The reality of the current cyber environment is harsh, and no matter how well-funded or how skilled a security team may be, there’s a good chance they’re not quite as prepared as they think.
Verizon’s most recent Cost of a Data Breach Report found that more than 10,000 breaches were reported last year, exposing over 8.2 billion records. With an “average” cost of nearly $5 million, you can imagine the toll of the mega-breaches that are making global headlines. The true financial and reputational toll of a breach is incalculable.
While it’s tempting to think that experience and planning can shield an organization from an attack, the simple fact is that incidents happen. No matter an organization’s size, malicious actors target networks for financial gain or strategic advantage. Cybercriminals and nation states are relentless, skilled and constantly evolving. For most companies, it’s not a matter of “if” they will face a breach but “when.” Despite best intentions, no company is prepared for the moment that “when” turns to “now.”
There are several misconceptions fueling an inflated sense of security. Only by acknowledging these limitations can organizations begin to effectively address the challenges when it’s their turn under the gun.
‘Our Plan Will Guide Us Safely Through a Crisis’
Incident response (IR) plans have been an essential component of most companies’ cybersecurity strategy for a long time. But when an attack takes place and the rubber meets the road, many IR plans tend to be overly strategic and somewhat theoretical, lacking real value for security teams on the ground who are trying to mitigate the impact. In practice, they often fall short because the plan does not include the detailed information necessary to address the chaotic, real-world nature of a cyberattack and the high-stress decision-making that takes place when an attack occurs.
When talking with firms specializing in cybersecurity, we hear the same thing almost without exception: “We’ve never once used a company’s IR plan as part of our process.” These plans often are too high-level, updated once a year at best, and predominantly focus on broad, strategic directives. When an attack occurs, the immediate need is for clear, actionable steps that reflect the dynamic, evolving nature of the breach, not just an outline of who should be informed and when.
‘We Nailed Our Tabletop Exercise, So We’re Ready’
While tabletop exercises are valuable tools for familiarizing teams (and especially leadership) with incident scenarios, they fall short when it comes to executing in the face of the complexities of a real-world attack.
It’s hard enough to gather multiple departments — legal, compliance, IT, public relations and senior leadership, to name a few — with their own priorities and spread out across multiple locations and time zones during times of real crisis. Now, imagine trying to get a half-day block into the calendars of the employees whose participation the tabletop needs to be effective, many of whom are likely to write it off as an inconsequential training exercise. To maximize participation and secure critical buy-in from across departments, organizations should consider hybrid or staggered exercises that mimic the complexity of live incidents.
When the time comes, most internal teams — no matter how recently they’ve had their last training — will default to what they know. In times of crisis, people will inevitably drop everything and start executing. That often means they do it without planning or following existing procedures, if those even exist.
‘Worst Case: We Break Glass and Experts Come to Rescue’
Many organizations fall prey to the “heroic expertise” fallacy: the belief that if something catastrophic happens, expert third parties (external incident response teams, lawyers and consultants) will swoop in and save the day. While third-party experts are certainly skilled at what they do, it takes costly time for them to develop the understanding of your environment that will allow them to be effective.
Additionally, during large-scale cyber incidents, your company is not the only one calling for help. If multiple organizations are affected, external IR teams and law firms may be overwhelmed, with larger companies — often with bigger budgets — taking precedence. It’s a harsh reality: Expert help is often in high demand, and when everyone faces the same crisis, response times can be slower than anticipated, even if you’re paying through the nose for it.
Building Cyber Resilience in an Unpredictable Landscape
No organization is truly prepared for a cyber incident. Attacks are unpredictable, messy, and fast-moving, and no amount of planning can fully eliminate the risks. That said, proactive planning is critical in reducing potential incident impacts. Successful organizations recognize the inherent uncertainties and complexities of a breach, even a small one, and take steps to prepare much more thoroughly.
The goal isn’t to achieve perfect preparation. That’s impossible. Rather, it’s to build resilience, flexibility, and the organizational muscle memory to respond effectively when the inevitable occurs.