Reducing the Impact of Breaches

In today’s cybersecurity landscape, a phrase is gaining popularity: ‘It’s not a matter of if, but when a breach will happen.’ The menace of Advanced Persistent Threats (APTs) evolves quicker than defenses can be developed. While stopping breaches remains the primary goal of cybersecurity, reducing the impact a breach can cause is just as vital.

It is crucial to develop an Incident Response (IR) plan before you need it. If your stovetop is engulfed in flames, it is not the best time to start thinking about buying a fire extinguisher. Once a breach occurs, it is too late to put a plan together. To succeed, the response plan must include every department in the organization rather than relying solely on the IT department. Being prepared to meet any threat, however, requires a foundation to build on.

Preparation matters more than perfection. Eisenhower captured this mentality perfectly: “Plans are useless, but planning is indispensable.” The Incident Response plan itself is crucial, while playbooks are secondary. It is impossible to write a playbook for every scenario, but by knowing your tools, personnel, and system account information before a breach occurs, your plan will already be several steps ahead. As stated earlier, the IT department may not be the only group involved in responding. Are there legal repercussions to experiencing an incident, such as compliance obligations or reporting requirements under laws like HIPAA for the loss of Personally Identifiable Information (PII) to local authorities?

“What should an Incident Response plan include?” Just as a job seeker must write their own resume, no one else can write your plan for you: only your team knows how your environment operates. Common IR templates cover the general policy outline (Cover Page, Executive Summary, Purpose), with sections for the relevant playbooks. A good starting point for creating an IR plan is to select a framework, such as the four-phase IR lifecycle from NIST SP 800-61:

1. Preparation

2. Detection and Analysis

3. Containment, Eradication, and Recovery

4. Post-incident Activity

Scenario-based playbooks may be useful at the department level, but if the technology or platform changes within the organization, the IR plan must be rewritten. Focus instead on the steps each department should take to remediate an incident and on how each is involved. Create containment strategies that describe how the team will contain a threat, rather than a playbook for every type of attack. Each department must identify the roles and responsibilities needed to carry out those containment strategies.

Uncommon questions to review:

  • What does your organization classify as an incident? (Data loss vs account compromise.)

  • Who has privileged access to contain an asset? (Servers, account sessions, email)

  • Who can authorize containment of a critical system that may cause disruptions to operations? (Will removing network access interrupt business operations?)

  • Is your plan printed for offline review? (Workstations or file servers may be unavailable.)

  • How can you reduce single points of failure? (Can others conduct containment strategies?)


One of the final, and most significant, steps in building a resilient plan is to continuously maintain and exercise the Incident Response plan so that it actually reduces the impact of an attack. When an incident is underway, chaos ripples throughout the organization: systems can be unavailable, communication disrupted, and uncertainty can cause panic. Discovering that the IR plan has faults in the middle of this chaos is not ideal. Testing the plan in a mock exercise provides confidence that the organization is ready, and quarterly reviews keep your team focused, with everyone knowing their role. This builds a cyber “muscle memory” in which decisive, coordinated action becomes second nature. How well does your team coordinate with other departments during an incident?


Sidener Cybersecurity Services supports organizations in leading tabletop engagements that uncover operational gaps, validate capabilities, and strengthen team cohesion. These exercises aren’t just practice—they’re proactive defense.