INCIDENT RESPONSE PLAN – “WHAT IF”

by
incident response

The New Year is a good time to review your business – we have been doing that and one of the things we reviewed was our Incident Response Plan. Of course, we have made some changes – otherwise I would not be writing this article, but we will get to those later.

“What If”

I spend a lot of time with clients talking about the “what ifs”. Usually it means singling someone out in the room and accusing them of opening a phishing email, stealing company secret information, repeating a password in a coffee shop or some other cyber security “no, no” (I always talk to them first and explain what I am going to do) and then playing out the scenario around the table to illustrate the point I need to get over.

This is how we test our Incident Response Plan.

Our Incident Response Plan

It is not a static document. We review it regularly – it is in my calendar every three months to do more than just read it. I also like to role-play the plan, I am not so sure my team like it when I spring a surprise incident response test on them:

Incident Response Training I think I have a computer virus…

Here is the response from our Operations Manager:

Incident Response – Talk about bad timing!

This style of training does work.

Global Administrator Accounts

That brings us to the main point of this article. As part of our New Year testing and sitting around playing “what if” on Teams with coffee, we found an issue with our plan. We created a very real scenario where we lost access to our very secure Microsoft 365 Global Administrator account – something that no organisation wants to happen. The solution was not hard to work out. A few revisions to our Incident Response Plan and the Business Continuity Plan and some setup and now we have covered that possibility and risk.

The Answer

We will be sharing the answer with our cyber security clients – as they also benefit from our “what if” games. We do not share this type of information in public as it would be of use to a threat actor. For now, you should at least test your own Incident Response Plan. Of course, if you think we could help with that, then this is a good time to contact us.

If you do not have an Incident Response Plan, then January 2025 is a good time to start one.

Happy New year.


Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Practice Drinking Coffee* better known as Planning and Preparation

Bring Your Own Device (BYOD) – A Primer

Photo by Timi Keszthelyi

Contact us for consultation

Wake up to cyber threats..

INCIDENT RESPONSE PLAN – “WHAT IF” Cyber Awake
HQ Based between Newark and Lincoln

Get in touch

CyberAwake
Unit 2 Kingsley Court
Kingsley Road
Lincoln
LN6 3TA
United Kingdom

01522 508089

useful links

Website Cookies Icon

This website uses cookies to ensure you get the best experience on our website. Click for more information.

accept & Close