Security Magazine logo
What’s an Incident Response Plan, Again?

By Bart McDonough
June 7, 2018

A company is never able to predict when or by what means it may be targeted in a cyberattack, but it can prepare a robust response plan in the event of a breach. That response – contingent on the team, corporate processes and the technology that supports them – will ultimately determine whether a company ends up on the front page of The New York Times next to Equifax with its clients’ information on the Dark Web.

The following scenario provides a look behind the curtain at a company that has just learned that its cybersecurity has been compromised as a result of a targeted malware attack. The real-world dialogue showcases the consequences of not having a well-prepared incident response plan and the chaos that ensues when trying to protect the company while coordinating with various support agencies, which leaves the business vulnerable and results in a disastrous reputational hit.

Cybersecurity Consultant: IT, I got your text to call you ASAP. What’s up?

IT: Thanks for calling so soon, Mike; we’ve detected anomalous traffic indicating a cybersecurity incident. We found that a workstation was compromised with malware, and subsequently a large amount of data was leaked to an unknown system. What do we do?

Cybersecurity Consultant: I’m glad you texted me. We need to initiate your incident response (IR) plan immediately.

IT: Ugh, IR plan? Oh yes, yes. I remember we created something. Let me dig it out and send to you.

Cybersecurity Consultant: Ok… Try to send that to me as soon as possible.

[One hour passes. IT calls Mike.]

IT: Mike, I just sent you the plan.

Cybersecurity Consultant: I have it up in front of me. First question, have you ever tested this plan through a tabletop exercise?

IT: No… We couldn’t get the budget approved. We haven’t tested it yet.

Cybersecurity Consultant: Alright, next question: have you isolated the machine?

IT: Not yet, but we will.

Cybersecurity Consultant: Have you looked at the logs?

IT: What logs?

Cybersecurity Consultant: Your SIEM (security information and event management) logs.

IT: Oh right, right. Our MSSP (managed security service provider) has those. What exactly am I looking for?

Cybersecurity Consultant: You want to make sure your MSSP is reviewing the logs for any current additional anomalous traffic, specifically to international hosts; we want to make sure this thing isn’t spreading.

IT: Ok, hold on a second, let me get them on the line, and then call you back.

[30 minutes pass]

IT: Mike, we were able to verify that no other workstations were affected.

Cybersecurity Consultant: Ok, have you isolated that machine yet?

IT: Not yet, we’re still working on it. It’s our VP of Sales’ machine, and we’re working on building him a new one right now.

Cybersecurity Consultant: Do you have a Forensics firm you work with?

IT: No, why? Oh, hold on, I just got an email, we’ve shut down that machine, and the VP of Sales is now up and running on a new workstation.

Cybersecurity Consultant: Great. Back to your IR plan, which includes communication and reporting. Do you guys have that under control?

IT: Communications and reporting? Ugh, to whom? Our customers?

Cybersecurity Consultant: And potentially the PCI Security Standards Council, employees; you know, all of the stuff we referenced in the plan.

IT: Dang; ok, we need to get Legal and Corporate Communications on the line, and maybe even our CFO.

Cybersecurity Consultant: Don’t forget your COO; she’s also part of the IR plan.

IT: Oh right, right; the plan.

Cybersecurity Consultant: I’m ready to join the conference bridge.

IT: What conference bridge?

Cybersecurity Consultant: You know, the conference bridge that’s specified in your plan. We need to get all of the players on the line so we’re all on the same page.

IT: Oh, um, ok. I guess I’ll set that up.

Cybersecurity Consultant: Yes, immediately.

[Conference bridge is now live. Attendees: Cybersecurity Consultant, IT, COO, CFO, Legal, Corporate Communications]

IT: Team, we’ve experienced a cybersecurity breach, and this call is to initiate our IR plan. I’ve brought in Mike, Head of Security at our Cybersecurity Firm, to help guide and walk us through our IR plan.

CFO: What’s an IR Plan?

IT: You know, our Incident Response plan.

CFO: Incident Response?

IT: Again, we’ve had a cybersecurity breach.

Corporate Communications: Wait a minute, we’ve had a breach? What does that mean? Do we have to tell our customers?

Legal: Do we have to report this to any regulatory bodies or the FBI?

COO: Woah, woah, woah, is this going to affect business? We can’t stop operations.

IT: The machine with the malware was our VP of Sales’ workstation; we’ve moved him onto another machine so we should be good, operationally.

COO: Great. So why do we need to be here? I’ve got work to do.

Cybersecurity Consultant: We need to know what data has been breached, before you can make decisions about your communication and next steps.

IT: According to our plan, we need to engage a Forensics firm with our MSSP.

COO: A Forensics firm? Why do we need a Forensics firm? That sounds a little drastic. Are we just wasting money here?

IT: They’ll identify the evidence we need to determine what we say and to whom.

CFO: Well, how much is that going to cost?

IT: I spoke to a couple of different firms, but we never got the green light for the retainer.

CFO: What about cyber insurance? I went to a conference a while ago; doesn’t that insurance cover and pay for something like this?

COO: I got a quote from an insurance carrier a while back, but we never went ahead with purchasing the policy.

Cybersecurity Consultant: Alright IT, next steps, I’ll send you some names of Forensics firms we recommend.

IT: Thanks. I’ll get on reaching out to them right away.

[Team disperses while IT speaks to Forensics firm. Two hours pass…]

IT: I’ve spoken with the Forensics firm; because we didn’t have them on retainer, they can’t come in for another 3-4 weeks, unless we want to pay their emergency rate of $1,000/hour.

CFO: Absolutely not, we’ll need to wait. That cyber insurance would’ve come in handy.

Corporate Communications: Legal, I don’t think we should communicate anything externally just yet. Do you agree?

Legal: Ugh, sure. I don’t even know what we’d say at this point. I might need to call that law firm that specializes in cyber breaches to get their recommendation. I’ll have to dig around for their contact info; it’s been a while.

[Four weeks later. The forensics firm has concluded their investigation.]

IT: Team, after working with the Forensics firm, they discovered that customer account information was part of the data set that leaked.

Corporate Communications: What do you mean “part of” the data set?

IT: Good news, bad news. When we isolated the problem, we took the machine offline to ensure the malware wouldn’t spread, but my team reimaged the machine before preserving it, which means we lost the ability for Forensics to conclusively determine if the customer account information was the only data that left the firm.

COO: In English, please. So what does that mean? Do we need to send something to our customers?

Corporate Communications: I’d recommend against sending anything. It’s been over a month now since the breach happened, and we still can’t conclusively state what information was really leaked.

Legal: I’m not sure that’s the right call. It was customer account information that was leaked.

CFO: Should we at least change the account numbers?

COO: Yes, probably.

Corporate Communications: How do we initiate an account change without telling our customers why?

Three weeks later, The New York Times reports that the company’s customer account information, including email addresses and phone numbers, has surfaced on the Dark Web.

No company is immune to cybersecurity risk – regardless of size, profile or value. This dialogue lays bare the risks companies expose themselves to through poor governance and weak cyber hygiene. Without a robust IR plan that has withstood regular tabletop exercises, a company can severely compound the damage of a cyberattack. Indeed, mishandling the response or being otherwise ill-prepared can turn a minor data breach into a catastrophic event for a company’s reputation and its business.

Bart McDonough is the CEO and founder of Agio, a hybrid managed IT and cybersecurity services provider.
