-related alerts across its global data network.

Other threats, such as emerging strains of ransomware, are more recent – and potentially more damaging (see "What happens if your data is held hostage?").

Know the term:

Ransomware

A type of malware that restricts access to data and demands that a payment be made to the attacker to restore access.

More business and IT leaders are accepting the grim reality that one of these attacks will be successful. Sixty-two percent of cybersecurity professionals believe their organization is likely to suffer a successful attack in the year ahead – a sharp rise from just two years ago, when 38% said they were likely to be breached.7

Given the “when, not if” mindset that now permeates the cybersecurity market, executive teams need to be proactive in their approach to mitigating successful cyberattacks. That's where a sophisticated incident response program comes into play.

How ready are you? Four types of organizations

The AT&T/IDC Global Cybersecurity Readiness survey identifies four levels of security preparedness:

Progressive. This is the highest level of security readiness, in which C-level executives pay close attention to security and invest in a holistic, comprehensive prevention and response strategy.

Proactive. Companies with above-average levels of security readiness realize the importance of IT security and have put in place basic steps to avoid breaches.

Reactive. At companies with below-average levels of security readiness, C-level executives pay moderate-to-little attention to security while delegating security expertise and day-to-day management to IT.

Passive. The least-prepared organizations are run by executives who take a hands-off stance. They tend to be unaware of most breaches and reactive in response to breaches they do detect.

Figure: Progressive companies are better prepared for a breach (% of companies that have a strong incident response plan that includes regular tabletop exercises and breach diagnosis)

Incident response plan: Core components

  1. Define all breach scenarios and their specific response steps
  2. Outline preventative measures
  3. Define stakeholders, roles, and responsibilities
  4. Create internal and external communications templates
  5. Specify response priorities
  6. Maintain business continuity

By clearly spelling out the participants, processes, and lines of reporting following a serious cyberbreach, an incident response plan goes a long way toward mitigating the impact of a breach. The Global Cybersecurity Readiness survey finds that 74% of the best-prepared organizations have a sophisticated and comprehensive program in place that assesses their breach response capabilities and includes a clear plan for diagnosis, response, forensics, and remediation.

Unfortunately, simply developing an incident response program does not mean that your organization will respond swiftly and effectively to a breach. While 81% of companies have an incident response plan in place, just 34% consider those plans to be effective.8

Too often, the costs and complexities associated with incident response planning and preparation may cause some companies to shortchange these activities. Among organizations that don't have an incident response plan in place, 40% cite a lack of resources or budget as the reason.9 In other instances, companies that are focused on speeding time to market and driving innovation may — by design or default — simply avoid tackling tough incident response demands.

"A thorough and well-understood incident response plan helps minimize the duration and impact of security events," says Michael Klepper, national practice director for Security Consulting Services at AT&T. "Like many things in life, you get out of it what you put into it."

In our hypothetical scenario, had the organization been better prepared, it would have had proper controls in place to prevent the theft of a laptop from opening the door to significant system damage. It also would have had an incident response plan in place to ensure that a breach could be quickly contained. Regular tabletop exercises could have given agency employees practical experience in reacting more quickly to an insider breach. All of these steps could have prevented the loss of data and the workplace disruptions that followed.

Know the term:

Tabletop exercise

A meeting to discuss a simulated emergency situation.

A cyberbreach is no time to find out you’re unprepared. As our hypothetical company learned too late, an up-front investment in incident response quickly pays for itself when a breach does occur.

What does a progressive company look like?

The progressive organization represents the highest level of cybersecurity maturity in the AT&T/IDC Global Cybersecurity Readiness survey. These organizations share several key qualities that help them rise to the top.

Pragmatic: C-level executives at progressive companies understand they are targets of breaches. That mindset enables them to take a more pragmatic approach to incident planning and response. For example, many progressive companies use technologies to sharply reduce the value of compromised data to hackers.

Comprehensive: Progressive companies are more likely to focus as much on readiness assessments and diagnosis planning as they do on post-breach diagnosis and response (74% for progressive organizations versus 16% of passive companies).

Diligent: Progressive companies perform near-constant security reviews and use third-party service providers to supplement the bandwidth of their internal security teams. Sixty percent of progressive companies say their senior executives require daily security status updates, versus 14% of passive organizations.

Successful: The companies with the highest levels of IT security readiness also exhibit better business outcomes. Progressive companies averaged 24% sales growth over the past three years compared to 6% for passive organizations; their profit margin grew by 20% compared to 3% for passive companies; and their customer satisfaction increased 22% compared to 2% for passive companies.

In other words, being security-ready is good for business.

Figure: Progressive companies have seen greater 3-year growth in revenue, profits, and consumer satisfaction