
You've been hacked - Now what?

If you're reading this article because of the headline, you're in trouble my friend.

By Brian Wrozek
September 9, 2020

Cybersecurity threats come in many varieties – criminals, nation states, malicious insiders, ransomware, phishing, malware…the list goes on and on. But just because there are a lot of moving parts to cybersecurity, it doesn’t mean you can’t be prepared to respond to a data breach or other security incidents. If you’ve done your job correctly, you will never ask “now what?” when such an incident occurs, because you’ll already have an incident response (IR) plan in place that prescribes exactly what you need to do.

Cybersecurity IR is different from physical security IR, though. With physical security, the top priority is human safety, and then “catch the bad guy” is the second priority. So, you gather all your video and other pieces of evidence to help law enforcement find the perpetrator. Cybersecurity is different. Your top priority is mitigating the damage that’s been done, which may include getting the business back up and running. And, since the attacker is usually beyond your jurisdiction, it’s rarely a productive use of time to hunt them down, unless it’s an insider.
The good news is, it’s possible to put together a comprehensive and tested plan to effectively respond to cyberattacks. And, you don’t have to be a technical person to do this – you can be the facilitator of a cross-functional team that includes technical people (employees or consultants), as well as other relevant executives.

So, the question everyone needs to ask themselves is not “now what?” – it’s “how do I plan for this?” So, let’s take a look at how to create an effective cybersecurity IR plan.


First Things First – Build a Plan Based on Best Practices

The first step to building an effective cybersecurity IR plan is to adopt an industry-standard IR framework, such as NIST 800-61. This sets the foundation for your plan and dramatically reduces the dreaded “trial and error” that inevitably comes with “do-it-yourself” approaches. NIST 800-61 breaks down IR into four phases:

  • Preparation - Having an IR playbook in place is key so you’re ready for action should an incident occur. The playbook should define procedures, as well as the cross-functional team required for effective IR. It’s really the same thing as having a physical security IR plan – if someone breaks into the office, there should be a prescribed set of steps to take.
  • Detection and analysis - Detecting an attack is the first step in any IR plan. Analyzing where the attack came from (internal or external source) and what systems it touched are important for remediation efforts.
  • Containment, eradication and recovery - Preventing the attacker from moving anywhere else on the network or exfiltrating data (containment) and then ultimately removing them from the network is critical. Once the attacker is removed, recovery can begin – patching vulnerabilities exploited by the attacker, following steps to meet regulatory compliance, etc.
  • Post-incident follow-up - Reviewing how well the organization executed on its IR plan and applying those “lessons learned” so response can continuously improve is key as well.

Obviously, the preparation phase is the foundation on which to execute the other phases. Given its importance, let’s take a deeper look at this critical stage.


Building the Plan

First of all, if your expertise lies more in physical security than cybersecurity, fear not. There is always help to be had, either among internal technical personnel, or the plethora of outside cybersecurity consultants roaming the world today (ranging from solo practitioners to global consulting firms). These outsourced professionals can be put on an IR retainer, where they can help with everything from the preparation phase, straight through to post-incident follow-up.

At a high level, there are a lot of non-technical aspects to a cybersecurity IR plan that are similar to a physical security plan. For example, you need to choose someone to lead IR, assemble a cross-functional team, do periodic practice runs so people will know exactly what to do if something actually does happen, etc. The cross-functional team typically involves representatives from areas of the company that are responsible for different areas of activity required by the response. So, this would include:

  • CISO, CIO or both – Ransomware and breaches have become board-level issues, so there should be executive representatives on the team that can report directly to the CEO and the board.
  • Technical leads - These are people responsible for different parts of the company computing infrastructure – security, network, infrastructure, etc. They gather computer logs and evidence to support the investigation (it is common to utilize third-party experts in the forensics efforts).
  • Legal - Cyber incidents often have liability issues attached to them. Legal counsel should be part of the IR team to evaluate how a particular incident might open the company to legal exposure, and provide counsel on how to mitigate that exposure.
  • HR – Insiders are a major source of cyber risk, and if an employee causes a cyber incident, HR needs to be on the ground floor, so a legal and effective strategy can be developed to address the employee issue. Likewise, a cyber incident might be the result of a lack of employee training around cyber-safe behavior, so HR should also be directly involved in designing training programs that reduce the likelihood of this happening in the future.
  • Corporate communications professionals - Cybersecurity incidents create all sorts of internal and external communications challenges. If the company has to disclose the breach to comply with regulations, it could wind up being reported in the media. Likewise, if employees’ personal information has been compromised, they will need to be instructed on measures they should take to protect themselves. And, if it’s something catastrophic, like a ransomware attack, employees will need to understand how to continue performing their work while the situation is addressed.
  • Finance - Responding to a breach may require hiring outside experts or acquiring new technology very quickly. Having corporate finance on the cross-functional team can streamline the process of getting the right skills and equipment, as quickly as possible.
  • Risk management leaders - If there is a Chief Risk Officer, a Chief Compliance Officer, or something similar, that person should also be involved in the IR team.

Once the team is established, it is important to define the role of each member as well as communications protocols. This sets the framework for IR. From there, the team should work together to develop response plans for the different types of likely incidents: data breaches, ransomware attacks, denial of service attacks, insider data theft and more.


Testing the Plan

Creating a plan is an important first step; testing that plan is equally important. Failure to effectively execute on a plan is often just as bad as having no plan at all. According to the Optiv “State of the CISO” report, 36 percent of CISOs said they do not practice their IR plans at least once per year. Another 19 percent said they practice once per year.

Given the complexity of responding to a cyber incident, this level of practice is insufficient. And, when it’s time to execute on the plan, companies may even find that members of the original IR team are no longer with the company, or their contact information has changed, or new lines of business have started that are not accounted for in the plan. Given the pace of change in business, IR plans should be practiced and updated at least twice each year.

Testing often takes the form of tabletop exercises, where members of the cross-functional IR team spend half a day or more playing “war games” based on a variety of different scenarios. These exercises help team members internalize their responsibilities during a cybersecurity incident, and what steps they need to take based on different scenarios.

Additionally, it is an excellent idea to practice computer forensics processes because they help determine how the attack occurred, what type of attack it was, what damage the attackers did, and whether or not attackers are still on the company network.

A good way to practice forensics is to randomly choose a system and have the appropriate person conduct forensics on it. Capturing disk images and searching log files can take hours, so practicing will ensure forensics are conducted as efficiently as possible if an actual attack occurs.


Every Incident Creates New Questions

Some measures during IR are prescribed. For example, if your company is regulated and required to report a breach within 72 hours, that is pretty straightforward. But in cases where things are not that clear, many business and technical questions can arise. For example, if you’re hit with ransomware, do you call the police? If an intruder is still on the network, do you take emergency action and shut down your internet connection to stop data from leaving the company? Or, if it’s an insider attack, should you let the attacker continue so you can catch him in the act?

Questions like these will invariably come up – and in many cases, you may face questions you haven’t considered before. But, if you have a rehearsed plan in place and your IR team is executing properly, you will have more time and resources to dedicate to finding the best answer, rather than being distracted by endless firefights because you were not prepared for the incident. Put another way, you won’t have to devote any resources to figuring out “now what?” Instead, you can focus on the most important issues leading to the company’s recovery to normal.

Brian Wrozek is a seasoned cybersecurity executive with more than 20 years of experience in IT and information security and management. As CISO at Optiv Security, Wrozek oversees all corporate security functions including cyber operations, incident response, vulnerability management and security governance activities.