While a recent survey by McAfee and SAIC found that almost one in four companies had suffered a data breach within the last year, only a quarter had conducted forensic analysis following a breach, and only half had taken steps to remediate and protect systems after a breach or attempted breach.

In an ideal world, every organization would have a dedicated, in-house incident response team to handle both forensic analysis and remediation but, according to Larry Ponemon, chairman and founder of the Ponemon Institute, the reality is that relatively few companies have such teams in place.

“Probably one third of organizations have officially sanctioned incident response teams, maybe another third have an informal approach, a plan that’s not actually an officially-sanctioned team … and then the final third really don’t have anything in place,” Ponemon said. “They’re waiting for the other shoe to drop, and then they’ll figure out a way of dealing with it.”

For many companies, Ponemon said it makes sense instead to turn to a provider that offers incident response as a service, such as McAfee, Verisign iDefense, Dell SecureWorks, Mandiant, Sword & Shield or CyberEvidence. “More and more organizations are getting into this niche field, and quite frankly, I think they add a lot of value,” he said.

The point is that handling cyber attacks or security breaches the wrong way can cost a lot of money. “You can incur huge organizational costs, and soft costs as well, like reputation diminishment, customer churn,” he said. “So you have to think, is it better to have a consultant that’s bringing all of this expertise to the table, even if the cost is a substantial amount of money, or is it better to go it alone?”

Jeffrey Wheatman, research director at Gartner, said the most highly regulated industries, like financial services, insurance or health care, are far more likely to dedicate resources to incident response, but he still said he rarely sees a dedicated, in-house incident response team. “They’re certainly the exception rather than the norm,” he said.

That’s generally because it’s hard for the vast majority of companies to justify the cost of maintaining a dedicated team focused on activities like analysis and forensics. “You have two options when you have an incident,” said Wheatman. “One is to get back up and running as quickly as possible, and the other is actually to figure out what happened -- and I think we all know that the former is much more common.”

When an enterprise considers turning to companies that offer incident response as a service, Wheatman said, there’s always an inherent Catch-22 because “[t]hose companies will probably have better expertise and capabilities to do that, but whether clients are going to trust them to do so, I think, is an entirely different question.”

Still, it makes much more sense to delegate that kind of responsibility to a third party, simply because of the nature of the work. “You’ll sit around for days on end without anything happening, and then all of a sudden you have eight million hours’ worth of work to do in eight hours. And that’s where the third party would come in, because they’ll have a bunch of resources to allocate,” Wheatman said. “To have a full dedicated team in house is just going to be way, way too expensive.”

Bob Walder, chief research officer at NSS Labs, said most of the companies he’s spoken to don’t (and can’t afford to) have a dedicated incident response team. “Typically, we don’t find that sort of approach in anything but the largest Fortune 100 type enterprises,” he said.

Still, Walder said, that doesn’t mean other companies shouldn’t consider the idea. “Smaller organizations could adopt some of the techniques, without necessarily spending too much on additional resources. At the end of the day, it’s about balancing the risk and the cost.”

Carefully studying firewall and IPS logs, for example, can make a significant difference, whether that’s done by a dedicated team or just by a single individual; the techniques being used to mitigate risk often matter far more than the size of the teams employing them.

One enterprise he spoke to, Walder said, recently found that they had more than 2,000 machines on their network that had been compromised for over two years. “They’ve got their firewall, they’ve got their IPS in place but, presumably, what they weren’t doing was actually watching what was going on across their network in that time.”

“In a lot of organizations, [firewall and IPS] logs are not studied carefully enough, and even the organizations that are looking at the logs are probably looking at them in isolation,” Walder said. “They need to start looking at what’s happening across their network, and try correlating some of the seemingly unrelated incidents.”

Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at jeff@jeffgoldman.com.