Preparation is a vital component to mitigating cyber threats. As the saying goes, “Fail to prepare, prepare to fail.”

Be proactive and plan ahead, and make provisions for as many potential cybersecurity breach scenarios as possible and make sure you have a documented Incident Response Plan that covers them. If you’re starting from scratch, The National Institute for Standards and Technology Special Publication 800-61 (NIST SP 800-61) provides detailed instructions on building an incident response capability, including a handy incident response checklist.

With that in mind, we recommend you employ the following strategies to respond to security breaches.

Three Strategies to Respond to Security Breaches

1. Containment

Don’t delay your response once an intrusion is identified. Do carry out your containment procedures with expediency. Containment strategies will vary, depending on the nature of the attack. In some cases it will be appropriate to shut down affected systems quickly. In others, you will want to keep them up and closely monitor the attacker’s activities in order to gain additional detail that will be helpful during the remainder of the response. Having a comprehensive Incident Response Plan to guide your actions can be the difference between success and failure.

2. Eradication & Recovery

Once the incident is contained, it’s time to start cleaning up the mess. Do rely on your Incident Response Plan to guide Eradication & Recovery efforts. During eradication, you will identify all affected systems and perform activities appropriate to the incident type, such as removing malware or changing passwords on breached user accounts. Recovery activities typically involve actions like restoring files from backup, or installing missing security patches. These efforts are intended to get you back to normal business operations.

3. Communication

Notification of internal and external players: Don’t delay in communicating with internal departments and external vendors, partners and clients. Do outline a clear chain of communication before breach detection and follow it post-breach. Depending on your industry and state, laws vary with regard to required deadlines to inform those affected by the breach. Following proper procedures carefully and quickly can minimize breach fallout.


  • Contain the breach
  • Assemble the response team
  • Investigate the breach
  • Document the who, what, where, when, why and how of the breach as well as the relevant notification time limits
  • Follow your breach communication procedures including   informing authorities, insurance companies and affected parties

Finally, organizations should be sure to assign ownership of the Incident Response Plan to a network security team leader to ensure it evolves as needed and does not remain a static document.