The threat of attacks is growing. Leaders need to be ready to respond when the worst happens, says Réne-Sylvain Bédard
What happens when the cybersecurity warning lights for your business, your division or your department start flashing red? Does your executive team know how to react? Have plans been rehearsed? Or are you convinced that someone else is supposed to take the lead?
The chilling truth is that cyberincidents are increasingly common – and increasingly expensive. IBM calculates the global average cost of a data breach in 2024 to be a whopping $4.9 million – a 10% increase on the year before. The risks are too big to leave everything to the tech team or cybersecurity specialists. Executives need to understand the threat – and, more to the point, need to start building muscle memory about how they would respond in the event of an incident. Here’s how.
Your response plan: a recovery checklist
Having a plan starts with doing your homework: it demands that you have surveyed your data, that you have it classified, and that you know which services or systems depend on its availability. This is crucial for optimizing your response and recovery. At a basic level, leaders should have to hand information addressing several factors ahead of any breach.
- A list of all critical parties involved in your response plan, their contact details – and their confirmation of involvement in the response plan
- Necessary IT technology, disconnected from your main systems
- A step-by-step plan of action
- Uncorrupted copies of all company data – such as air-gapped digital copies, or even printed copies if feasible
- Funds set aside for activating the response
When a full cyberattack occurs, you will want to notify everyone right away – not in two weeks when your systems start to return to life. You will need a war room, with people physically present, making phone calls and communicating with everyone affected. And no, you won’t necessarily have access to this or that system, and all the associated data those systems hold – which is why paper records should be considered. That may seem awkward in this day and age – but if it is digital, there is a risk of attack.
Consider Aflac, the American insurance company, which was targeted by cybercriminals in June 2025. It reported that the intrusion on its networks was contained within hours; but what if the company had simultaneously been subject to a ransomware attack? Millions of customer records could have been stolen. Without access to core systems, how could the company have notified its customers? How could it have protected customers from having their identities stolen?
In today’s connected world, it is easy for disaster to turn into a human catastrophe.
Building muscle memory
The idea of muscle memory is less about learning a movement than about training muscles through repetition so they can respond automatically.
Let’s apply this to incident response. It means practicing the plan and fine-tuning it – not just once but repeatedly, especially when it is new. This could mean monthly rehearsals for the first year of a plan, falling to every second month, then every quarter. Ensure that your management team is committed to providing the necessary support when defining and implementing the plan.
This isn’t to say that organizations should do a complete restore of their data once a month – that would be a massive undertaking. What’s key is repeating the steps involved. Are you able to find your backups? Are they still available if the entire building has gone down, or if all your servers have been compromised? What do you need to restore them – and most importantly, do you have access?
Consider carefully who is responsible for each step in the recovery plan. You will not want your technical teams to be calling the shots, making critical decisions on their own about how to voice sensitive issues to the public, or about which customers to prioritize. Neither should your technical team choose which law firm, insurer or breach coach to work with. They will not be the ones breaking the news to your board and investors, or thinking about how to ensure that your stock does not plunge after the announcement of an incident. Those decisions remain the responsibility of organizational leaders – which is why you must be ready.
Strategic investment
These activities will involve multiple employees within your company; the costs will add up. However, these should be viewed as investments. Consider them as levers to support your growth: they are not so much about defending what you have, as about building your capability to reliably respond in the case of a cyberincident. They show your partners and customers that you are serious about their data and that you care about cybersecurity.
This in turn can enable the business to sign more strategic partnerships and customers. Investment in cybersecurity is a way of purchasing the most important of all assets: trust.
From fear into awareness
Most fear comes from a lack of knowledge or a lack of control in a given situation. The unknown is a very uncomfortable place for most people – which means a cyberattack is, for many executives, a perfect storm. It strikes in a blind spot, where they have limited knowledge – and where they suddenly discover they have very little control. That is why drills are needed: so that knowledge is built and a plan can be refined. This process brings back some control; you will know how to bring your company back to life. There is a roadmap.
Building awareness means that when an attack happens, you are not a victim. Rather, with a team around you, a plan, and well-developed muscle memory, you can say to the attacker: not today.