5 ways to contain your next (inevitable) cybersecurity breach quickly

Experts weigh in on the most important strategies to detect and resolve cyber attacks


When the average organization experiences 26 cyber attacks per year, being prepared for the aftermath of a breach is just as important as prevention.

With the ever-evolving nature of attacks and the increasing complexity of organizational systems, it’s harder than ever to have a fast response ready to go for any potential scenario that might arise. Case in point: a recent survey of 1,200 organizations by ThoughtLab (and cosponsored by Elastic) shows that more than a quarter of executives fear their organizations aren’t fully prepared for cyber attacks. 

The resulting report, “Cybersecurity Solutions for a Riskier World,” also reveals best practices for incident response and recovery drawn from top cybersecurity executives in 16 countries and 14 industries. In the unfortunate event of a breach, prioritize these tactics for more effective incident response and recovery.

1. Don’t get too comfortable with your incident-response plan

We all know that today’s plan may not stand up to tomorrow’s threats. Among the most advanced organizations, the 73% that reported having achieved effective response planning still named two priority investments for the next two years:

  • Developing an incident response plan
  • Conducting regular penetration tests

As a chief operating officer of an industrial company in Brazil said, “[The] top initiative that we have taken [...] is regularly testing all the security incident management plans to assess their effectiveness and to update them with time.” 

To ensure your plan and your tooling hold up against evolving threats, commit the time, talent, and budget to keep them current. In practice that means a fixed cadence for testing and drilling the plan (penetration tests included), and a workflow for folding what each drill or real incident teaches back into the plan and the systems that support it.


2. Have a crisis-communications game plan ready to go

You may be able to patch a systems breach quickly, but repairing the damage of broken customer trust is a much more complicated exercise. Reputational damage can have long-term ramifications, so much so that 37% of organizations believe diminished brand value is the costliest element of a security incident. 

The research shows, however, that crisis communications may slide down the priority list as organizations naturally focus on the technical aspects of cybersecurity. Just over half of the most advanced organizations reported that they had achieved effective crisis communications. Even more telling, communications plans had the lowest ranking among all response measures analyzed in the report. 

Your takeaway: If your organization isn’t up to speed on this yet, you’re not alone. But now you also have a call to action to start preparing. Some things to consider:

  • Meet with your Communications or Public Relations team to walk through a hypothetical cybersecurity incident. Plot out the key moments of a breach timeline from discovery through remediation and recovery.
  • Ask your Comms team to sketch out a communications plan that parallels the Security team’s timeline. Remember, controlling the flow of information is vital, so have them detail who needs to be notified and when. Gaining visibility into their process can give you and your team a better understanding of the challenges of crafting messaging, getting approvals, and notifying the media and customers. Giving your Communications team the opportunity to create boilerplate copy that addresses likely scenarios can ease the entire process when an incident occurs. 
  • Your incident response plan probably already details a process and trigger events for contacting law enforcement. But be sure to review these procedures with your Communications team in advance, so they can be prepared if any official reports are made public before the company makes an announcement. 


3. Harness the substantial benefits of automation

Attackers design intrusions to go unnoticed, so detection cannot depend on analysts manually spotting every anomaly; reducing the scope for human error and fatigue is critically important. Yet only 26% of organizations currently use advanced analytics such as artificial intelligence (AI) and machine learning (ML) to identify security vulnerabilities and threats.

Automation makes sense on multiple levels. As one chief operating officer of an entertainment company in India said, “We have cybersecurity automation in place which reduces workload for analysts and boosts efficiency, while better protecting our company’s data.”

The potential upside is significant. The organizations that do use these technologies report seeing major advantages in their ability to detect and respond to threats, specifically when it comes to reducing dwell time and time to mitigate.

4. Prioritize creating and testing backups

Forty percent of organizations expect ransomware to pose the highest risk in the next two years. In that landscape, the most effective defensive investment is creating, maintaining, and regularly testing backups and disaster recovery assets: a backup you have proven you can restore means an encryption attack does not have to mean data loss.

Yet not all organizations have taken advantage of this proven tactic. On average, organizations reported:

  • Having less than 60% of their mission-critical systems covered by backups
  • Conducting backup restorations only once a quarter

What’s the best way to ensure your backups are safeguarding your most important data? “Backups should be kept separate from network connections that might allow ransomware to spread,” advised a CTO of a retail company in Australia. “Backups must be kept offline since many ransomware variations seek to locate and encrypt or remove accessible backups.”
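A restore test is only meaningful if it checks that what comes back is byte-for-byte what went in, not merely that tar exits zero. The script below is an added example (not code from the report, Elastic, or the article) of the minimum such test: it records a SHA-256 manifest of the source tree at backup time, restores the archive into a scratch directory, and compares the restored tree against that manifest. It assumes GNU coreutils (sha256sum) and a POSIX tar; the file names and contents in the demo are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the report or the article): a minimal backup
# restore test. It records a SHA-256 manifest of the source tree at backup
# time, then proves a later restore reproduces every byte. Assumes GNU
# coreutils (sha256sum) and a POSIX tar.

# Print "sha256  ./relative/path" for every regular file under $1, in a
# stable order so two manifests of identical trees compare byte-for-byte.
make_manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done)
}

# Back up directory $1 into archive $2 and write its manifest to $3.
# The manifest is what the restore test later checks against, so keep it
# somewhere the backed-up host cannot write to (see the note below).
backup_dir() {
    src=$1; archive=$2; manifest=$3
    make_manifest "$src" > "$manifest"
    tar -C "$src" -cf "$archive" .
}

# Restore archive $1 into a scratch directory and compare the restored
# tree against manifest $2. Returns 0 only if every file matches.
verify_restore() {
    archive=$1; manifest=$2
    scratch=$(mktemp -d)
    rc=1
    if tar -C "$scratch" -xf "$archive" 2>/dev/null \
       && make_manifest "$scratch" | cmp -s - "$manifest"; then
        rc=0
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Demo on constructed data: a good backup verifies; an archive whose
# contents changed after the manifest was taken does not.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/db"
    printf 'id,balance\n1,100\n' > "$work/src/db/accounts.csv"   # constructed sample data
    printf 'listen=0.0.0.0:8443\n' > "$work/src/app.conf"       # constructed sample data
    backup_dir "$work/src" "$work/good.tar" "$work/manifest"

    if verify_restore "$work/good.tar" "$work/manifest"; then
        echo "good.tar: restore verified"
    else
        echo "good.tar: RESTORE FAILED"
    fi

    # Simulate a backup that ransomware reached and rewrote: same file
    # names, different bytes. The manifest taken earlier exposes it.
    printf 'ENCRYPTED' > "$work/src/db/accounts.csv"
    tar -C "$work/src" -cf "$work/bad.tar" .
    if verify_restore "$work/bad.tar" "$work/manifest"; then
        echo "bad.tar: restore verified (unexpected)"
    else
        echo "bad.tar: manifest mismatch, backup is not trustworthy"
    fi
    rm -rf "$work"
}

demo
```

Two design points follow from the CTO's advice above. First, the manifest must live with the offline copy (or on write-once media), not next to the archive on the same network share: ransomware that can rewrite the archive can rewrite a co-located manifest to match. Second, run verify_restore on an isolated host on a schedule far shorter than the quarterly cadence the survey reports, and treat a non-zero exit as an incident in its own right, since it means the recovery path you are counting on is already gone.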

5. Improve security controls for expanded attack surfaces

Digital transformation, cloud migration, remote working, and supply chain complexity have all contributed to the expansion of the attack surface. As IT environments grow and multiply, organizations need to apply sufficient security controls. 

The research shows that the most advanced organizations are preparing their systems by investing in solutions that provide continuous monitoring and access controls. Topping the list are security information and event management (SIEM) and identity and access management (IAM) technologies. 

Also worth noting: a quarter of advanced organizations have already invested in cloud workload protection platforms.


Don’t wait for a breach to act

Focus on preventative measures as much as possible. Organizations that ranked themselves the most advanced across all five functions of the NIST Cybersecurity Framework — identify, protect, detect, respond, recover — outperformed their peers on time to detect and respond to breaches and on time to implement patches. Ultimately, the most advanced organizations, those continually optimizing their cybersecurity posture, experienced fewer incidents.

Check out our special report “Cybersecurity Solutions for a Riskier World” to learn more about how the most advanced organizations manage the risk of breaches.