The Need for Incident Response Playbooks

by | Jun 17, 2022 | cybersecurity, incident response

The most recent Cost of a Data Breach Report (Ponemon 2021) found that “Lost Business Cost” represented the largest percentage (38%, or $1.59M) of the $4.2M average cost of a data breach. One of the key contributors to the “Lost Business Cost”, along with the cost of lost customers, reputation losses and diminished goodwill, was System Downtime.  

Although system downtime costs vary depending on a number of factors (e.g. industry, size), recent examples show that they can be quite substantial. In 2019, Facebook was down for 14 hours, resulting in a total loss of $90M (or ~$6.5M per hour of downtime). In 2016, Delta Airlines suffered a $150M loss after being down for just 5 hours ($30M per hour). For small businesses, downtime costs can also be quite high. A recent survey conducted by Infrascale of 500 C-level executives at small businesses found that 10% said that an hour of downtime cost their business more than $50,000, with another 26% saying that they incurred a loss of between $10,000 and $20,000 per hour of downtime.

So, what does this have to do with incident response playbooks? At Contextual Security Solutions we routinely perform Incident Response Tabletop exercises and Incident Response Plan reviews for our clients. The primary impetus for these engagements is to support adherence to compliance requirements (e.g. PCI DSS 3.2.1/4.0 Requirement 12.10.2). 

Although many organizations today do a satisfactory job documenting their Incident Response Plan, including documenting roles and responsibilities, high-level containment and mitigation activities, and the inclusion of legal requirements as they relate to reporting compromises, specific playbooks are still uncommon. That isn’t to say this is strictly due to neglect by any means. Considering the monumental change most security teams have had to tackle because of their business’s workforce transitioning from the office to the home, time and resources have been limited. With that said, here is a question to ponder when deciding whether it’s time to look at developing specific incident response playbooks for your organization.

How prepared are you to respond to a Ransomware attack?

Ransomware is an easy one to single out because it’s been in the news a lot over the years, and ransomware attacks have, for the most part, been indiscriminate in the industries they target. Playbooks take time and resources to develop, and they need to be updated as the attack vectors change and evolve, but when considering the hourly downtime costs referenced above, there’s no better time than now to start developing your playbooks.

Sample Playbook Resources

CISA Ransomware Playbook (See Part 2: Ransomware Response Checklist)

Incident Response Consortium DDOS Playbook

FlexibleIR Malware Outbreak Playbook

If you are unsure about how prepared your organization is to respond to an incident, have a compliance requirement to test your plan at least annually, or simply need help developing your organization’s incident response plan and playbooks, contact us today for a brief 15-minute call with a member of our team.

Solid Security Begins with Knowing. Excels by Doing