November 17, 2023
5 Things Company Leaders Need to Know if They’re Breached
The best time to make decisions about cyber incident response is before an attack ever takes place.
I’ll be honest. When it comes to cybersecurity, I hate the familiar refrain of, “It’s not if, it’s when.”
That’s a bit fatalistic, and companies can protect their environments without resigning themselves to the idea that they’ll inevitably be breached. I think of incident response the same way I think of fire safety: While it’s important to plan for the worst, no one says, “It’s not if we’ll have a fire, it’s when.” Don’t get me wrong, there’s absolutely more likelihood of a cyberattack than arson. But there are also things you can do to better protect your organization and be better prepared if something does happen.
Funny enough, most companies have detailed fire safety plans, and most business leaders know exactly what steps to take if the office microwave goes up in flames. (Call 911, deploy the fire extinguisher and get everybody out through the nearest safe exit.) But often, company leaders have little idea how they would respond when faced with a major data breach or ransomware incident.
Here are five things that all IT and business leaders should know:
1. When to Kick Off Incident Response
Many companies are drowning in alerts, and IT leaders are wary of crying wolf for a false alarm. But too often, we see the opposite: catastrophic incidents that could have been prevented, if only someone had been notified sooner. Solutions such as Sophos MDR (managed detection and response) can help organizations wade through the noise in their traffic logs and sniff out the alerts that really matter.
2. Whom to Call First
This sounds like an easy question to answer, but in reality, it requires deliberate decision-making — and the answer might vary, depending on the incident. But just as you would immediately call 911 if there were a fire in the breakroom, you need to know exactly where to turn as soon as you see that you’ve been breached. Sometimes, this will be an internal call. For organizations with a Sophos Incident Response Services Retainer or similar service, the call is more likely to be external.
3. Which Systems to Prioritize
When an entire environment goes down, every business unit will have a different opinion about which applications should be brought back online first. That’s why it’s so important to make these decisions before an incident ever occurs. By creating a priority list for the organization’s systems, IT leaders can ensure that employees have the tools they need to navigate the crisis and continue to meet the organization’s mission.
4. How Much an Incident Will Cost
There are a lot of areas of uncertainty in the wake of a cyber incident. Cost shouldn’t be one of them. Business and IT leaders need to have a good idea of how much downtime will cost the organization and how much it will cost to remediate the damage caused by a cyberattack. These calculations might persuade company leaders to invest in managed risk offerings or other tools that can help prevent incidents from happening in the first place.
5. The Impact on Staff
At Sophos, we are often the initial point of contact for people on the worst day of their working lives. The professionals who do incident response for a living love being able to get organizations back on their feet, but for others, responding to a cyberattack can lead to massive burnout. I’ve even seen entire teams leave their companies after incidents. By engaging with an external partner before an incident occurs, organizations can get back to normal as soon as possible while minimizing the impact on their own employees.
Story by Kris Wayman