Christina Antonelli

When Dealing with Cyber Incidents, Speed Is Key

Illustration by iStock, Security Management



When it comes to a highly disruptive cyber attack—one that renders mobile, remote, and hybrid endpoint devices inoperable—time has become a critical factor.

Most incidents that fall into that category result in three to six days of operational downtime and cost the company between $1 million and $2 million. Those are findings from cybersecurity firm Absolute’s survey of more than 750 chief information security officers (CISOs) in the United States and United Kingdom, published in the report The State of Enterprise Resilience. A total of 55 percent of the CISOs who took the survey had experienced a cyber attack that caused a significant disruption.

“Not a single CISO reported being able to fully recover from a disruptive cybersecurity incident within a day,” the report said. “This level of downtime has far-reaching consequences — every minute impacts operations and revenue, erodes trust, and disrupts critical services. …The ability to recover quickly is the new benchmark for security success.”









In addition, there is a stark disconnect between CISO expectations and what they think company executives and boards expect. When asked if their organization is likely to experience a cyber attack that would result in significant downtime, more than half said yes (53 percent) and roughly a quarter said no (23 percent), with the rest falling in the middle.

However, 61 percent of CISOs say their top leadership expects that cybersecurity investments the company has made will guarantee zero breaches or ransomware incidents. (Twenty percent said top leaders did not have such an expectation and 19 percent fell in the middle.)

“CISOs and savvy executive leaders know cyberattacks, data breaches, ransomware, and other forms of compromise and failure are inevitable,” the report said. “They are also aware that strategies and solutions proven to quickly resolve incidents and reduce downtime are readily available.”

To that end, planning for the inevitable successful attack is vital. So says Coleman Wolf, CPP, CISSP, senior technical security consultant and studio leader at Stantec.

“To facilitate recovery it is important to have good system documentation and plans already in place,” Wolf says. “It is hard to have plans in place to cover all eventualities, but even if these are not 100 percent complete or perfect, it will provide a good guidepost for the recovery process.”

The documentation should include anything that can help identify the organization’s IT systems and how they are configured, he says. This can include system architecture, network diagrams, component inventory lists, component details (such as hardware model, operating system, firmware version, and similar attributes), and how those components are configured.

“Plans should include not only step-by-step procedures to recover systems,” Wolf says, “but should also include a list of resources needed, any points-of-contact needed, and communication plans, to communicate with employees, clients, customers, contractors, management, legal, insurance, media, and others. Vendor service agreements should be established to define recovery plans and requirements.”

ASIS has a certificate course, Essentials of Convergence: Bridging the Gap Between Physical Security and Cybersecurity, that explains the fundamentals of physical and cyber philosophies and concepts and describes how they can work together for a holistic security solution.

In addition, Security Management has had two recent article packages on cybersecurity: one on convergence in critical infrastructure (July 2024) and a Security Technology focused on cyber identity management (October 2025).





