What To Do In A Cyber Crisis

by | Jan 24, 2022 | Guest writers

John Noble CBE is an advisor to Glasswall and non-executive director at NHS Digital, where he is responsible for overseeing cyber security and information assurance. Here, he shares insight and advice on how organizations should react when faced with a cybersecurity crisis.

Like many forms of crisis management, mitigating the impact of a cybersecurity attack and recovering to business as usual is not just about reacting to events – it’s a process that always benefits from effective forward planning and preventative strategies.

Consider ransomware, for example, one of the most common forms of cybercrime with the potential to be hugely disruptive. All too often, organizations find they have no alternative other than to pay the ransomware demand because their data has been encrypted, they have also lost their backup, data has been stolen and there is massive commercial pressure to recover. If the only other option is a prolonged period of downtime while systems are rebuilt, leaders frequently take the path of least resistance and cave in to the demands being made.

Countering the risk of ransomware, however, means organizations should take some key steps in advance so they aren’t put in an impossible position. These include activities such as ensuring software patching is up to date, addressing the serious security shortcomings of untrustworthy legacy infrastructure and making sure staff are trained to identify and report potential phishing emails.

Minimizing the risk of becoming a victim also requires taking additional steps such as protecting privileged accounts, implementing multi-factor authentication and disabling or constraining scripting environments such as remote desktop protocol. These represent a list of minimum requirements for any organization taking the current risks seriously.

Effective preparation also requires detailed forward planning that focuses on addressing a crisis quickly and effectively. Key steps include:

  • Implementing offline backup that is genuinely secure.
  • And then ideally, practice recovering from backup. For some organizations, this has the potential to be hazardous to existing operations, so the alternative is to conduct a  discussion with IT partners and suppliers to ensure there is access to expertise and resources to implement a backup should it be necessary.
  • There should also be well-rehearsed incident management and business continuity plans in place to address the consequences of an attack on key operational functions.
  • And depending on the nature of each business and its resources, leadership teams are increasingly putting assistance from an incident response company on permanent standby.

What Bad Practice Looks Like

 Turning now to dealing with an incident, organisations that struggle to deal with incidents such as a ransomware attack tend to share some common traits. For example, executive teams should not make the mistake of assuming a cybersecurity breach is a technology problem that falls solely on the shoulders of the CISO.

 Yes, the CISO has a vital role in tackling the tech problem and helping the organization to recover, but there’s more to it than this. The responsibility for dealing with and mitigating the impact of a serious breach goes right across the whole management team – from legal and reporting and statutory requirements to business operations, customers and just about every function where technology has any role.

 Quick and decisive implementation of mitigation and recovery plans (if they exist) is also vital. What can happen, however, is that teams resort to optimism bias, rather than assuming the worst case. The negative impact of this often becomes apparent when in-house staff are soon overwhelmed with the tremendous pressure of dealing with the scale of an attack. This can be the point where companies often turn to external, specialist support and incident response – while this is important, it’s always better to involve experts in advance planning rather than in an emergency. 

 What Good Practice Looks Like

In contrast, an effective mitigation and recovery process always begins by ensuring someone is clearly in charge and armed with the authority of the CEO to make decisions across the organization.

There should be an incident response structure in place that has buy-in from senior management. These decision-makers might not be technical experts, so should be provided with all the key information they need in an understandable format. This shouldn’t be seen as ‘dumbing down’, but rather is a process to ensure they are given insight and detail in a way they can use to make effective, fully informed decisions.

Best practice must be supported by clear and effective internal and external communication, based on a core script that is updated as new information becomes available. Each piece of communication needs to be geared to the recipient but the underlying message must be consistent, including a plan for stakeholder management.

Decisions about whether to seek specialist, external help should be made early on in the process, especially before in-house teams become exhausted by the effort required to address the crisis. Organizations often assume these services will be prohibitively expensive, but in reality, business costs can be significantly higher than the bill from a specialist advisor. The need for external support in advance of an attack should have been identified and commercial arrangements put in place well before any incident.

Preparing for something that might never happen can seem like an unnecessary overhead, compared to the range of daily priorities every organization encounters. However, faced with a crippling ransomware attack, those dealing with it will almost always talk about how much pressure it puts them under, and teams that have prepared in advance are, without exception, always very glad they did.



What are file-based threats?

What is zero-trust file protection?

How does Glasswall CDR work?

Picture of a knight mask with swords to illustrate our battle for being the market leader in CDR

Glasswall vs Competitors

Why Glasswall CDR?

Learn about the simple way to protect against sophisticated file-based threats.

All resources



Case Studies

Use Cases




Product help



Contact us


strategic alliances

About our Partner Program

Our Partners

Become a Partner

Glasswall partner program

Bringing File-based threat protection to your customers

Offer a richer security portfolio with the most agile CDR platform on the market. Stand out from the competition with a partner program built for you. Let’s make files safer together.

About Glasswall

Our People




Contact Us

support lines


Raising the bar on file security

We believe people should be free to open their files without fear. To click on anything without risk of catastrophe. To use systems the way they were meant to be used. That’s why we’re raising the bar on file security at Glasswall.