Incident response: Preparing for and responding to a cyber attack

It’s not a crime to be attacked; you can’t stop being a target. It’s not a crime even to be breached; threats come from many directions and are highly sophisticated. The real problem is not realizing you’ve been breached, and failing to react in a planned and coordinated manner.

As many organizations have learned – often the hard way – cyber attacks are unavoidable and breaches will happen. Attackers are increasingly relentless: when one tactic fails, persistent adversaries will try others until they breach an organization’s defences. At the same time, technology is making businesses more vulnerable to attack through a greater online presence, broader use of social media, mass adoption of mobile devices, growing use of cloud services and third parties, and the collection and analysis of big data.

Cyber attacks are complex and driven by a range of motives, from ideology and financial gain to commercial espionage and even nation state-driven agendas. The threats are constantly evolving and target all industries, while becoming more prevalent and high profile. Today’s cyber criminals are patient, persistent and sophisticated – and they attack not only technology, but increasingly people and process weaknesses.

Organizations that prepare for the inevitable cyber attack are better placed to react effectively and manage brand damage post-breach. However, there are a number of challenges:

  • Major breaches don’t happen every day, so it is hard to maintain the necessary standard of vigilance and readiness to be able to respond at a moment’s notice.
  • Responding quickly, in a calm and structured manner, is very difficult without prior planning.
  • Detecting an ongoing attack before it becomes a breach can be almost impossible without a security monitoring capability.
  • Steps taken in the early stages of a response can be critical to the success of the response; however, many key decisions must be made rapidly with incomplete information.
  • Managing multiple stakeholders in a time of crisis is vital, but challenging – most organizations’ stakeholders now include the company, its board and shareholders, its employees and customers, regulators, law enforcement, the media, and insurers, among many others.
  • Balancing in-house response capabilities and those that the organization outsources can be difficult, but must be determined in advance of an incident.

Organizations that have an incident response plan, which has been tested with an experienced team, can find the impact of a breach significantly reduced.

Of critical importance is identifying and engaging with third parties, both those involved in regular business with the company and those, such as law enforcement and specialist lawyers, who may be involved in the event of a breach.

Organizations with advanced cybersecurity capabilities will use cyber threat modelling not only to identify the top threats, but also to prepare responses and countermeasures to them.

A response plan solely focused on and run by the organization’s IT department is destined to fail. An effective response involves all aspects of the company, from the CEO to HR, general counsel and media relations, among many others.


EY Legal Services Contacts:



  • Peter Katko – Global Digital Law Leader
  • Fabrice Naftalski – Global Data Privacy Leader
  • Monika Menz – Senior Manager, IP/IT Data Privacy