Incident Readiness: Why the First 60 Minutes Decide
When a cyber attack is underway, the outcome is decided not by technology alone but by preparation. Those who have clarified roles, procedures and decision paths in advance limit the damage; those who improvise lose precious time.
In most incidents we support, the attack itself is not the real problem — the response to it is. The first 60 minutes often determine whether a limited incident becomes a full-blown crisis. In this window, decisions are made that can hardly be corrected later.
The most expensive reflex: shutting down too soon
The instinctive reaction of many teams is to immediately take affected systems off the network or shut them down. Understandable — but risky. An uncoordinated shutdown can destroy volatile traces in memory that would be crucial for the investigation, and in the worst case trigger mechanisms set by the attacker.
Instead, the rule is: isolate rather than destroy. Systems are disconnected from the network in a controlled way, without destroying evidence. This distinction sounds small, but it often decides whether the case can be solved later.
What you should clarify before an emergency
- Who decides during an incident — and who is their deputy?
- Which systems are business-critical and must be protected first?
- How do you reach your incident-response partner outside business hours?
- Where are your backups — and when were they last tested for recoverability?
- Who communicates internally and externally, and through which channels?
Readiness is not a document, but a reflex
An emergency plan in a drawer helps little if no one knows it when it matters. Effective readiness comes from rehearsed procedures: clear roles, coordinated playbooks and regular exercises. Ideally, every move is second nature before it is needed.
This is exactly where our approach starts: we don’t just prepare organizations on paper, but rehearse the response under realistic conditions — so that in an emergency decisions are made quickly and correctly.
Active incident? Don’t shut anything down in an uncoordinated way and contact our emergency hotline immediately.