Blog: DFIR

6 non tech things you wish you had done before being breached

Luke Davis 03 Dec 2024

Introduction

When a breach happens, it’s not just technical defences that matter. Preparation in non-technical areas, like having key documents printed or emergency contacts accessible, can make all the difference. In this blog, we highlight six simple yet essential steps to help you prepare in case of a breach. 

TL;DR

  • Print key documents: Keep hard copies of insurance policies and IR playbooks.
  • Create a WhatsApp group: Use personal numbers to stay connected.
  • Plan for unreachable execs: Delegate authority for critical decisions.
  • Secure IR contracts early: Be ready to act fast with a trusted provider.
  • Save IR contacts: Store key numbers on your personal phone.
  • PR and Legal: Ensure you or your IR partner have plans in place to cover legal and PR.

1. Print out your insurance policies and IR playbook

It’s really important to contact your insurer as soon as you suspect a breach. If you make the situation worse by trying to respond to the incident yourself, you could invalidate your insurance cover. Your insurer will have access to experts to help you respond and recover.

Even if your policy doesn’t cover cyber, your insurer can probably still put you in touch with experts, and will likely have negotiated a better rate than you could get on your own.

BUT 

All your email and servers have been encrypted. Where do you keep your insurance documents? On a fileshare on one of those servers? 

Good luck finding the claims number in a hurry. Even better luck finding your policy number. 

Also, threat actors are known to search file share data for insurance cover… guess how much the ransom demand will be…

So print out your insurance documents and put them in a folder. If you have an incident response playbook, print that out too and keep it somewhere safe. You might keep a copy at home, as things often go sideways at the weekend or other inconvenient times. 

Be careful that you don’t keep sensitive data in unsafe environments though. 

2. Set up a WhatsApp group for key stakeholders on your PERSONAL phone with their PERSONAL phone numbers

Your work phone probably integrates with your corporate domain for security policy enforcement. That domain is now shot to pieces with ransomware. 

So your work phone may now not have access to anyone’s phone numbers, as they are all stored in the Global Address List, or in a similar online directory.

All of your colleagues may have a similar problem. Do you even know their personal phone numbers? Emergency and next-of-kin contact details are probably in an HR app somewhere on your ransomwared network too. 

Create a WhatsApp group with personal contact details. Explain why you’re doing it, as a last resort in the event of a serious outage. 

You’ll be very glad you did. 

3. Make sure delegated authority is in place when you can’t get hold of the C-suite

Ransomware operators know what your working hours are. A savvy attacker will trigger their attack in the middle of the night, timing it for when most of your senior execs are asleep. Or maybe they’re at a corporate retreat, uncontactable, or on a plane without connectivity.

If your senior execs are uncontactable, who has delegated authority to turn off or disconnect parts of the network to prevent the spread of the ransomware? Critical revenue-generating systems may need to be powered down. Does the mandate cover that?

4. Get an incident response contract in place beforehand

Who ya gonna call? How are you going to get a contract done with an IR provider? Email doesn’t work, and you can’t get hold of legal. How is the IR provider going to respond if you can’t arrange access for them because comms are down?

Do the planning work beforehand: find a trusted provider and get contracts and access authorities in place before you need them. The responder will be able to intervene far, far faster, help limit the damage, and get your business back on its feet much sooner. To reuse a phrase: don’t turn a drama into a crisis by not being prepared.

5. …and whilst you’re there, make sure you have key IR phone numbers on your personal phone

There’s no point having an incident response provider on contract if you can’t contact them! Get their contact details on to your personal phone and ensure there’s a second WhatsApp group for them at the ready. 

6. Ensure you or your IR partner have plans in place to cover legal and PR

When a breach occurs, the technical fallout is only part of the battle. The real challenge often lies in managing the legal and public relations (PR) consequences.

Without a pre-established legal and PR strategy, organisations risk regulatory fines, legal challenges, and irreparable damage to their reputation. Partnering with an incident response (IR) team that offers legal and PR support ensures you’re prepared to navigate these complexities. From crafting compliant breach notifications to controlling the narrative in the media, a well-prepared IR partner can protect your organisation’s credibility while helping you meet your legal obligations, proving that preparation is just as critical outside the IT room as within it.