You are driving in your car with your 10-year-old son in the passenger’s seat. A ball bounces in front of your car and you hit the brakes hard while simultaneously throwing your arm in front of the child, acting almost automatically. That’s called muscle memory, and it is a big part of what organizations need when responding to cyberattacks.

Cyberattack Defense Is Muscle Memory

When asked how to launch an effective cyberattack defense effort, most people give technology-related answers: Beef up the firewalls, fortify the network, and deploy better intrusion detection and security analytics solutions.

While technology is certainly important, the responses coming from your organization during and following the attack — the human side of the equation — are even more vital. Yet despite a wealth of good advice, I estimate that in 8 of the last 10 large-scale breaches, the response from the organization under attack did as much or more damage than the attack itself. Most of that damage was reputational.

Why is that? Very few C-level executives have been trained in crisis leadership. They seldom have to make urgent decisions in near-real time. The usual practice is to build a team around executives to provide input. They carefully study these inputs and weigh them against other information to develop a set of options. Eventually, they fashion a response. This could happen days or weeks later — or, in some cases, not at all.

The Worst Response Is No Response

That explains why the response to a major breach is so often little or no response at all. Often the blame is directed at some vague state-sponsored source when, in reality, the company has no legitimate suspects because attribution is very difficult. That’s when problems arise beyond the actual damage from the breach. Customers worry about their personal information. Suppliers and partners get antsy. Tort lawyers start to circle overhead. Confidence in the organization drops while suspicion mounts.

Most all of this post-attack damage is avoidable and unnecessary. First, all organizations must presume that they will fall victim to a major breach at some point. There is no safe harbor, as should be evident to anyone listening to the news these days.

Second, the management team needs to undergo in-depth training in crisis management when an attack does happen. This team needs to prepare and rehearse responses for customers, suppliers, regulators, the media and the board. Of the 50 states in the U.S., for example, 47 of them have their own unique breach disclosure laws. You must develop a plan in advance that comply with these laws specific to any states in which you do business. These responses must be ingrained as executive muscle memory.

Filling the Gaps

To help IT professionals thoroughly prepare to deal with cyberattacks, IBM opened its X-Force Command Center (XFCC), a simulator designed to train executives in the crisis leadership skills they’ll need to respond to a breach. In the all-day course at the XFCC, teams will first experience a highly realistic, simulated cyberattack. They’ll be exposed to the variety of ways the technical staff tries to detect and stop the attack and then swing into recovery mode.

Participants will spend the second half of the day planning the proper response steps and rehearsing them. The central idea is to infuse executives with the confidence and experience of doing something that their MBA training and business experience likely failed to address. Leadership during a cyberattack defense effort requires a full-throttle response in hours, not days or weeks.

Discover How IBM X-Force Command Centers Are Changing Security

A Predetermined, Definitive Response

Think back to the Tylenol scandal of 1982, when criminals tampered with bottles and laced the pain-relieving pills with poison that killed several people. Tylenol’s maker, Johnson & Johnson, immediately removed the product from all store shelves, even though there was no indication of a manufacturing problem. The parent company trusted its brand to survive such a hit, and indeed it did. The company was widely applauded for its leadership in a time of crisis and its near-instant response.

Breaches will continue to happen, possibly even at an accelerated pace, given the growing interconnectivity all around us and the expanding threat surface that comes with it. The worst thing a company can do in response is what so many end up doing — nothing. Instead, be prepared to meet the crisis with predetermined, definitive responses.

Learn More

Interested in learning more about how IBM’s X-Force Command Centers will help clients stay ahead of the most advanced threats?

More from CISO

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…