The other day I was listening to a story about a security incident. It happened at a mid-sized company.
One of their email accounts was compromised and thousands of emails were sent out in their name.
Their domain ended up on blacklists used to block the spread of infections.
They fought for about two weeks to get removed from these lists and get their email service back to normal.
Two weeks without emails. Just try to imagine.
The whole incident was told by the rightfully proud service provider (SP), who basically ran an ad-hoc disaster recovery plan (DRP) and helped them out quickly.
The success is clear on the side of the SP. They did very well.
I started to think: what would be different if this company worked with us too?
Yes, there is a quick answer, which is about costs 😊
It may seem obvious, but it is not necessarily true.
Most companies learn this only after a similar situation.
Before anything else, I have to say I have been in these situations. With and without plans.
Sometimes we had a business continuity plan (BCP), incident handling procedures and a DRP as well. Sometimes not. The difference is huge, especially in stress level and in the speed of response and recovery (return to normal operations).
The first difference is that they probably could have avoided this situation completely, if they had had a cyber security program in place, including a security awareness program.
An awareness program teaches your employees the rules and the hygiene of cyberspace.
The second difference is that you have plans when something happens.
Then you are in control of the situation, instead of just following events, which in most cases are not clear to your team because no one ever explained them.
If you have plans, that is great. Let us try them out. Let us see how they work. Once you have seen them work, you will be in a very different state when something unwanted happens.
The calmness and control of management with tested plans will help employees stay calm and follow the plans and instructions.
Your team is prepared, not desperate and clueless. You all know that it will be solved soon.
Your team does not have to invent things in the heat of the moment.
In this situation, talking to your customers, suppliers, employees, banks, authorities, stakeholders, and in some cases the media can be very exhausting and stressful.
And, basically, quite unnecessary if your company is prepared.
The last thing is about recovery.
If you have a plan, with known and tested procedures, your return to normal operations is much faster and less stressful.
It is like testing backups from time to time: everyone knows that they are working, so everyone can be more relaxed.
The “bad news” is that all of these preventive steps are the responsibility of management. They have the power to decide on them and make them happen.