Cisco UK & Ireland Blog

You’ve been breached. Now what?

May 18, 2017

Security is top of the agenda for most businesses. But even the best defences aren’t perfect, and breaches keep happening. Are you ready to respond if your company comes under attack?

Let me tell you a story

It’s a typical Tuesday, 8am. You’re at your desk (or your favourite spot in your local coffee shop), catching up on emails over a coffee, enjoying the quiet before a day full of meetings.

The news could reach you anywhere. Don’t spill your coffee.

An instant messaging window pops up — it’s your network manager, Brian. He’s an old hand, a veteran, but even over IM you can tell that he’s panicking.

08:01<Spotted something odd on the dashboards this am>

08:01<Checked logs … news not good>

08:02<Looks like someone got in to the web servers>

08:03<Still digging… no idea when it started or how far they got>

08:03<What if they got the customer database?!?!?!?!?>

Your calm evaporates. Your gut tightens into a knot. Your fingers hang frozen over the keyboard.

What do you do?

Prevention is only half the battle

Nearly every business has a horror story of its own that starts just like this one. Lloyd’s of London estimates that 92% of European businesses have experienced a breach (although not all of them have been discovered, or disclosed).

That number may be startling, but it’s easy to explain.

One in three UK organisations say they get more than 50,000 security alerts each and every day. On average, only half of these alerts are investigated. Why? Because security teams are understaffed, and equipped with a patchwork of manual systems and processes that can’t cope with such a volume of alerts. So it’s no wonder that some attacks get through the defences.

Your security team is overworked. It doesn’t help that they’re working with the lights off. Metaphorically and, in this case, literally.

The good news is that suffering a compromise doesn’t have to be the kind of world-ending event that brings CIOs out in a cold sweat. The key is to move beyond focusing only on preventative security measures, and start planning for how to react quickly and decisively when an attacker inevitably gets in.

All the research shows that reacting quickly is a major factor in controlling the damage caused by a compromise. You have to rapidly assess the scale of a compromise, contain it, kick out the intruders and close the vulnerabilities.

Only 41% of respondents surveyed by Ponemon said they were prepared to respond to a breach involving business confidential information and intellectual property.

Your cybersecurity emergency service

So how exactly can you get better at reacting to incidents?

Every breach is unique, and to respond effectively you need people with highly specialised forensic skills and tools. People who can stay one step ahead of the hackers.

Unfortunately, most companies don’t have the resources to keep a crack team of security investigators standing by 24×7, waiting for the call.

We do. It’s called the Cisco Security Emergency Incident Response Service.

When a security event happens, you can pick up the phone to us, any time, night or day — even if you’ve never worked with us before.

We’ll triage the situation, build a response plan, and mobilise our team of incident responders to get to your site, fast. They’ll bring with them not only decades of breach experience, but our whole armoury of security solutions, to give them the data and control they need to monitor and contain the situation.

Our people are seasoned security veterans with all the latest equipment, including glasses and beards.

When they’re on site, our experts will be constantly connected to security teams across Cisco, including our Talos threat intelligence researchers, who monitor millions of security events every day (you may have seen their analysis of the recent WannaCry ransomware). You’ll have the whole might of the world’s best security organisation in your corner.

With the incident under control, we’ll turn our attention to remediation. It’s vital to understand the root cause of the breach, redesign the infrastructure and processes within your business to prevent a recurrence, and help your organisation recover as quickly as possible.

Out of the woods?

So you’re through the worst, and the incident is a distant, if painful, memory. Don’t be fooled into thinking that your first breach will be your last.

That’s why we offer our incident response service on retainer. You get the reassurance that, whatever happens, we’re there to help. But you get more than just the reactive breach response — you get a host of proactive, preventative services to help your security measures get fighting fit. We can offer readiness assessments, tabletop exercises to test your plans, and ad hoc support with everything from code reviews to penetration testing. Best of all, you’re assigned a dedicated team, who get to know your organisation and its people. They’re truly an extension of your business.

Our dedicated security experts will work with you, shoulder to shoulder. They may, however, suffer from back pain in later life due to poor posture.

So when you’re sat on that Tuesday morning, with that IM cursor blinking in front of you, you can stay cool, calm and collected, pick up the phone to us, and put your well-honed response plan into action.

Don’t wait for a crisis to happen

Start planning your incident response strategy today. Check out our white paper for all the facts about the stages you should include in your incident response planning. Find out more about our incident response services here. Or visit us at the InfoSecurity event, London, June 6–8. You can find us at stand D19.

Leave a comment


  1. Here’s the recording from our incident response services presentation at InfoSec. It’s 15 minutes long, so a great quick overview of the topic: