Documentation, policies and standards, oh my! These resources are not fun to create or update, but they are very necessary in the world of cyber incident response readiness. However, these resources are often overlooked in the busy world of responding to today’s events and tackling short-term to-do lists. Organizations should devote time and talent to basic cyber hygiene practices and ensure preparedness is top of mind before incidents occur.
According to Verizon’s 2026 Data Breach Investigations Report, “30% of breaches now start with software vulnerabilities, beating stolen passwords as the top way attackers get in.” This is the first time in the 19-year history of the report that exploitation overtook stolen passwords. This shows that organizations must map their supply chains, manage risk with their vendors, and prioritize tracking and patching vulnerabilities.
Cyber incident response readiness requires organizations to understand their weaknesses, document their risk tolerance, and align information technology resources and policies with overarching business goals and priorities. The task here is simple: every organization’s cybersecurity policy should include an incident response policy.
So, if step one of cyber incident response readiness is to have an incident response policy in place, then why aren’t organizations doing this? Some organizations do not think they are vulnerable to attacks, or they assume that their cyber insurance policies will cover incident readiness and response. Many organizations believe they have enough tools in place to detect intrusions and prevent attacks, while others simply do not have the time or resources to complete a cybersecurity policy, let alone a cyber incident response policy. However, there is a price to pay for doing nothing, and that price continues to increase every day.
From reputational risk to business downtime and disappointed customers, loss of trust, outages and delivery failures, organizations that fail to prepare for cyber incidents will pay a price for inaction. In fact, in that same Verizon report, third-party involvement reached 48% of breaches, a 60% increase from the prior year.
When an incident hits an organization that does not have a cyber incident response policy, confusion will ensue during a very stressful time. Employees will not know who oversees which activities, who is allowed to speak to the media, or where to report questions or concerns. With no policy in place to test, the organization is vulnerable to poor decision-making because it lacks the documentation, standards and policies that could have been developed beforehand in a safe environment where changes can be made.
In those safe environments, organizations can create and test policies, incident response plans and playbooks. Policies are formal sets of guidelines or rules that govern an organization’s operations. According to the National Institute of Standards and Technology (NIST), an incident response plan is a “predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization’s information systems(s).” Playbooks outline roles and responsibilities, as well as actions organizations can take during an incident that are specific to their industry. Testing these documents during an exercise allows organizations to identify gaps, prevent miscommunication, refine roles, create media materials, practice notifying legal authorities, preserve digital evidence, review cyber insurance policies, and become familiar with breach notification deadlines.
Once an incident hits, the time to prepare has passed. This is what organizations miss the most. The good news is that there are readiness resources available to help organizations avoid chaos in the middle of a crisis.
The National Cybersecurity Preparedness Consortium (NCPC) offers DHS/FEMA-funded training, at no cost to local jurisdictions, to anyone in the United States and U.S. territories. NIST provides a free community profile focused on readiness: Incident Response Recommendations and Considerations for Cybersecurity Risk Management.
Utilizing these resources ensures that readiness is top of mind before incidents occur and allows organizations to establish roles, responsibilities and authorities, as well as practice how to detect, respond to and recover from incidents. Organizations that prioritize this work not only protect themselves; they protect the nation from evolving risks and emerging threats.
Amanda Lee Keammerer is a cyber defense and compliance instructor and Dr. Bart Taylor is the Cybersecurity Program Director with the Texas A&M Engineering Extension Service (TEEX) National Emergency Response and Recovery Training Center (NERRTC).