October 24, 2016

Cyber breaches – read the CEO playbook on how to respond

There are few, if any, silver linings when you get breached, but having a playbook can stop the worst from happening.

By Sam

AT&T published a cyber breach response playbook for CEOs.

The comprehensive, top-level guide touches on response team structures, different company types from passive to progressive, immediate actions and how to communicate.

We’ve extracted some findings:

The report says: Most organizations have invested in a variety of tools, processes, and personnel to help protect sensitive systems and data against these threats. But given the sheer volume of attacks, it’s highly likely that one or more will penetrate your defenses. This is why, in addition to threat prevention and detection, you must invest in a comprehensive incident response plan.

A cross-functional team. Because of the business implications of a successful cyberattack, post-breach response is often an all-hands-on-deck affair involving the C-suite, IT, security, legal, communications, and other teams across the organization. AT&T and other service and technology partners also play a role, as do law enforcement agencies, regulators, and, of course, customers.

Let’s be clear: Incident response can make or break your business. Some companies have tallied losses in the tens and even hundreds of millions of dollars after suffering severe breaches. In those cases, the CEO, CIO, or other executives may ultimately take the fall. This report, based on our internal practices, our Global Cybersecurity Readiness survey, and the work we’ve done with customers, is intended to help you avoid that doomsday scenario.

The AT&T/IDC Global Cybersecurity Readiness survey identifies four levels of security preparedness:


What are the four levels of preparedness (different types of company)

Progressive. This is the highest level of security readiness, in which C-level executives pay close attention to security and invest in a holistic, comprehensive prevention and response strategy.

Proactive. Companies with above-average levels of security readiness realize the importance of IT security and have put in place basic steps to avoid breaches.

Reactive. At companies with below-average levels of security readiness, C-level executives pay moderate-to-little attention to security while delegating security expertise and day-to-day management to IT.

Passive. The least-prepared organizations are run by executives who take a hands-off stance. They tend to be unaware of most breaches and reactive in response to breaches they do detect.



What do progressive companies look like?

Pragmatic: C-level executives at progressive companies understand they are targets of breaches. That mindset enables them to take a more pragmatic approach to incident planning and response. For example, many progressive companies use technologies to sharply reduce the value of compromised data to hackers.

Comprehensive: Progressive companies are more likely to focus as much on readiness assessments and diagnosis planning as they do on post-breach diagnosis and response (74% for progressive organizations versus 16% of passive companies).

No two cyber attacks or data breaches are identical, nor are the ways in which companies first become aware that something’s wrong. Small attacks or probes may be automatically detected and countered, or quickly contained by a company’s security team. The seriousness of a breach may be immediately apparent, or its scope and damage may only emerge over time. But whether a major breach is only suspected or actually confirmed, the company’s incident response plan comes into play.

Proper, correct, timely communication is vital


In the wake of the massive Sony hack in November 2014, Sony made several missteps in its public communications. Initially, the company released a vague statement about investigating an “IT matter,” then characterized the breach as a “system disruption.”

As the hackers leaked more and more information, executives were put on the defensive about the sensitive content being released. Sony’s outside counsel sent cease-and-desist letters to the media in an attempt to keep them from publishing the leaked documents — a tactic that was viewed as desperate and defensive. In an attempt to contain its scope, Sony took far too long to acknowledge the breach and focus on how it was fixing the problem. One overriding communications strategy is to focus less on the damage to your company and more on the steps you’re taking to protect your customers.

Activate your incident response plan

  • Remove or isolate the infection
  • Assess legal implications
  • Determine root cause
  • Define critical business impact

Read the full playbook

