Fresh Thoughts #22: Incident Response: What Most Companies Do & How To Respond

fire fighters putting out a burning car

Last week a new contact asked the classic question, "What do most companies do in this position?"

So I thought it best to talk about Incident Response.

This week, I'll answer the question directly. And next week, Part 2 will be about the time a teenage girl broke her back and I had to respond… 😬

What Do Most Companies Do in This Position?

Once the shock of a data breach or ransomware attack subsides, everyone starts asking the question…

What do most companies do in this position?

Well. That depends…

Do you have a plan? Has it been practised?

If yes, people slot into place and focus on delivering the plan.

Unfortunately, relatively few companies have a plan. So most companies do the same thing…

It starts with rapid loops of:

  • Has the ____ server been impacted?
  • Should we tell ____ about this?
  • Have you checked ___?

Then it moves into the phase of:

  • Right, so it's impacting these systems, but not those…
  • How do we restart our business?
  • What pieces do we have to rebuild from?


  • Ok - it's going to take 2 weeks to rebuild that…
  • That's the priority…
  • We can get our team back on emails and access to shared documents in 3 days.

It may surprise you, but what naturally happens is close to what you should plan to do.

The difference - having a plan reduces the time to take action and the amount of pressure your team feels.

It's easier to decide - Am I going to pay this ransom? - when there isn't a timer counting down in front of you.

How to Respond to an Incident

There are two fundamental reasons to create an incident response plan:

  • to reduce the time your business is offline (and losing money…)
  • to offload stress and decision-making from an incident to a convenient time

But in terms of actions - there are 6 steps:

  1. Preparation: If you plan ahead, you can do the thinking before the incident occurs. What's the board's view on paying ransoms? (We suggest - Don't.) Who needs to be involved? What are the steps to take?
  2. Identification: Spotting a data breach or ransomware infection can come from many different places… But who decides that an incident has occurred? How do they get the information to choose?
  3. Containment: The first step in fixing the situation is to get it under control. To contain the spread of the malware. To understand the scope. This step is crucial, and preparation for this step often rests on asset management.
  4. Eradication: How are you going to remove the malware? Is it going to be complicated surgery - investigating the intricate workings of each system and deleting files and processes by hand? Or will it be a restore from the last known good configuration before the incident? This step will likely lead to questions about logging, what “good” looks like, and when backups are captured?
  5. Recovery: Restoring the business to operational capacity…
  6. Lesson's Learned: Plans are great, but experience is better. And experience will tell you that mistakes will be made and changes required. It's better to find this out early, which is why simulations are valuable. Does each person in the team know what to do?

This is not a million miles from what emerges from unplanned events, but it will be a million times less stressful.*

* - not statistically accurate, but....

July 5, 2022
3 Minutes Read

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Related Reads

privacy please sign

Fresh Thoughts #21: The "I've got a policy you can use..." Insult

Cybersecurity policies have a bad reputation. It's well deserved, but it doesn't have to be this way.

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868