Only Half of Companies Have a Computer Security Incident Response Team

Defenses can be put in place to prevent cybersecurity incidents, but sooner or later a cyberattack will be suffered. It is therefore essential that healthcare organizations have the infrastructure and policies in place to respond quickly to an attack. A dedicated computer security incident response team can be invaluable in this regard.

Under HIPAA Rules, all covered entities must develop a data breach response plan which can be put in place as soon as a data breach is discovered. The breach response plan must be executed immediately, yet many healthcare organizations do not have a dedicated computer security incident response team. A response team consists of a number of IT security experts whose main role is to respond to security incidents and data breaches as soon as they occur.

New Survey Indicates Half of Companies Lack A Dedicated Computer Security Incident Response Team


A recent survey commissioned by (x)matters looked at the security response capabilities of U.S. companies. The survey was completed by 400 IT professionals, 13% of whom were employed in the healthcare industry. Over 90% of respondents said they suffer major security incidents several times a year, while 60% said they suffered major incidents on a monthly basis.  Even though security incidents were regularly suffered, only 52% of companies had an incident response team, and only 44% had dedicated personnel assigned to their computer security incident response teams.

Large organizations employing more than 5,000 employees were most likely to have a major incident response team in place. 67% of large companies had a major incident response team to deal with security breaches compared to 52% of companies employing between 1,000 and 5,000 employees, and 41% of companies employing between 500 and 1,000 members of staff. 80% of organizations’ incident response teams included fewer than 10 individuals.

Organizations that had not set up a team to deal with security incidents gave the responsibility to their IT departments in the majority of cases. 56% of respondents required IT operations to deal with security breaches, 44% gave the responsibility to an IT executive and 35% gave the responsibility to different individuals, depending on the nature of the incident.

29% said the individuals responsible for the initial response depended on who was available at the time, while 24% gave the responsibility to the IT service desk.

When it came to responding to a data breach, 64% of companies had specified target times for responding to a major security incident. Those target times varies considerably from company to company:

  • Less than 15 minutes: 7%
  • 15-30 minutes: 17%
  • 30-60 minutes: 29%
  • 60-90 minutes: 29%
  • Over 90 minutes: 19%

Even though response times had been set, 76% of organizations said their response times were exceeded. Only 1% of respondents said issued were always resolved within the required time frame. 63% of companies exceeded the response time some of the time, and 13% said response times were exceeded most of the time.

The study backs up the findings of last year’s Ponemon Institute study commissioned by Lancope. The study was conducted on 674 IT security professionals from the U.S. and UK. 34% had not formed a response team to deal with incidents when they occurred and of those that had, many did not employ full-time staff.

Having a dedicated computer security incident response team can greatly improve the efficiency of the breach response. Many smaller organizations may not be able to employ full time staff to deal with security incidents, but individuals must all made aware of their roles and must be able to act immediately in the event of a security breach. Due to the importance of executing a breach response rapidly, organizations should not leave the responsibility to whoever is available at the time. Valuable time can be lost.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.