Four Years. One Message: Test Your IR Plan or Pay the Price
- Avi Lipa
- 2 days ago

Four years in a row of IBM Cost of a Data Breach research reports:
We fed them into NotebookLM (by Google AI) and asked it to come up with the major key factor that helps reduce the cost of a data breach.
You can validate it by browsing each yearly report and looking at the graph listing the factors which impact the cost of a data breach.
Ah, and yes, we can help. :-)
"Across the four years of research, Incident Response capabilities, particularly having a dedicated team and regularly testing the IR plan, have consistently proven to be a critical factor in reducing both the financial cost and the duration of data breaches. Beyond cost savings, IR capabilities significantly reduce the time it takes to identify and contain a breach.
The data breach lifecycle is defined as the elapsed time between the first detection and containment.
The 2021 report showed that for organisations with fully deployed security AI/automation (which often supports IR), the total breach lifecycle was 247 days (184 days to identify, 63 days to contain), compared to 324 days (239 days to identify, 85 days to contain) for organisations with no security AI/automation. While this specifically highlights AI/automation, it demonstrates the link between faster response (enabled by capabilities like IR) and shorter lifecycles.
The 2022 report noted a dual strategy of forming an IR team and testing the IR plan was found to significantly reduce the average time to identify and contain.
In the 2023 report, the combined strategy of forming an IR team and testing the plan resulted in a lifecycle of 252 days (194 to identify, 58 to contain), which was 54 days shorter than the 306 days (216 to identify, 90 to contain) for organisations employing neither approach. Testing the IR plan alone was also effective, resulting in a difference of 48 days. The report explicitly states that IR planning and testing helped organisations resolve incidents 54 days faster.
The 2024 report highlights IR planning and testing as a top investment area, implying its continued importance for timely response.
The reports emphasise the importance of both having an IR team and regularly testing the IR plan.
Regularly testing the plan was sometimes noted as particularly effective.
Having an IR vendor on retainer can also help speed up the time to respond to a breach.
Recommendations often include establishing a detailed cyber incident playbook and routinely testing it through exercises or simulated environments."