Have you been a victim of a data breach? You’re not alone.
As an incident response (IR) professional, I have met many different types of corporate staff, from the IT staff to the C-suite. Unfortunately, it was probably on their worst day ever, and in our world, it’s most likely due to phishing or ransomware. According to the Verizon Data Breach Investigations Report (2023 DBIR), the median cost per ransomware more than doubled over the past two years to $26,000, with 95% of incidents that experienced loss costing between $1 and $2.25 million.
Many seasoned law enforcement personnel share the same sentiment, especially those that work in serious crimes. Like these responders, we’re walking into an active crime scene. Emotions are high, those involved are stressed and they’re having a difficult time wrapping their heads around what happened, why and, more importantly, how to resume operations.
While customers are the main victims of security incidents, followed by the enterprise, infosec teams on the front lines are also victims. Feelings of defeat, loss, failure of oversight and knowing that they could potentially become unemployed as a result are harsh realities teams face, especially when budgeting decisions were made without their input or if the enterprise didn’t have a business continuity plan in place. Often, victims will progress through the same five stages of grief that victims of other crimes experience.
The five stages of grief–denial, anger, bargaining, depression and acceptance–were developed by Elisabeth Kübler-Ross in a book she published called On Death and Dying. The model was used to describe terminally ill people facing death, but was quickly adapted as way of thinking about grief in general. Having guided many customers through data breach events to remediation, we’ve seen the “five stages of grief” model in action.
Looking at this model with an infosec lens, we have outlined the five stages of incident response grief and how to work through them for a better outcome.
Stage 1: Denial
“There’s no way this happened to us.”
“I really can’t believe this.”
These are just a few soundbites we’ve heard incident response (IR) customers express in the early stages after a breach. While it is important to acknowledge this ugly truth and sympathize with the situation at hand, there is no time to waste. You need to act fast.
Know that the threat actor is alive and well; the time is now to move forward.
Stage 2: Anger
“How could you let this happen?”
At this stage, reality sets in and folks can become angry. There might be anger toward management for lack of appropriate purchases over the last few years due to budgets, or anger toward third parties for mismanagement of the enterprises’ information, aka finger-pointing.
The reality: This stage is highly unproductive and the most useless in the entire process. Not only is the business already disrupted, but the issue could become compounded by someone’s effort to seek retribution.