Executive summary

With a nod to Tom Clancy, cyberattacks are a clear and present danger for every organization. Over one recent 12-month period, we logged more than 245,000 Distributed Denial of Service (DDoS) alerts across AT&T's global data network. More than 60% of businesses we surveyed had an IT security breach in 2015, and 42% of those organizations said a breach had a significant negative impact on the business.[3]

Organizations of all sizes and types face a growing variety of threats, from traditional brute-force DDoS attacks to more concealed — and usually more damaging — ransomware.

Most organizations have invested in a variety of tools, processes, and personnel to help protect sensitive systems and data against these threats. But given the sheer volume of attacks, it's highly likely that one or more will penetrate your defenses. This is why, in addition to threat prevention and detection, you must invest in a comprehensive incident response plan.

The first 24 hours

  • Activate your incident response plan
  • Remove or isolate the infection
  • Assess legal implications
  • Determine root cause
  • Define critical business impact

Successful incident response programs begin well before a breach occurs, and should be built as part of a broader business continuity strategy. Along with the tools and systems required to identify and respond to breaches, an incident response program requires two core components:

A cross-functional team. Because of the business implications of a successful cyberattack, post-breach response is often an all-hands-on-deck affair involving the C-suite, IT, security, legal, communications, and other teams across the organization. AT&T and other service and technology partners also play a role, as do law enforcement agencies, regulators, and, of course, customers.

Frequent testing. Just as your organization holds regular crisis management exercises for various scenarios, an incident response plan must be regularly tested so that all involved parties are crystal clear about their respective roles and responsibilities. These roles must be reinforced through regular tabletop testing and other simulations. The goal is to eliminate the guesswork and uncertainty that can arise in a potentially chaotic situation.

This up-front work will let you respond quickly after a successful attack. The first 24 hours are obviously critical to contain the breach and limit its impact. This is where forensic investigation comes into play: not only is it needed to discern the nature and extent of the breach, it is also instrumental in containing the incident.

If the breach requires public disclosure, you'll also need to soothe the concerns of customers, address media queries, and meet with regulators and law enforcement — activities that can linger for months, depending on the scope of the breach.

Let's be clear: Incident response can make or break your business. Some companies have tallied losses in the tens and even hundreds of millions of dollars after suffering severe breaches. In those cases, the CEO, CIO, or other executives may ultimately take the fall. This report, based on our internal practices, our Global Cybersecurity Readiness survey, and the work we’ve done with customers, is intended to help you avoid that doomsday scenario.