How To Improve Incident Response Time for Data Breaches

Incident response time is a very important part of surviving a data breach.


It is no secret that cyberattacks are escalating in frequency and severity each year. They have led to a growing number of data breaches, which are creating major concerns for people all over the world. IBM reports that the average data breach cost over $4.2 million in 2021, which is a figure that grows every year.

Malicious actors are becoming increasingly crafty at intercepting communication and penetrating organizations to steal valuable data. The fact of the matter is that no one will ever be completely safe from these types of attacks, and when they do happen, response time is the most valuable variable organizations have under their control.

Take the Marriott data breach in 2014, for example. Before Marriott acquired the Starwood hotel group, Starwood suffered a major data breach of its customer database. Because no internal threat detection mechanisms existed, the malicious actors had access to massive volumes containing personal customer information. This breach was not discovered until 2018, granting the malicious actors open access to more and more data as the Marriott hotel group went on doing business.

Had this data breach been detected earlier, countermeasures could have been put into place to protect many of its clients.


How can organizations protect themselves from this kind of data breach?

Luckily, modern solutions exist that arm organizations with the necessary tools to avoid these kinds of data breaches. An extremely good principle and starting point is to honestly quantify the cybersecurity risk in your organization.

For organizations that need expert advice in this area, there are automated software solutions from specialized third-party vendors that offer this kind of quantification. They are crucial for data protection.

Being aware of the possible shortcomings in organizational security not only highlights problems that need to be addressed in the short term but also allows the organization to develop sound data security policies for consistent fortification.

Policies will go a long way to grow a culture of security awareness among employees, giving guidance on best data protection practices and opening channels of honest communication in the case of the inadvertent introduction of vulnerabilities.


To help administrators secure hosts consistently and efficiently, organizations should consider combining data security automation solutions with OS and application setup checklists. Checklists can be used by security automation technologies to apply configuration settings that improve the default level of security and to monitor the hosts’ settings to ensure that they are still in compliance with the checklist settings. Hardening principles when it comes to security setups should also be considered.
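The checklist-driven monitoring described above, as an added example that is not part of the original article: a constructed SSH hardening checklist is compared against a host's sshd_config text, and every missing or deviating directive is reported as drift so an automation job can re-apply the setting and alert on it. The directive names and expected values are assumptions chosen for illustration.

```python
"""Checklist-driven hardening check (added illustration, not from the article).

A baseline checklist (constructed here, modelled on common SSH hardening
settings) is compared against a host's sshd_config text. Findings list every
setting that is missing or deviates from the checklist, so an automation job
can both apply the fix and alert on configuration drift.
"""
import re

# Constructed checklist: expected values for selected sshd_config directives.
CHECKLIST = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

def parse_sshd_config(text: str) -> dict:
    """Return {directive: value} for active (non-comment) lines; first wins,
    which matches how sshd resolves repeated directives."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if m and m.group(1) not in settings:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def check_compliance(settings: dict, checklist: dict = CHECKLIST) -> list:
    """Return (directive, expected, actual) for every deviation.

    A directive absent from the config is reported with actual=None, because
    the daemon's default may not be the hardened value the checklist expects.
    """
    findings = []
    for directive, expected in checklist.items():
        actual = settings.get(directive)
        if actual is None or actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return findings

# Constructed sample config: two deviations and one commented-out directive.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 6
"""

if __name__ == "__main__":
    for directive, expected, actual in check_compliance(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"DRIFT {directive}: expected {expected!r}, found {actual!r}")
```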

Since response time plays such an important role during a data breach, what actions are needed to reduce the overall incident response time?

The speed of incident response during a data breach can be affected by four distinct parameters:

  • Preparation
  • Detection and Analysis
  • Threat containment and Recovery
  • Incident post-mortem

Organizations are encouraged as part of their preparation process to continually improve their internal knowledge about malware found in the wild and prevent data theft. Keeping up with the ever-changing landscape of malware threats and technologies is essential. Preparation would also include having dedicated channels of communication between users and IT or SOC where possible. Users should also receive regular training in best practices and security policy to avoid possible attacks stemming from social engineering.


To reduce the number of infected hosts and the amount of harm sustained by the company, organizations should aim to detect and confirm malware outbreaks as quickly as possible. Because malware can take many forms and be disseminated in a variety of ways, there are numerous possible symptoms of a malware occurrence, as well as numerous locations within an organization where they can be recorded or observed.

Organizations should have strategies and procedures in place for making risk-related choices that represent the organization’s risk tolerance for data theft. For example, if the likely damage to the organization from those functions being unavailable is greater than the security risks posed by not isolating or shutting down infected hosts performing critical functions, an organization may decide that they should not be disconnected from networks or shut down.

Incident handling should always be followed up by a thorough post-mortem investigation. The purpose of this investigation is never to place blame on a person for the breach but rather to measure the effectiveness of existing security practices. Policies should be amended accordingly after the post-mortem investigation to improve both security and incident response time in the future.


Don’t Underestimate the Importance of Incident Response Time During a Data Breach

Data breaches are not going away anytime soon. However, your company can survive a breach more easily by understanding the importance of incident response time. Incident response time can mean the difference between a data breach resulting in minor side effects and a breach becoming a major setback to an organization.


Ryan Kh is an experienced blogger, digital content & social marketer. Founder of Catalyst For Business and contributor to search giants like Yahoo Finance, MSN. He is passionate about covering topics like big data, business intelligence, startups & entrepreneurship.