Leading Through Crisis with Resilient Incident Response

August 20, 2025

Key Takeaways

  • Incident response should be treated as a strategic business capability rather than a reactive measure.
  • A proper incident response plan can significantly reduce the costs associated with a cybersecurity breach, potentially saving up to 58%.
  • Organizations need to proactively assess their preparedness for potential incidents, ensuring data security and implementing robust security strategies for both mobile and remote workforces.

When a single software update brought operations to a standstill around the globe, the message was clear: resilience isn’t optional.

To stay ahead, organizations must treat incident response as a strategic business capability — not a fire drill. The speed and quality of your incident response determines not only how quickly you recover, but whether you retain public trust, stay compliant, and protect what you’ve built.

Gauge Your Preparedness

For most businesses, a cybersecurity attack is not a matter of “if,” but “when.” Incident response can help organizations save significantly on the cost of a breach – paying up to 58% less than those that do not have a plan in place.

To start, ask:

  • What steps has leadership taken to ensure your organization is prepared to respond to an incident or data breach?
  • How confident are you that your business data is secure?
  • What steps have you taken to ensure your company's data is protected?
  • What security strategies have you implemented to protect a mobile or remote workforce?
  • What priority does security have within your IT team?
  • Do employees know how to recognize and report incidents?
  • What legal, regulatory, and industry compliance requirements do you have?

Create Your Incident Response Plan

Your incident response plan should be more than a document. It should be a practiced, proven process that empowers people to act decisively under pressure.

This includes:

  • Establishing clear definitions of roles and responsibilities
  • Designating cross-functional response teams and implementing escalation protocols that are well communicated and understood by all stakeholders
  • Defining critical systems and data dependencies
  • Setting recovery time objectives (RTO) and recovery point objectives (RPO)
  • Building response playbooks and running quarterly tabletop exercises
  • Designing a communication plan to inform stakeholders and clients, which also outlines alternative communication channels

Effective incident response plans are built, practiced, reviewed, and improved on an ongoing basis. Practicing your organization’s plan can help you discover things that may be missed on paper. Here’s how:

  • Tabletop exercises. Cybersecurity professionals meet with business leaders, attorneys, IT professionals, and others in the organization to ask “what if” questions, identify scenarios, walk through how an incident could happen, and examine questions that arise.
  • Test your backups. Backup issues are one of the main reasons businesses end up paying when hit with ransomware. Pay particular attention to how long it takes to restore from your backups. Is it weeks? Months? Years? Many businesses just don’t have that kind of time, which makes paying the ransom all the more enticing.
  • Penetration testing. Penetration testing exercises give you a full picture of any potential gaps. This testing can highlight weaknesses in your network configurations that could allow unauthorized or undetected access.

"Technology changes so fast that our internal team may not be up on keeping our environment safe. We didn't realize the amount of risk we had in our environment until we had Eide Bailly."

Security Assessment Customer

Incident Response Plan

An effective incident response plan includes the following components:

Preparation:

  • Incident Response Team: Clearly defined roles and responsibilities for team members.
  • Training and Drills: Regular training sessions and simulated incident drills to ensure readiness.
  • Tools and Resources: A list of necessary tools, technologies, and physical resources.

Identification:

  • Monitoring Systems: Continuous monitoring of systems to detect anomalies.
  • Incident Classification: Clear criteria for classifying the severity of incidents.

Containment:

  • Immediate Actions: Steps to contain the incident and prevent further damage.
  • Isolation Procedures: Methods to isolate affected systems from the network.

Eradication:

  • Root Cause Analysis: Identifying and eliminating the root cause of the incident.
  • System Cleanup: Removing malicious code and ensuring systems are clean.

Recovery:

  • System Restoration: Steps to restore systems to normal operation.
  • Validation: Ensuring that systems are functioning correctly and securely.

Lessons Learned:

  • Post-Incident Review: Analyzing the incident to identify lessons learned.
  • Improvements: Updating the incident response plan based on findings.

Three Non-Negotiables for Incident Response

In the heat of a breach or outage, your response hinges on how well you've prepared.

  1. Containment: Isolate affected systems immediately to limit spread
  2. Communication: Notify internal stakeholders, regulators, and customers within required timelines
  3. Correction: Patch vulnerabilities, strengthen controls, and document root causes

Remember, in high-pressure moments, clear roles and trusted advisors make the difference between chaos and control.

Post-incident, remember to:

  • Conduct post-mortems with honesty and urgency
  • Update incident response plans to reflect real-world conditions
  • Align improvements to compliance standards
  • Rebuild systems with security and future risk in mind

The Role of Leadership in Incident Response

Security is not an IT-only responsibility. It is critical that leaders collaborate on risk long before an incident occurs. Here’s what to consider.

Operational Leaders

Why it matters: Downtime is your enemy. Every hour of disruption impacts delivery, customer experience, and your ability to lead teams through uncertainty.

What to do: Treat incident response like an operational contingency plan. Ensure cross-functional roles are defined, tested, and rehearsed before the crisis hits. Embed incident response into your business continuity and supply chain risk assessments.

Technical Leaders

Why it matters: You’re expected to be both shield and strategist. One weak endpoint or misconfigured system can compromise your entire environment.

What to do: Build out technical response playbooks with automated detection, isolation, and remediation capabilities. Collaborate with business units to map system dependencies and align on RTO/RPO targets. Leverage threat intel and post-incident data to harden your environment for the next wave.

Financial Leaders

Why it matters: A single incident can trigger regulatory fines, audit flags, or customer loss. Risk management is now a bottom-line issue.

What to do: Evaluate the cost of underinvesting in incident response readiness. Budget for ongoing compliance updates, third-party audits, and business interruption coverage. Insist on quantifying risk in dollar terms and ensure post-incident reviews inform board-level reporting.

Real Incidents. Real Lessons.

Incident response isn’t just about planning for hypothetical scenarios — it’s about preparing for the very real disruptions that can strike without warning.

Here are two real-world examples where swift response and strategic planning turned potential crises into controlled recoveries.

The Impact of CrowdStrike

An energy and agronomy co-op was hit by the CrowdStrike outage. Their incident response plan kicked in immediately. However, their IT director was out of the office. With our outsourced managed IT team, they restored systems remotely, avoided major disruption, and protected customer confidence.

Stopping a Breach in Real Time

One client received a spoofed email from a customer. They contacted our team the same day. We identified that the customer’s system was compromised — before any damage spread.

By responding the same day, the organization avoided financial loss, protected its systems, and was able to help their customer contain their breach as well.

From "What If" to "Where Next"

Security is not a checklist — it’s a core business discipline. At Eide Bailly, we help clients shift from reactive protection to proactive planning. Our incident response and cyber security teams work together to:

  • Conduct readiness assessments
  • Build IR playbooks and governance frameworks
  • Ensure regulatory compliance across state and federal requirements
  • Train executive teams for decision-making under pressure

Technology will continue to create opportunities for disruption. A tested incident response plan — paired with a trusted partner — can turn a potential breach into a quick resolution. Because, if you wait for a crisis to define your response, you’re already behind.

Let’s talk about how to embed resilience in your organization.

About the Author(s)

Rob Else, CISSP

Manager
Rob helps our clients assess their cybersecurity posture to minimize risks and exposure to today's threats. He leads organizations through assessments and aligns their cybersecurity strategy with their business objectives.