Verizon recently released its 2019 Incident Preparedness and Response Report (VIPR) – “Taming the Data Breach” – based on data collected from companies across industry verticals between 2016 and 2018. The company analyzed the Incident Response or IR Plans of organizations from the finance and insurance (33%), retail trade (17%), manufacturing (15%), utilities (5%), wholesale trade (5 %), educational services (5%) and a few other industries. It also came up with actionable recommendations based on five data breach simulation scenarios.

What the IR Plan is

The IR Plan is centered around the six main stages of incident response – (1) Planning and preparation, (2) Detection and validation, (3) Containment and eradication, (4) Collection and analysis, (5) Remediation and recovery, and (6) Assessment and adjustment. It identifies and defines the roles and responsibilities of internal IR stakeholders; and describes incident detection, attack types, and severity levels to help IR stakeholders and tactical responders manage security threats and incidents.

Key findings

The company’s findings are divided into six main sections that correspond to the six stages of incident response.

Planning and Preparation

Plan construction
  • Seventy-nine percent of the organizations assessed had an IR plan in place. 
  • Forty-eight percent had a “logically constructed, efficient” IR plan.
Plan relevance
  • Only 40 percent of the plans had clearly defined provisions for periodic reviewing, testing, and updating of IR Plans.
  • Twenty-two percent did not cite any internal security policies or procedures, and 38 percent did not cite legal or regulatory requirements.
Internal stakeholders
  • Fifty-seven percent of the plans designated internal IR stakeholders, and 52 percent fully described internal IR stakeholder roles and responsibilities. 
  • Fifty-nine percent did not require internal IR stakeholders to periodically conduct meetings to discuss the threat landscape.
Tactical responders
  • Fifty-three percent clearly designated tactical responders.
  • Forty-seven percent clearly defined tactical responders’ roles and responsibilities.

Detection and Validation

Incidents and events
  • Fifty-five percent of the assessed plans fully defined cybersecurity incidents.
  • Forty-one percent clearly defined cybersecurity events. 
  • Sixty-two percent clearly classified cybersecurity incidents.
  • Sixty-seven percent clearly defined different severity levels for cybersecurity incidents.
Detection sources
  • Forty percent plans fully described non-technical incident detection sources. 
  • Thirty-one percent fully described technical incident detection sources.
Tracking and reporting
  • Forty-two percent plans clearly and fully defined incident and event tracking mechanisms.
  • Sixty-six percent clearly defined incident reporting procedures.
Escalating and communicating
  • Forty percent included detailed IR stakeholder escalation criteria.
  • Forty-five percent included IR stakeholder notification procedures.

Containment and Eradication

  • Fifty-two percent of the assessed plans clearly described containment measures.
  • Fifty percent included fully defined eradication measures.

Collection and Analysis

Collecting and analyzing
  • Only 16 percent of the assessed plans includes clearly defined procedures for data collection and analysis. 
  • Even fewer – 9 percent – fully defined tools for data collection and analysis.
Evidence handling
  • Twenty-six percent plans clearly mentioned procedures for evidence handling.
  • Twenty-one percent fully described evidence submission and chain of custody forms use.

Remediation and Recovery

  • Only 41 percent of the plans included clearly laid out measures for remediation.
  • Forty-five percent included clearly defined recovery measures. 

Assessment and Adjustment

Lessons learned
  • Seventy-six percent plans required (and 14 percent partially required) lessons-learned activities following security incidents
  • Sixty percent fully required (and 14 percent partially required) IR Plan updating following security incidents
Measuring success
  • Twenty-four percent of the assessed plans required the retention of data and reporting. 
  • Twenty-four percent required the tracking of incident and response metrics.


The top five Incident Response Plan recommendations were clearly defining tactical responders’ qualifications (85 percent), making provisions for data analysis (83 percent) and data collection guidance (76 percent), citing external security-related governance and standards (78 percent) and writing and publishing database incident reports and lessons learned results (78 percent). 

The top five breach simulation recommendations were maintaining a regularly updated, well-rounded IR plan (30 percent), producing IR playbooks for individual incident types (30 percent), putting in place internal escalation protocols (30 percent), clearly defining IR stakeholder roles and responsibilities (27 percent), and establishing alternative communication channels and solutions (26 percent).

Read the complete report at Verizon’s website: