It’s late on Friday afternoon when you receive a suspicious alert: “Unusual activity detected” on a critical IT asset. Panic sets in as the clock begins ticking. You know you need to quickly lock down systems to prevent propagation and assess any potential damage.

Can your in-house team identify the cause, contain the damage, and recover? And importantly: can they prevent a future incident?

The NCSC (National Cyber Security Centre) says good cyber security facilitates better cyber resilience: the power to protect your business from, respond to, and recover from a cyber attack, data breach or service outage.

According to data from IBM/Ponemon Institute’s 2022 Cost of a Data Breach, having a Cyber Incident Response Team (CIRT) and a well-tested plan in place could lower the cost of a breach by nearly 60%.

But while an in-house CIRT is one option, it can also be costly. Keeping the team trained in the right skills takes time and money, but low utilisation means your team may need to gain routine experience to mitigate a major incident when the crucial time comes. 

Having an Incident Response (IR) Retainer with a trusted cyber security partner could be an alternative to a CIRT. Or it could act as a force multiplier, to offer the necessary level of proactive and reactive support you need to manage cyber security risk effectively.

Implementing an IR Retainer agreement before a breach occurs could save your company stress, time, and money.

Whether you’re exploring an IR Retainer for the first time or already have a partner in place, identifying the right capabilities to integrate with your internal security operations is essential. 

1. Is there 24/7 global support and guaranteed SLA? 

During a breach, seconds count. The faster you can track down threat actors and stop them, the less damage will result. An IR Retainer partner should provide 24/7 global support with a guaranteed SLA in one hour or less, along with periodic check-ins during downtime to stay up to date on your organisation’s security posture.

2. What about insights ahead of the threat?

The best way to manage cyber security threats is to prepare for them. An effective IR Retainer should include best practice advice and recommendations on improving your risk posture based on the unique needs of your organisation and the threats you face.

3. Does it include threat detection and mitigation?

When an incident occurs, you need a partner that can conduct urgent triage and advise on immediate action to neutralise the threat. An IR Retainer partner should be able to provide remote assistance and/or on-site support with specialised tools and technology to identify and contain a breach.

4. What’s the return on investment?

An IR Retainer partner can be a force multiplier that allows you to tap into critical expertise in the event of an incident. But it should also provide ongoing value by offering insights, intelligence, and tested experience on how to better protect your organisation all year long. Look for a partner with the flexibility to apply unused days or hours to other cyber security solutions to bolster your resilience.

5. Are advanced digital forensics included?

The ability to analyse evidence and adapt your defences is a key component of incident response. An IR Retainer agreement should include a thorough investigation and threat analysis to understand how and why a compromise happened—and most importantly, how to prevent it in the future.

6. What about post-event consulting services?

Beyond the technical aspects of managing an incident, there are also downstream matters to address, such as regulatory issues, if/when/how to make a public statement and other media and public relations concerns. After all, damage to your reputation will be a serious concern if news of a breach is not handled well.

IR Retainers could offer the scalability, experience, and near-instant coverage you need to go to work quickly and put time on your side when it matters most. But choosing the right partner can make a critical difference in reducing a cyber security incident's time, cost, and reputation damage.

Learn more about strategies to enhance your organisation’s readiness and resilience—download NCC Group’s guide to Incident Response Retainers or get in touch with NCC Group.

For more insights on the latest cyber-security threats to businesses, see our Cyber Security hub.

Please note that the views and information have not been endorsed, issued or approved by NatWest. Any views expressed in this content are not necessarily those of NatWest.