Every security professional dreads “The Phone Call.” The one at 2 a.m. where the tired voice of a security analyst on the other end of the line shares information that is soon drowned out by your heart thumping in your ears. Your mind races. There are so many things to do, so many people to contact. You jump out of bed. For a moment, you stare into the mirror longing for yesterday — when your network hadn’t been breached.

In our world of incident response, The Phone Call happens often. It may not be at 2 a.m., if you’re lucky. And if you’re unlucky, it’s not a security analyst, but rather your favorite federal law enforcement agency on the other end of the phone.

It is an emotional time when a potential existential crisis threatens your business, your company’s reputation and your career. Like when we experience other great losses in our lives, the loss of your network can leave you with a real sense of grieving. You can expect to feel the five stages of grief in much the same way Elisabeth Kübler-Ross explains them in her famous book, “On Death and Dying.” While a breach cannot compare in severity to what we experience in our personal lives, we can learn from Kübler-Ross’s descriptions of denial, anger, bargaining, depression and acceptance to manage an extremely stressful event.  

In 2018, CrowdStrike’s Mark Goudie wrote about how he had seen these emotions in his customers throughout his career as an incident responder. Since then, the world has dealt with the explosion of ransomware, supply chain attacks creating risk for hundreds of thousands of customers, and a Java vulnerability that threatened the internet. Here we revisit Mark’s reflections on data breach grief and pair them with practical advice on how to cope. This is your guide on what to expect and how to best get through your incident from the “grief counselor” of the security industry: your incident response firm.

Denial

“There’s no way this problem is as bad as my security team says it is.”

Denial sets in at the very beginning when you’re simply trying to survive what happened, and, as Kübler-Ross writes, the world around you becomes “meaningless and overwhelming.” For some, it’s believing that the incident is a false positive or maybe mistaken legitimate activity. A good security leader drives their team to get to the ground truth. Swiftly conquering denial is critical to effectively executing your incident response plan in times of crisis. Denial wastes necessary time, delaying recovery.

Anger

“I want them arrested!” 

Now is not the time to push for action against the offender. This will come later as you’ve collected all of the information you can while investigating the breach.

Being angry at your team isn’t going to solve the issue, either. Evaluating negligence will be important after the business is secure and operating normally. But derailing vital efforts to resume business operations to chastise personnel will only cause a schism in the rest of the team working the issue and will reflect negatively upon you during the aftermath when personnel decisions will be made.

Stay focused instead. Maintain a task-oriented approach with the information available. Push individuals to identify answers. Don’t belittle them to the point of ineffectiveness or you won’t succeed in solving the problem.  

Bargaining

“What will it take for this to go away? I’ll do anything.” “If only we had done x, y, z.”

We know you want to return your network to the way it was before. No amount of negotiation is going to change the situation. But you have an amazing opportunity! Document the “if onlys.” That’s a great roadmap to what the organization needs to improve upon after an incident. One word of caution: Don’t get hung up on the “if onlys” while you’re still actively investigating and recovering from the incident. You need that energy for the response activity, and bargaining can become a distraction. Quickly document what could be done better and save it for when you have time for a full postmortem.

Depression

“We’re going out of business.” “Our reputation is ruined.” “This will never end…”

Once the full gravity of the situation settles in, a sadness can begin to overwhelm you. The many consequences of a single breach will begin to unravel before you: real impact to your customers’ lives and livelihoods, fear for your own position and guilt over what happened. Lean on your colleagues, mentors, peers and significant others to help you through the emotional trauma of your network being breached. You will get through it, and you will recover.

Acceptance

“This is never happening again.”

Don’t get acceptance confused with being okay, as this isn’t the case. This is about understanding and living with the knowledge of the situation and what it means. You’ll never forget you were breached, but by accepting it, you and your organization will be better suited to reduce the likelihood that it will happen again. This is the mindset you need in order to best accomplish the recommendations offered in the next section. 

How to Accelerate the Grieving Process

As Kübler-Ross wrote, it’s important to experience these stages of grief. By knowing about these stages and possible experiences, coping mechanisms can be developed quickly to move you and your organization through the process. Other methods, highlighted below, can give you further leverage in accelerating through the stages.

Leverage Incident Response Service Providers

You’re not the first organization to have experienced a breach. Due to this unfortunate circumstance, the cybersecurity service industry has blossomed, with seasoned technology and consulting companies that deal with similar issues that you’re currently experiencing on a daily basis. Use the inherent knowledge in those organizations to your benefit. They can show you what the finish line looks like in this marathon and the strategy to get you there.

Practice Your Breach Response

Conduct tabletop and live-fire exercises to allow your teams to experience a breach in a safe environment. An annual tabletop exercise cements your incident response plan, exposes gaps in response processes and defenses, and, most importantly, best prepares you to respond effectively and efficiently — even through the five stages of grief.

Know Your Legal and Regulatory Reporting Requirements

Many legal firms now carry a digital security practice, with teams familiar with legal and contractual obligations due to a breach. Discuss partnering with a firm before the inevitable breach occurs. You can have a law firm specializing in cybersecurity on retainer to guide you through everything from preserving privilege during an investigation to reviewing external communications. 

Carry an Insurance Policy and Review It Annually

Just like drivers have car insurance, cyber liability insurance can provide protection for your business’s digital assets and keep you focused on defensible practices. Also, understand which cybersecurity consulting companies work with your particular insurance carrier, and allow that to aid your decision on which security vendor you’d like to partner with. This will allow for a cohesive ecosystem of proactive, reactive and recovery services your organization can leverage and benefit from. 

Hire a Crisis Communication Firm

When in the fight and moving through these stages, it may seem daunting to come up with communication strategies to your customers, partners, shareholders, the media and regulatory bodies. Crisis communication firms are there to help with exactly that.

Conduct a Postmortem

The investigation should have identified all of the factors that contributed to the root cause of the breach. All of the gaps within your people, processes and technologies should be identified. Conduct a postmortem review and implement strategies to address those gaps.

After you’ve implemented those changes, make sure they are effective by putting them to the test, via Red Team or Adversary Emulation, before the next bad guy does. You can also evaluate your progress through proactive security reviews, such as Cybersecurity Maturity Assessments and Security Operations Center Assessments. 

Conclusion

You are likely to experience the five stages of grief when faced with a serious cybersecurity incident. How you react will directly influence your team’s success in responding to the incident. As you cycle through the stages of grief, remember how you can respond to reach recovery faster: overcome denial, avoid anger, don’t be distracted by bargaining, lean on others during depression, and finally use acceptance to establish clarity of purpose in resolving the breach.  

Additional Resources

• Learn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your organization, workers and data, wherever they are located.
• Visit our Industry Recognition and Technology Validation webpage to see what industry analysts are saying about CrowdStrike and the Falcon platform. 
• Get a full-featured free trial of CrowdStrike Falcon® Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.