Recovering From A Cybersecurity Incident

Ever feel like there should be a 12-step program for your cybersecurity career?  “Hello, I’m Bob and I’m a recovering cybersecurity professional.”  You keep doing the same old “defense in depth” stuff, and still the barbarians get onto your network and wreak havoc.  Remember the definition of insanity?  “Doing the same thing and expecting different results.”  As with any 12-step program, the first step would be to admit that you are powerless against the cyber-attackers.

Am I joking?  Well, maybe a little.  But suffering a cyber-attack, ransomware exploit, email account hijack, or data breach is inevitable.  The key to network security may not be how well we keep them off our network, but rather how well and how quickly we can identify an incident and “recover” from an intrusion.

The defender’s dilemma is this:  You have to defend everything.  You have to find and close all the vulnerabilities.  But you also have to wait until after the zero-day attack to see how you are going to defend against the new exploit.  Defenders are always playing catch-up, and are always a step behind the attackers.

The attacker’s advantage is that they only have to be good once: they only need a single hole in the defensive perimeter to reach their objective.

If we are going to focus on speedy and successful recovery from a cyber incident, what are the steps we need to take to build our “recovery” program?

  • Create an incident response plan – Pick your incident response team.  This should include a member of senior management, and your legal counsel. This may require a budget if tools are required.  Check out NIST Special Publication 800-61r2 for guidance.
  • Table-top exercises – Your incident response team should schedule practice sessions 3 or 4 times a year on simulated intrusions to learn the skills needed to work together during an actual crisis.
  • Legal and regulatory compliance – Your plan should include the required notifications if the information that is breached is covered by law or other governmental or industry regulations.
  • Cyber insurance – Recovering from a breach can be costly.  Cyber insurance is one way to fund that expense.  If you haven’t looked at cyber insurance recently, premiums are more affordable than they were a few years ago.
  • Seek professional help – Small companies do not usually have on staff the talent they need to recover.  Check to see if your computer support company is able to supply cybersecurity professionals.  Line up the expertise you will need in the fields of cybersecurity, computer forensics, public relations and cyber law.
  • Prepare for public exposure – When your company’s breach goes public, and the KARE 11 news team is sitting in your parking lot, it is too late to draft a statement.  Prepare for this eventuality as well.  Be honest, be transparent.  Your company had an incident. (NOT a breach.  A breach triggers legal notification requirements.)  Your recovery team is analyzing the situation and you will have more information as the investigation progresses.
  • Law enforcement – Should you report your incident to the police?  Your cyber insurance policy may require it if you plan to make a claim.  Understand that once the police are involved, you no longer control the direction of the investigation.  You may want to call the FBI.  But for sure, you want to report your incident on the Internet Crime Complaint Center (

Preparing to recover from the inevitable computer incident will help your company reduce the overall expense of the recovery, and prevent costly and unfortunate missteps.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.