Essential tips to ensure you bounce back after a cyber attack
For some executives, 2025 will be remembered for one thing: a string of cyber attacks that sent a chill through British boardrooms. Last year saw a spate of crippling attacks, including one that took down retail giant M&S’s ecommerce operations for months, and another that caused chaos for not just Jaguar Land Rover but also its supply chain. The ghost of cyber-attacks past is hanging over companies long after Christmas.
The good news is that it’s never too late to review your organisation’s readiness and ensure your defences and incident response plans are fit for an age of ever more sophisticated attacks. Cyber criminals aren’t going to be taking a step back in 2026, but by following a few recommendations you can help ensure your organisation is prepared to meet their challenge.
Expect the unexpected
When organisations are drawing up plans for how to deal with a potential attack, they should consider the types of ‘severe but plausible’ scenarios they might face so that they can prepare and rehearse playbooks. These scenarios are often complex and multi-faceted.
For example, if organisations rely heavily on external suppliers to run their technology, they should consider a scenario in which one of those suppliers is attacked and its service becomes unavailable. Other scenarios include physical and digital attacks happening in parallel, as well as the more obvious ransomware and data theft situations.
Recent attacks have underlined the importance of having a playbook for each scenario to the success of the recovery. A surgeon doesn’t operate on a patient without years of learning, training and practice; firms shouldn’t attempt open heart surgery on their operations without meticulous planning, preparation and rehearsal.
Rehearse, rehearse and rehearse some more
Playbooks need to be rehearsed to build ‘muscle memory’. Last year’s attacks saw firms needing to rebuild major parts of their technology estate. Organisations need to prepare for such contingencies to avoid being caught on the hop.
Think about the way that a Formula 1 team prepares for a pitstop. This lightning manoeuvre is meticulously planned and rehearsed with teams becoming familiar with the most likely scenarios, as well as a handful of alternatives.
For businesses, this isn’t just about a technical rehearsal; there’s also a need to understand who will say what, and when, to customers, regulators and the media. Too often, recovery becomes a piecemeal activity with teams trying to combine the best of what they know from experience while also second guessing the attacker’s next move.
There’s no reason why a cyber attack recovery shouldn’t be finely tuned like an F1 team. Conversely, trying to rebuild a major part of your technology estate having not fully rehearsed the scenario is likely to lead to lengthy recovery times which can have huge commercial consequences and impact on share price (as we’ve seen from attacks this year).
Spot the intruder
It might sound obvious, but you need to know when you’re being attacked. There have been examples of attackers infiltrating systems and going unnoticed for days and sometimes weeks. They do this by disguising their activity so that it looks ‘normal’ and avoids triggering alerts. That means they have time to harvest data and intelligence before being detected.
You also need to know what you’re protecting and where exactly your ‘crown jewels’ are located. For example, not all data might need equal levels of protection. Some will be highly valuable to an attacker, while other data may be of no use at all.
A combination of a highly sophisticated security operations centre (SOC) and security information and event management (SIEM) data can help firms to detect unusual activity across their estate. Alerting and analysis tools are improving all the time, and we’re seeing some use AI to distinguish a ‘normal’ pattern of behaviour from an attacker’s behaviour. Although these tools come at a cost, this is a drop in the ocean compared with the losses an organisation could face if attacked. This is ultimately about staying one step ahead of potential attackers in the arms race.
Having a cyber-savvy workforce is often the first line of defence; they may be able to prevent attacks by spotting unusual behaviours. Many firms invest in cyber awareness training to, for example, help individuals to spot phishing emails.
Fill skills gaps with external help
There are several capabilities that organisations need in order to respond to a cyber attack, but which don’t typically exist in their business-as-usual operation. A good example is ransom negotiation.
Enter specialist firms that act as an intermediary between the attacker and the company, while providing insight into attackers’ typical behaviour. Even if organisations have no intention of paying a ransom, it’s unlikely they will have the skills to conduct a complex negotiation with an attacker, and these firms can therefore fill a critical gap.
Forensic support is another good example of where companies may want to call in outside help. When an attacker compromises your technology, you need to be able to preserve evidence for the criminal investigation, as you would with any other serious crime. This means you have to balance the need to rapidly get the technology back online with the need to assist the investigation. Having a forensics team waiting in the wings to preserve criminal evidence is not a capability most firms have.
Operating in a crisis will feel very different to the average day for most people and we often see a ‘fight or flight’ mentality. It’s important to prepare all employees for a shift in the intensity of work, but also to make sure there are checks and balances so that their wellbeing is considered. Recovery can go on for weeks and it’s impossible for even the most highly performing teams to operate under extreme stress for that length of time.
Many firms are already heavily regulated to make sure that they prepare for these types of attacks. Those that aren’t are likely to be soon (especially if operating critical national infrastructure). As we reflect on the attacks we saw last year, firms need to consider the investment required in 2026 to help avoid being the next victim.
This article was originally published in Management Today.