Recovering From A Cybersecurity Incident

Ever feel like there should be a 12-step program for your cybersecurity career?  “Hello, I’m Bob and I’m a recovering cybersecurity professional.”  Doing the same old “defense in depth” stuff and still the barbarians get onto your network and wreak havoc.  Remember the definition of insanity?  “Doing the same thing and expecting different results.”  As with any 12-step program, the first step would be to admit that you are powerless against the cyber-attackers.

Am I joking?  Well maybe a little.  But suffering a cyber-attack, ransomware exploit, email account hijack, or data breach is inevitable.  The key to network security may not be how well we keep them off our network, but rather how well and quickly we can identify an incident and “recover” from an intrusion.

The defender’s dilemma is this:  You have to defend everything.  You have to find and close all the vulnerabilities.  But you also have to wait until after the zero-day attack to see how you are going to defend against the new exploit.  Defenders are always playing catch-up, and are always a step behind the attackers.

The attacker’s advantage is they only have to be good once, they only need a single hole in the defensive perimeter to reach their objective.

If we are going to focus on speedy and successful recovery from a cyber incident, what are the steps we need to take to build our “recovery” program?

  • Create an incident response plan – Pick your incident response team.  This should include a member of senior management, and your legal counsel. This may require a budget if tools are required.  Check out NIST Special Publication 800-61r2 for guidance.
  • Table-top exercises – Your incident response team should schedule practice sessions 3 or 4 times a year on simulated intrusions to learn the skills needed to work together during an actual crisis.
  • Legal and regulatory compliance – Your plan should include the required notifications if the information that is breached is covered by law or other governmental or industry regulations.
  • Cyber insurance – Recovering from a breach can be costly.  Cyber insurance is one way to fund that expense.  If you haven’t looked at cyber insurance recently, premiums are more affordable than they were a few years ago.
  • Seek professional help – Small companies do not usually have the talent they need to recover on staff.  Check to see if your computer support company is able to supply cybersecurity professionals.  Line up the expertise you will need in the fields of cybersecurity, computer forensics, public relations and cyber law.
  • Prepare for public exposure – When your company’s breach goes public, and the KARE 11 news team is sitting in your parking lot, it is too late to draft a statement.  Prepare for this eventuality as well.  Be honest, be transparent.  Your company had an incident. (NOT a breach.  A breach triggers legal notification requirements.)  Your recovery team is analyzing the situation and you will have more information as the investigation progresses.
  • Law enforcement – Should you report your incident to the police?  Your cyber insurance policy may require it if you plan to make a claim.  Understand that once the police are involved, you no longer control the direction of the investigation.  You may want to call the FBI.  But for sure, you want to report your incident on the Internet Crime Complaint Center (

Preparing to recover from the inevitable computer incident will help your company reduce the overall expense of the recovery, and prevent costly and unfortunate missteps.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at
