The Emotional Toll of Incident Response Events

Navigating the 5 Stages of Grief Following an Incident Response Event

Are you a victim of a data breach and are you feeling signs of grief? You’re not alone.

As an incident response professional, I have met many different types of corporate staff, from the IT staff to the C-suite. Unfortunately, it was probably on their worst day ever, and in our world, it’s most likely due to phishing or ransomware.

Many seasoned law enforcement personnel share the same sentiment, especially those that work in homicide. Like these responders, we’re walking into an active crime scene. Emotions are high, those involved are stressed, and they’re having a difficult time wrapping their heads around what happened and why, and more importantly how to resume operations.

While customers are the main victim of security incidents, followed by the enterprise, infosec teams on the front lines are also victims. Feelings of defeat, loss, failure of oversight, and knowing that they can potentially become unemployed as a result are harsh realities teams face, especially when budgeting decisions were made without their input or if the enterprise doesn’t have a business continuity plan in place that is ready to execute.

We know how you feel – it’s a hard pill to swallow when you realize your data has been compromised.

The five stages of grief – denial, anger, bargaining, depression, and acceptance – were developed by Elisabeth Kübler-Ross in a book she published On Death and Dying. The model was used to describe terminally ill people facing death but was quickly adapted as a way of thinking about grief in general. Having guided many customers through data breach events to remediation, we’ve seen the “five stages of grief” model in action.

By knowing the stages and understanding what each stage means for you, you’re already on the road to recovery.

The 5 Stages of Incident Response Grief

Stage 1: Denial

“There’s no way this happened to us.”

“I really can’t believe this.”

These are just a couple of soundbites we’ve heard IR customers express in the early stages. While our job is to acknowledge this ugly truth and sympathize with the situation at hand, there is no time to waste, and we need to act fast.

The fact of the matter is that this threat actor is alive and well, and we need to rip off the Band-Aid and move forward.

Stage 2: Anger

“How could you have let this happen?”

At this stage, reality begins to set in, and folks can become angry. There might be anger toward management for lack of purchases over the last few years due to budgets, or anger toward third parties for mismanagement of the enterprises’ information; aka, finger-pointing.

The reality: we believe this stage to be highly unproductive and the most useless in the entire process. Not only is the business already disrupted, but the issue could become compounded in someone’s effort to seek retribution.

In this scenario, we suggest that our customers take a deep breath, slow down, and focus because you don’t want someone with all the keys to the kingdom to walk out the door.

When you partner with us, we remind everyone that we’re here to do a job together. At this stage, we refocus the conversation around getting past anger as quickly as possible.

Stage 3: Bargaining

Bargaining can take on two different forms. On one hand, staff may bargain internally by thinking, “Maybe if I download this anti-virus software it will fix all of my problems.”

Waving a magic wand is not going to remediate all of your problems. For example, if you are a victim of ransomware, the threat actors have already broken in. In fact, they have been inside your network for at least 24 hours, and in some cases months, if not years. Launching of ransomware is one of the last steps of a data breach; they’ve just been planning their attack and decided to detonate when you least expected it.

On the other hand, bargaining with bad actors to get your business back online is the other side of the coin. Bargaining in relation to ransomware is why entire ecosystems around insurance providers, breach coordinators, and ransomware negotiators exist to help the company try to restore services or find viable avenues to get back in place and get back to business.

In the event your organization falls victim to ransomware, we can’t stress enough the importance of partnering with a team of expert professionals to help you eradicate, restore, and recover any stolen, deleted, or encrypted data. The last thing you want is for the threat actor to dig deeper than it already has, potentially causing you to pay a higher ransom and pose a larger risk to your organization.

With decades of first-hand experience in this arena, DirectDefense will help you navigate and mitigate your ransomware event the right way. Further, we can strategize and consult with you on developing a custom playbook for future defense and protection.

Stage 4: Depression

“I wish we would have handled things differently.

“I’m sorry this happened on our watch.”

Depression usually hits around the 48th to 72nd hour and it’s when it becomes clear that the IT staff is the one that’s going to bear the brunt of the storm, especially if the organization has never prepared a proper business continuity and disaster recovery plan.

At this stage, staff can become emotionally and mentally tired. Productivity declines and doubt sets in. Additionally, people need sleep and food regularly which needs to be accounted for.

The reality: you will get through this. Instead of lingering in the depression stage, we need to continue to tackle our list of priorities in order to get the business back online.

Like the anger stage, this stage can be very unproductive and/or the least productive. The path to remediation can be a long one, but there is light at the end of the tunnel. You just need to keep pushing through to see it.

In due course, they will get through the depression stage and will reach the final phase – acceptance.

Stage 5: Acceptance

“We’ve got a long road ahead of us. How are we going to tackle this?”

“How do we prevent this from never happening again?”

Most, if not every impacted corporation eventually reaches acceptance, and business operations ultimately resume. Coming out of the depression stage to acceptance can be a huge milestone for organizations.

In reality, the quicker you accept the issue at hand, the faster your organization can find solutions and get back to business. By having DirectDefense as your partner in incident response, we keep that goal top of mind.

So, you’ve been here? Well, you’re not alone.

Data breaches have become common events that affect organizations in a multitude of ways. They can cause severe strains on revenue due to productivity damage, lost business during downtime, attorney fees, and remediation costs.

Those repercussions could be even worse if your business powers critical infrastructure. Utilities that are a basic need for human survival such as power, water, and energy could be compromised, and the general population could be negatively affected.

In last year’s Cost of a Data Breach Report put out by IBM, the average total cost of a data breach increased by nearly 10% to $4.24 million, the highest ever recorded. Costs were even higher when remote working was presumed to be a factor in causing the breach, increasing to $4.96 million.

Read More: A Look Ahead at the Security Threats Looming in 2022

How Can DirectDefense Help You Be Better Prepared?

1. Go through a tabletop exercise with our team of experts.

There is nothing that could prepare your team more for a real-life attack than a simulated event. DirectDefense offers simulated real-world cyber and physical security indent scenarios to leadership and staff on breach detection and tests your organization’s response and readiness plan.

2. Map out a business recovery and continuity plan and keep a backup accessible.

A functional business continuity and disaster recovery plan is critical for organizations of all sizes. Having a plan ready to execute in the event of a breach will allow you to spend less time worrying and more time getting back to business as usual. This plan can even be built directly into the design of your backup process so that in the event you are not able to execute, a colleague on your team can manage the data storage and backup the right way.

3. Sign up for a penetration test.

Using various tools and techniques, our team of consultants examines external and internet-accessible systems and internally-accessible systems for patching, system and service configuration, and authentication vulnerabilities. Through a penetration test, we can gather information to understand where threats lie within your organization and offer a remediation roadmap with strategic recommendations to aid in resolving systemic issues moving forward. Additionally, we can measure the effectiveness of your solutions and the quality of the security visibility of your SOC.

4. Become a Managed Detection and Response client.

Whether you have a laundry list of security needs or are unsure where to begin, our (MDR) program takes care of everything. As a MDR client, you gain DirectDefense as an extension of your team, working with you to protect you from attackers.

Don’t Be a Victim of Data Breach Grief – Let Us Help You Be Prepared

Simply put, we’re here to help you get through your breach incident, whether it’s due to ransomware, phishing, malware, password guessing, or stolen information, and acknowledging the five stages before it’s time to respond to an incident will put your organization ahead of the game.

Don’t become a victim of data breach grief. Let’s discuss your organization’s pain points and how DirectDefense can help you be on the offensive and on the defensive with our Managed Detection & Response program plans. Contact us today!