John Bruce, CEO and co-founder, Resilient, an IBM Company

With the rising number of high-profile breaches in the headlines, organisations are realising that IR needs to be a critical priority. 

For enterprises, this is often about streamlining processes – consolidating threat data from multiple sources, and automating wherever possible. But what of mid-sized organisations? With less complex systems and far fewer resources, the mid-market faces a set of challenges all of its own to improve its response capabilities.

And attackers don't discriminate. A mid-sized organisation is just as likely a target as an enterprise, and has just as much to lose. In fact, in the US, attacks on mid-sized organisations rose a staggering 64 percent year on year, leading to an estimated average financial loss of US$ 1.8 million (£1.2 million) per company, according to data from PwC.

But there is work to be done in achieving true resilience – according to a study from the Ponemon Institute, only 29 percent of UK organisations rate their cyber-resilience as high, with only 36 percent confident in their ability to recover from a cyber-attack at all.

With that in mind – what incident response capabilities should mid-sized organisations have?

Playbooks in place

When asked “what best describes your cyber-security incident response plan?”, a shocking 43 percent of UK organisations said they didn't have one.[1] Step one for mid-sized organisations is to put action plans in place. From malware to DDoS to lost devices, organisations should have a playbook for every likely threat – certainly the most common ones – outlining the particular response procedure for each type of incident.

Action plans, often called 'playbooks', should be mapped to the organisation's standard operating procedures – working within the framework already in place to ensure an incident is handled quickly and decisively. The result is an orchestrated process that allows security resources to work faster. Even if it's left to one individual to cope, having a well-thought-out and actionable playbook avoids panic or errors.

Because the effect of an incident isn't limited to the IT department, creating the channels for organisation-wide collaboration is key. Every potential stakeholder in an organisation – IT, legal, marketing, HR, and the executive team – should have defined roles in the playbook, so that each can act quickly and decisively when an incident occurs.

Tracking and reporting

With playbooks in place, once an incident has been identified and run through the relevant playbook, it is important that organisations track and report on the process. Feedback from the last incident should feed the response plan for the next; incident response is about continual improvement and optimisation.

To aid this, comprehensive and standardised reporting is a must – not only to serve the continual improvement process, but also to meet disclosure and reporting requirements of an organisation's industry and geography. In Europe, this will soon mean complying with the General Data Protection Regulation (GDPR). Organisations need to be well informed on what will be required of them should they be hit by a breach, to avoid a hefty fine on top of the damage of the breach itself.

Most vitally, organisations need to be prepared ahead of an incident taking place. Simply having the plan is not enough; organisations need to know – be absolutely certain – that the plan works in practice. This is not news to businesses. In the same Ponemon study, insufficient planning and preparedness was identified as the most significant barrier to achieving cyber-resilience, named by 61 percent of organisations.[2]

In practice, this means going through “fire drills” by simulating incidents. Simply put, yes, incident response is a process of continual improvement, but you should make sure your first run-through is not the real thing. Organisations of all sizes should test themselves regularly on their ability to respond – setting objectives ahead of the simulation and factoring the results back into their processes.

Incident response is a new reality for mid-sized organisations. However, by adopting this common-sense approach of creating plans for every eventuality, testing them in advance, and continuously factoring the results into procedures, mid-sized organisations can give themselves every chance of being resilient in the face of an attack.

Contributed by John Bruce, CEO and co-founder, Resilient, an IBM Company