Cybersecurity Incident Management: 5 critical mistakes
The way a cybersecurity incident is responded to often determines the scale of its consequences—both business and legal. Many companies focus solely on technical aspects, while errors in processes and legal management can prove equally costly. Below is a list of five critical mistakes we often encounter when handling incidents or later, when we are asked to help combat the effects of these incidents.
Mistake #1: Lack of incident response culture and procedures
Many companies focus on formally developing procedures, treating them as a compliance requirement to be checked off. However, the mere existence of a document does not guarantee an effective response in a crisis. What is crucial is an organizational culture in which the employees responsible for handling the incident understand their roles and know what to do.
Most organizations treat incident response procedures as theoretical documents that are put away in a drawer. When an actual incident occurs, it turns out that no one knows what to do, who to notify, or what steps to take. Time pressure and stress make even a well-written procedure useless if it has not been tested beforehand.
Therefore, in our opinion, testing and verifying procedures is crucial. Organizations should conduct simulation exercises and crisis scenarios at least once and refine their incident response procedures based on these experiences. Only through practical exercises is it possible to identify gaps and problems. Testing also allows you to develop efficient communication mechanisms and verify that the assigned roles are appropriate for the competencies of your employees.
Mistake #2: Failure to define legal and contractual requirements for reporting
The second critical mistake is the failure to comprehensively establish all legal and contractual requirements for incident reporting that apply to a given organization. Many organizations focus solely on the obligations under the GDPR, DORA, or the National Cybersecurity System Act, completely ignoring the obligations arising from concluded contracts.
The typical approach is to write the GDPR deadlines into the procedure – 72 hours to report to the supervisory authority, immediate notification of data subjects – and stop there. The organization considers that it has fulfilled its information obligations; meanwhile, this way of thinking overlooks an important area of contractual responsibility.
In practice, many contracts concluded with contractors contain provisions requiring notification of breaches. This applies primarily to personal data processing agreements, in which the processor undertakes to immediately notify the controller of any breach. However, we have also seen similar contractual provisions in IT service agreements, outsourcing agreements, and non-disclosure agreements (NDAs). Failure to comply with these contractual obligations may result in contractual sanctions, contractual penalties, termination of the agreement, and liability for damages suffered by the contractor.
In this context, the key question is: does the legal/contract department systematically map and document all notification obligations arising from the contracts concluded? Is there a knowledge base/repository with information on deadlines, procedures, and recipients of notifications? In most organizations, the answer is no. The result is a situation where, after an incident is detected, the organization focuses on reporting to public authorities, forgetting its obligations to its contractors.
Even the best team will not fulfill obligations it is not aware of. And during an incident, there is usually no time to review all contracts.
Mistake #3: Lack of coordination and a designated Incident Manager
The third significant mistake is the lack of a clearly designated person responsible for managing the incident response. The IT department focuses on technical aspects, the legal department finds out too late, and the management receives information in a fragmented manner or in a way that is not adapted to their communication style.
Effective incident management requires the appointment of an Incident Manager – a coordinator who has comprehensive knowledge of what needs to be done, is able to assign tasks to individual team members, and effectively coordinates their execution. The Incident Manager does not have to be a technical expert or a lawyer – their role is to manage the process, ensure communication between departments, monitor progress, and make strategic decisions. They must, however, act as a command center during a crisis:
- gather information from the IT team;
- consult notification obligations with the legal department;
- coordinate communication between teams;
- ensure deadlines are met and documentation is kept.
Without appointing such a central figure, incident management can descend into chaos and make it difficult to fulfill responsibilities in a timely manner.
Mistake #4: Errors in risk analysis
The fourth often overlooked aspect is the proper analysis of the risks associated with the incident. In a crisis situation, it is crucial to quickly and accurately assess the severity of the consequences, the likelihood of the threats materializing, and the priority actions to be taken.
The first problem is the lack of a consistent risk assessment methodology. Different people may assess the same incident completely differently – for some it will be a serious breach requiring immediate reporting, for others a minor technical incident. The lack of uniform criteria leads to subjective, often erroneous conclusions.
The second problem is insufficient experience in estimating the impact of an incident. Assessing how many people have been affected by the breach, what categories of data have been disclosed, and what the consequences may be are tasks that require not only technical knowledge but also an understanding of the business and legal context. An overly optimistic assessment can lead to a failure to comply with reporting obligations, while excessive caution can lead to unnecessary escalation.
The issue of assessing probability is similar. Organizations are often unable to realistically assess the risk of further escalation, whether the data can be used by third parties, or whether the incident may recur. The lack of historical data and analytical tools means that assessments are based on intuition.
It is crucial to develop a consistent risk assessment methodology. It should include clear criteria for classifying incidents, decision-making algorithms, and procedures for estimating the impact and probability. It is equally important to build team competence through training and access to tools that support risk analysis.
Mistake #5: Errors in communication with data subjects
The fifth significant mistake is improper management of communication with data subjects. Article 34 of the GDPR requires that in the event of a high-risk breach, the controller must communicate the breach to those individuals without undue delay.
However, Article 12 of the GDPR, which sets out the requirements for transparent information and communication, is of key importance here. The controller should provide information in a concise, transparent, understandable, and easily accessible manner, using clear and plain language. In the context of an incident, the message must be structured in such a way that the person can understand what has happened, what the consequences are, and what action they should take.
In practice, organizations make a number of mistakes:
- communications are too technical, full of legal or IT jargon, and therefore incomprehensible to the average recipient;
- communication is sometimes incomplete – organizations focus on the circumstances and causes of the incident, while omitting practical recommendations on what the recipient should do;
- communication is often delayed – organizations procrastinate in the hope that the situation will quickly be brought under control;
- communication is sometimes inconsistent – different channels convey different versions of the information (a different message for the press, contractors, and data subjects), which raises doubts about the credibility of the organization.
Proper communication requires careful preparation. It is a good idea to prepare ready-made templates written in simple language, containing all the elements required by the GDPR and practical tips. It is equally important to ensure consistency of communication across all channels and to prepare the team to answer questions from customers, contractors, and other interested parties (e.g., journalists).
Summary
Cybersecurity incident management requires not only technical competence, but also legal awareness and organizational skills. The five mistakes described above are the most common pitfalls for organizations that have not yet faced an incident.
Avoiding these mistakes requires a proactive approach – preparing the organization for an incident before it occurs. Implementing and testing procedures, mapping reporting responsibilities, appointing an Incident Manager, and developing communication templates are investments that can significantly reduce the scale of damage.
Contact our specialists, who will help you prepare to deal with an incident and can also support your organization in testing incident management.
