Being prepared is the first line of defence. Organisations should assume that a breach is inevitable, and prepare accordingly. Identifying a breach quickly and accurately is the first step.
Even major incidents, such as the one involving Yahoo in 2013–14, in which 3 billion accounts were compromised, can go unnoticed for a significant amount of time; the current average time for an attack to be identified is 100 days.
Next, clear roles and responsibilities need to be assigned so that, should an attack occur, the response will be fast, decisive and concerted.
Who can authorise the shutdown of part or all of a network to prevent the hack from spreading? Who can sign off a ransomware payment? Who will manage communications? Who will ensure the Information Commissioner is informed within the deadline?
One of the most important roles will be that of the company spokesperson.
Companies that are perceived to be open and honest about a breach suffer significantly less brand damage than those that appear to cover things up or deflect responsibility.
The strategy you adopt should focus on finding a technical resolution, but other aspects should also be considered: for example, the operational implications, the management of legal and regulatory risk, and the most effective means of tracking and reporting.
Another factor to bear in mind is that an attack may, initially at least, have a limited impact. Many enterprises underestimate the value of sharing intelligence when a potential threat is uncovered.
Alerting all relevant departments and people within the organisation to a potential threat will reduce the chance of the threat recurring elsewhere in the enterprise.