“Incident Response Management”: Attitudes of European Enterprises

We have recently sponsored a new research study conducted by Pierre Audoin Consultants, PAC, focused on “Incident Response Management”. The results detailed are compiled from a survey conducted among large enterprises in France, Germany and the United Kingdom.

The report provides key insights into the reality of security breaches and how enterprises are dealing with the current threat landscape. 67% of companies report that they were breached last year and all admit to having been breached at some point in the past. 43% of those companies rate the incident severity high or very high. With an average direct cost of €75k per breach plus indirect costs associated with taking one to six person months to recover from a breach companies have to accept that breaches are inevitable and adapt their strategies accordingly to face this new reality. Not surprisingly over the next two years companies expect a shift in their security budgets between the traditional  protect and prevent services versus detection and response from a ratio of 4:1 to 3:2.

The shift towards a proactive security strategy
We believe this trend will only accelerate and that incident response is an important element of a more proactive security strategy being employed by enterprises.  This new threat landscape is reflected in the standardized security services within our portfolio designed to detect and mitigate security incidents, including Phishing or Malware, Brand Abuse, Pharming and the ongoing concerns associated with Customer Credential Markets. In addition we provide customised solutions and expert teams to support enterprises address advanced incidents including forensic analysis.

We continue to invest in the development of our Cybersecurity services portfolio in order to provide enterprises with actionable intelligence to help them identify the impact of attacks on their business. This includes insight into the effects on their brand and reputation across their digital estate, including the internet, web portals and social networks, the detection of online fraud and the identification of threat actors, their motivations and attack methodologies.

Security technology provides an incredible amount of data. This drives a key challenge within the security industry, the need to rationalise this data and identify a clear picture of what is occurring and what it means. Importantly, much of the relevant information lies outside of the enterprise, driven by the fact that there is no longer a defined perimeter and because most of the threats are executed via the internet. It is crucial that we are able to provide insight into the current security landscape and clearly articulate the current status for enterprises. Not surprisingly, the PAC study details how companies are challenged by the lack of in-house threat intelligence skills with 38% of security teams identifying this as their main source of concern.

Don’t just stand there, prepare!
Detecting an incident rapidly and effectively means that enterprises need to be ready. The need to prepare and react are two sides of what is usually a single problem. When we consider the need to prepare for a cyber-incident response it is clear that while incidents are out of our control, in that we cannot predict who will attack, when it will occur or what will happen, organizations crucially should expect an attack and be prepared to react appropriately. 86% of enterprises recognise this and within the research identified the need to be ready as central to their strategy. This proactively manifests itself in the form of implementing strategies that will help if and when the breach happens. This includes a CyberIncident Response Strategy or Plan that is maintained and tested.  It includes a crisis handling plan, roles and responsibilities post-discovery and communication plans etc. By having these key items in place and creating controls that allow the discovery of incidents, companies are better prepared for an organized post-incident response.

To notify or not notify, that is the question
The new European regulation with the inclusion of the mandatory breach notification is yet to be issued, however, companies are exploring what this will mean to their businesses. 87% of respondents indicated concern with regard to this change. Responding to an incident is not only a technological challenge it has a negative impact on a number of elements within any organization. The technological response mainly addresses the need to safeguard core aspects including communication, both internal and external, minimizing business operational impact and ensuring continuity. Breach notification requires technological support which produces the right type of information in a reasonable timeframe but also a communications challenge to ensure that any public announcement is effectively managed. This is reflected in the responses captured. 71% of respondents raised this as a key concern whilst 52% considered this a more important challenge than the technical issue. As the legislation initiative evolves, the need for enterprises to develop their cyber-incident response plans becomes paramount in order to be able to manage these issues. We believe this is why increasingly cyber-incident response plans are either linked or even included in the business continuity plan. Many of the softer skills required to manage an incident, will be the same regardless of the nature of the incident. As the market matures, and with a greater understanding of the cyber-risks and the associated importance of these risks increases for enterprises, the concept of Cybersecurity will be considered as another source of risk, to be managed in a consistent way.

I’m in trouble. Can you help?
The final part of the report assesses the strategy of outsourcing as a potential approach to addressing cyber-incident response. 69% of participants indicated that they have a combination of both internal and external staff dealing with security incidents. While initially this number appears surprisingly high, in retrospect, given that the severity, complexity and impact of incidents vary widely, it seems reasonable that companies adopt a human resources strategy which is flexibly designed to provide a range of capabilities in order to be ready for a different  types of incidents.  This is especially relevant when considering that companies often utilise external resources to support the management of standard security incidents which allow them to focus on more strategic security issues.

Once an organisation is aware of an incident they are immediately concerned with its containment and resolution. A breach will not solve itself, or simply disappear, hence its  damaging effects continue to grow. This explains why respondents cite quality, speed and knowledge in preference to the more traditional reasons for outsourcing, which normally include cost or budgetary flexibility. We understand this important requirement and provide key performance indicators for the time taken to close an incident as part of our on-line portal for our cyberincident response services.


Telefónica is both an ISP and an IP backbone provider and we have extensive experience in managing security inside our global and national networks as this is a core requirement for our business. We can leverage that experience as well as our cloud and network assets in order to deliver comprehensive managed security services. We believe that within Cybersecurity we can provide a comprehensive and end-to-end view of the security challenges faces enterprises from the generation of threat intelligence through to incident response where our experience and our network enable us to use network-based mitigation measures.


You can now download the study conducted by the consultancy company Pierre Audoin Consultants (PAC) and supported by Telefónica:

» Download the executive summary of the “Incident Response Management: How European Enterprises are Planning to Prepare for a Cyber Security Breach”.

» Download the full study “Incident Response Management: How European Enterprises are Planning to Prepare for a Cyber Security Breach”.