February 3, 2020

How to move on from a cybersecurity incident

Shane Schick

Cybersecurity incidents can cost people their jobs. Organizations can lose customers as their share price tanks. Customers’ personal and confidential information can be put at risk. And when the incident has finally been contained, there’s still a lot that happens before it’s in the rearview mirror.

A solid incident response plan begins with defining the scope of the threat, gathering data, assigning roles and beginning the remediation process. But incident response plans are about more than prevention. Make sure you don’t ignore these aspects.


Incident reporting

No company wants to have a press conference in the midst of a cyberattack, but they should be ready to inform third parties appropriately. This may include law enforcement, customers and even the media.

Rizwan Jan, chief information officer (CIO) of the Henry M. Jackson Foundation for the Advancement of Military Medicine, says this is where your incident reporting (IR) team needs to be extra clear about its roles and responsibilities.

“There can be a lot of speculation, and that speculation is often misinformation,” Jan cautions. “Your CIO should not be talking to the press about a data breach. If the situation were reversed, you wouldn’t want a PR person tinkering around with security tools.”

Of course, senior leaders need to be informed and consulted too, but they’re often on a plane or locked up in a meeting while an incident unfolds. Jan recommends CEOs deputize someone to handle crisis management questions — a second-in-command who can make decisions. This should be woven into the incident response plan as well.

“You always want to avoid a single point of failure,” Jan says, referring not just to IT but to response team collaboration. “You need to have a path B, C and D.”

Implementing best practices

Even the best-laid incident response plans will fail if they’re not tested with regular drills. And the nature of cyber incidents is constantly changing, which makes it even more important to ensure the plan aligns with organizational needs.

A study conducted by the Ponemon Institute earlier this year shows that 54 percent of those who have an incident response plan don’t test it. So, there may be a gap between how an organization expects it can deal with a data breach and what actually ends up transpiring.

Jan says the best way to overcome this problem is to get proper executive buy-in from the very beginning. Gather industry research about data threats in your particular industry, or highlight news coverage of competitors who’ve been hit by an attack.

“It’s a good thing to show those statistics to management to get their incident response antenna up to all the threats that are out there,” Jan explains. “That’s when your message will get out to the rest of the organization and security becomes more ingrained in your culture.”

Strengthening mobile security

The annual SANS Incident Response Survey looks at trends in how organizations handle these issues. The 2019 report showed the difference automation is making: For example, only 35 percent of those surveyed in 2019 said they manually blocked command-and-control (C2) IP addresses, compared with nearly 46 percent in 2018.

So how does a threat landscape that’s growing through the use of mobile devices change a company’s approach to incident response?

Jan looks for three things in an enterprise mobility management (EMM) solution: how well it integrates in an organization’s existing technology stack, what kind of visibility it offers into cyberthreats and what control it gives in terms of fine-tuning rules and configuration. And don’t overlook conducting a post-mortem — not a meeting filled with finger-pointing, but a genuine, constructive look at where you should optimize your incident response plan.

“We should be in the spirit of ever improving our business processes,” Jan advises. “Tie into metrics like mean time to detecting and resolving an incident. And map those metrics into industry standards. That way, you have some teeth to it, and if you have auditors come in, you’ll have a story to tell about why you’re doing what you’re doing. You will fail if you whip up [an incident response plan] out of nowhere and don’t have anything to back it up.”

Samsung Knox fills the gaps

Not all cyber incidents involve mobile devices, but for those that do, an important part of the remediation process is looking at the extent to which data on a smartphone, for instance, connects back to the network. This is obviously much easier if you already have an EMM solution in place, as the solution can help you quickly identify which devices need to be addressed and even consider future points of vulnerability.

Samsung’s Knox platform and supporting services can be a linchpin in helping organizations bring their IR plan together, offering the ability to configure, monitor and secure mobile devices against a wide range of cyber threats.

To learn more about building an incident response plan for your business, download our free whitepaper.


[Icon] close

Get the right solution for your business

Join 25,000+ organizations around the world.

[Icon] suitcase
Are you a reseller or solution partner?

Get access to the Knox Partner Program for helpful partner tools, such as the Knox Deployment Program portal, Knox MSP portal, partner SDKs, and more.

[Icon] info
Unified Endpoint Management
Knox Suite
Rebranding and customization
Knox Configure
Fraud and theft protection
Knox Guard
Device protection plan
Samsung Care + for Business
Other products & services

Get started with

[Image] Knox Suite

All-in-one solution bundle for enterprise mobility.

[Icon] Check mark

Join us and get a 90-day free trial for Knox Suite and other Knox products. *Approval required

[Icon] Check mark

A complete set of tools to secure, deploy, manage, and analyze your enterprise's corporate mobile devices.

[Icon] Check mark

Try powerful features bundled with Knox Suite, such as Knox Remote Support.

Knox Suite include:

[Icon] Knox Platform for Enterprise Knox Platform for Enterprise
[Icon] Knox E-FOTA Knox E-FOTA
[Icon] Knox Mobile Enrollment Knox Mobile Enrollment
[Icon] Knox Asset Intelligence Knox Asset Intelligence
[Icon] knox manage Knox Manage
[Icon] knox capture Knox Capture

Get started with

[Image] Knox Configure Logo

Remotely configure Samsung devices in bulk and tailor them to specific needs, right out of the box.

[Icon] Check mark

After approval, you can try both the:

  • Setup edition — designed for a one-time deployment
  • Dynamic edition — deploy and update policies as many times without a factory reset.
[Icon] Check mark

Try either the Setup edition or Dynamic edition of Knox Configure on up to 30 devices.

[Icon] Check mark

Get a free Knox Suite trial upon approval to try our UEM.

Get started with

[Icon] Knox Guard Logo

Remotely control Samsung devices to reduce financial risks and protect assets.

[Icon] Check mark

After you get approved, generate your free trial license for 90 days.


Try all the features of Knox Guard on up to 30 devices, including SIM control and device locking.

[Icon] Check mark

Get a free Knox Suite trial upon approval to try our UEM.

Get started with

[Image] Samsung Care Plus For Business Logo

Protect your business devices against accidental damage and mechanical breakdowns.

[Icon] Check mark

Are you already a Samsung Care+ for Business customer? Create an account and access the Samsung Care+ for Business console.

[Icon] Check mark

Contact the Samsung sales team and get peace of mind for your devices.

Other products & services

[Image] Others logo
[Icon] Check mark

Samsung offers additional solutions to serve the unique needs of your business. Talk to a Samsung expert today.

Back to top