Cybercriminals are successfully targeting organizations of all sizes across all industry sectors. Recent analyst and media reports make clear that attacks are becoming more sophisticated and more frequent, and their consequences more dire. One global company that suffered a large breach spent over $100 million on investigating the incident and on other direct remediation activities. But those costs were small compared with the subsequent multibillion-dollar loss in market capitalization, which was largely attributed to investors’ loss of confidence in the company’s ability to respond.
That’s why it’s not enough to focus, as many enterprises do, on defending the digital perimeter with cybertechnologies such as intrusion detection and data-loss prevention. When determined adversaries such as hacktivists and organized criminal syndicates set their minds on finding a way inside, every organization with valuable digitized information is at risk of having its perimeter breached and its critical assets compromised.
Indeed, most organizations today would do well to expand their efforts to mitigate the consequences of inevitable breaches, which likely affect infrastructure systems and compromise key data such as personally identifiable information. An incident-response (IR) plan guides the response to such breaches. The primary objective of an IR plan is to manage a cybersecurity event or incident in a way that limits damage, increases the confidence of external stakeholders, and reduces recovery time and costs. For example, the US Department of Defense, which spends upward of $3 billion a year on cybersecurity, operates under the assumption that its unclassified networks may be penetrated and therefore concentrates on maintaining operations and minimizing damages from a breach.