How can your organization prepare for a cyber incident?


Every day the media report on cyber attacks, data leaks or ICT malfunctions caused by suspected cyber attacks. It turns out that organizations are often poorly prepared for such a cyber incident. This is unwise, because such incidents can cause enormous disruptions. Today, any organization can fall victim to a cyber attack due to exploited vulnerabilities in its own network or in those of software vendors. Such attacks are usually not specifically targeted at your organization, but in some cases they do target a specific organization.


Prevention is always better, of course, but practice has shown that the threat is so varied in nature that as an organization you would do well to be prepared across the board for all possible scenarios. As a director or CEO, how do you ensure that your organization is well prepared for a cybersecurity incident? By developing an Incident Response strategy and plan.

What is Incident Response?

Incident Response is the process an organization uses to deal with an IT Security incident and its consequences. Four fundamental steps of Incident Response are:

  • Step 1: Setting up technical preparation
  • Step 2: Forming an Incident Response Team
  • Step 3: Create Incident Response Plan
  • Step 4: Training, practicing and learning

Step 1: Setting up technical preparation

In Incident Response, technical preparations are the starting point. For example, to build a forensic trail (digital trail) of an incident, it is necessary for all kinds of log files to go back as far as possible in time: at least three months, but preferably longer. These include the logs of firewalls, antivirus and malware packages, the Active Directory, Office365 and Windows events, among others. You can also activate and monitor detection technology already in your IT infrastructure.
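
A check of how far back each log source actually reaches, as an added example that is not part of the original article or NFIR's tooling: it measures retention depth per source against the three-month minimum and flags collection gaps and sources that deliver nothing. The source names, the 90-day reading of "three months", the one-day gap threshold and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

REQUIRED_DAYS = 90  # assumption: "at least three months" taken as 90 days

def audit_coverage(events, expected, now, max_gap=timedelta(days=1)):
    """events: iterable of (source, ISO-8601 timestamp). Returns {source: finding}."""
    stamps = {name: [] for name in expected}
    for source, ts in events:
        stamps.setdefault(source, []).append(datetime.fromisoformat(ts))
    report = {}
    for source, seen in stamps.items():
        if not seen:  # source is in the plan but nothing is being collected
            report[source] = {"depth_days": 0, "meets_retention": False, "gaps": []}
            continue
        seen.sort()
        points = seen + [now]  # silence up to "now" also counts as a gap
        gaps = [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]
        depth = now - seen[0]
        report[source] = {
            "depth_days": depth.days,
            "meets_retention": depth >= timedelta(days=REQUIRED_DAYS),
            "gaps": gaps,
        }
    return report

def constructed_events(now):
    """Constructed sample data: one event per day per source, not real logs."""
    def daily(source, first_day, last_day, skip=()):
        return [(source, (now - timedelta(days=d)).isoformat())
                for d in range(first_day, last_day - 1, -1) if d not in skip]
    return (daily("firewall", 120, 0)
            + daily("windows-security", 12, 0)                 # log rolled over early
            + daily("office365", 100, 0, skip=range(40, 50)))  # ingestion outage

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the result is repeatable
# Hypothetical source names for the log types listed in Step 1.
EXPECTED = ["firewall", "antivirus", "active-directory", "office365", "windows-security"]

if __name__ == "__main__":
    findings = audit_coverage(constructed_events(NOW), EXPECTED, NOW)
    for source, finding in findings.items():
        ok = finding["meets_retention"] and not finding["gaps"]
        print(f"{source:18} {'OK' if ok else 'REVIEW':6} "
              f"depth={finding['depth_days']}d gaps={len(finding['gaps'])}")
```

In practice the event list would come from the oldest and newest records of each exported log, and the gap threshold would be set per source according to how often that source normally writes.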

Step 2: Forming an Incident Response Team

It is essential to bring together the staff who will take on the required tasks in an Incident Response team, which can also act as a task force for cyber incidents. This includes analyzing and monitoring threats, as well as coordinating during an IT Security incident. Make sure it is clear who the team members are, what responsibilities they have, and – perhaps most importantly – make sure they are properly trained and educated. Many organizations seek the assistance of a Computer Emergency Response Team from a specialized IT security company such as NFIR when IT security incidents occur.

Step 3: Create Incident Response Plan

An Incident Response plan (IR plan) allows for coordinated and effective response to an incident. It includes a set of instructions to help your staff detect, respond to and recover from security incidents. Examples of an IT security incident include an outage, a data breach or a digital attack. The goal is to respond quickly and appropriately to reduce impact, minimize damage and repair work. Part of the IR plan is a risk assessment that identifies specific risks to your organization. What systems do you have company information on? What resources are used for this purpose? What information needs to be protected? Where is the information located and what are the legal obligations in the event of a data breach? Next, you will create a clear roadmap outlining the steps that need to be taken and which individuals and parties need to be involved or informed in the event of an IT Security incident. NFIR can assist you with this. For example, we offer a training course in which our experts take you through the process and roadmap for an Incident Response plan. NFIR’s co-drafting of your IR plan is also possible.

Step 4: Training, practicing and learning

Make sure the plans are kept secure (preferably on paper), but are accessible to those who need to access them in the event of a cyber incident. Train Incident Response team members well in all aspects of their job. This can be done, for example, with NFIR’s Incident Readiness training. In addition, it is very important to practice incidents in a realistic way so that team members really start functioning as a team. These crisis simulations train the team to respond appropriately to incidents. This can be done at NFIR, for example, with an Incident Response Dry-run (simulation with “injects” of a successful ransomware attack).

Communicating is important

Effective communication is crucial in a cyber incident. This applies to internal and external communications.


When an employee suspects that an incident is occurring or there is a threat, that person must be able to raise the alarm quickly. Make sure your employees know how, and properly arrange for 24/7 reporting. Also, make sure it is clear who is communicating with external parties (such as an ICT vendor, cloud provider, the Personal Data Authority or, if necessary, a Computer Emergency Response Team). Make sure employees are aware of the hotline, scenarios and any other contacts. If employees know the plan exists, what it entails and how to report incidents, action can be taken quickly. Regular updates to your employees about a cyber incident and progress are also important.


Finally, good external communication about a cyber incident is essential. Every organization has stakeholders such as suppliers, customers and partners who have the right to be informed properly and in a timely manner about the possible consequences of a data breach and business continuity for them. Where possible, your organization will provide actionable advice to those affected by the IT Security Incident.

Security incident? Meet Incident Response

Our Incident Response team is available 24/7 to identify and resolve any cyber incident.

Emotet is so-called “polymorphic malware” – which constantly adapts itself to avoid detection. The malware is often used by cybercriminals as a springboard to gain access to corporate environments. Once inside, attackers often look for ways to gain further access to the network.

Read the full article: What is Emotet malware? and what does it do?

At the moment that unauthorized persons (can) access personal data, there is a potential data breach. In many cases, organizations are required to report the incident to the Personal Data Authority (AP). The AP was established and designated as the regulator of the General Data Protection Regulation (AVG) and the AVG Implementation Act (UAVG). When a data breach occurs depends on the circumstances. For example, a data breach need not be reported if the risk to rights and freedoms of data subjects is limited. This is in contrast to when an unauthorized person gains access to a customer’s passport or bank account number. After all, in that case, misuse of identity or financial consequences cannot be ruled out. Such incidents must be reported to the AP within 72 hours.

Read more: When am I dealing with a reportable incident/data breach?

Yes, we are available 24/7 for SMEs, multinationals, government bodies, educational institutions and non-profit organisations. Within three hours, an incident response (CERT) team is present at every location in the Netherlands (Wadden Islands excluded).

CERT stands for Computer Emergency Response Team. The attribute is awarded by Carnegie Mellon University to companies and teams involved in digital security incidents. In the Netherlands, there are a number of official CERTs of large organisations involved in combating cyber incidents, such as the NCSC, the IBD, the Ministry of Defence, telecom organisations and banks.