When the Breach Happens: Building a Human-Centred Cyber Incident Response

In today’s hyper-connected world, the question for most organisations is not if a cyber incident will occur, but when. The speed and complexity of modern threats require more than just technical controls or firewalls; they demand mature, human-led preparation that places resilience at the heart of business strategy. As cybersecurity professionals, we know that how an organisation responds when the worst happens can shape reputations, restore trust, and ultimately define long-term success.

At the heart of effective response lies a strong, regularly reviewed Incident Response Plan. This document isn’t simply a compliance requirement; it’s a practical playbook that determines how teams communicate, who makes which decisions, and how to act under pressure. A robust plan lays out severity levels for different types of incidents, defines escalation paths, and clearly identifies decision-makers. It defines who has authority to take systems offline, make public statements, or, in extreme cases, decide whether to pay a ransom. Crucially, it lists key contacts across departments (IT, legal, HR, comms, external counsel) and ensures there are backup names in place, because crises don’t wait for annual leave to end.

But planning alone isn’t enough. No one becomes battle-ready by reading a manual. Organisations need to test their incident response plans regularly, at least once a year, with realistic exercises that simulate the pressures of an actual event. These drills, which can range from table-top discussions to full technical simulations, should involve the board as well as operational teams. Involving external partners such as key suppliers, regulators and law enforcement helps test the full chain of response. And when things go wrong during a test, that’s a gift: every failure is a lesson you don’t want to learn for the first time during a live breach.

The legal and regulatory side of incident response is just as critical. Many organisations underestimate the time pressure of mandatory reporting requirements, such as the 72-hour window to notify the Information Commissioner’s Office under the UK GDPR. Others aren’t fully aware of sector-specific obligations under frameworks like NIS. A well-prepared organisation builds these requirements into its planning from the outset, mapping out who notifies whom, and ensuring legal teams are involved early. Fumbling a regulatory response during a breach only compounds the damage, making a stressful situation worse.

When the alarms sound and an incident escalates, the board’s role becomes vital. While the day-to-day response is led by operational teams, the board sets the tone, offering strategic direction, reassuring stakeholders, and ensuring that decisions align with long-term values. That includes making time-critical choices, like whether to shut down systems or communicate publicly, often under intense scrutiny and limited information. It’s essential that these conversations have happened before the incident, because hesitation can be costly, and ambiguity risks both security and public trust.

One of the most overlooked areas in incident planning is people: not just the incident response team, but the entire workforce. Staff need reassurance during a breach; they need to know what’s going on, what’s expected of them, and where to find reliable information. Effective communications, internally and externally, help contain panic and maintain cohesion. This means having prepared messaging templates, designated spokespeople, and even support channels for staff welfare. In the eye of a cyber storm, empathy is just as important as encryption.

Recovery doesn’t end with restoring systems. Every incident is a learning opportunity. Organisations must conduct thorough post-incident reviews, looking not only at technical failures but also process gaps, communication bottlenecks and cultural blind spots. A blame-free environment is essential here; people need to feel safe surfacing mistakes or near-misses without fear of repercussions. These insights should directly shape future planning, training and even procurement strategies.

Third-party coordination is another vital piece of the puzzle. Very few organisations operate in isolation today. Incidents affecting suppliers or partners can ripple through your systems just as surely as a direct attack. That’s why your incident response plan must extend to include key external partners, clarifying roles, obligations and expectations in times of crisis. Contracts should include incident response clauses, and joint exercises can reveal how resilient your supply chain really is.

Lastly, incident response must never sit apart from wider business continuity and disaster recovery planning. Cyber threats don’t exist in a vacuum; they disrupt operations, prevent payroll, stall customer service and bring logistics to a halt. Your cyber response should dovetail seamlessly with your continuity playbook, ensuring essential services can continue, even if under degraded conditions.

Resilience isn’t just about technology; it’s about culture, preparation and leadership. It’s the ability to withstand disruption, recover with integrity, and emerge stronger. A well-tested incident response plan is more than a safety net; it’s an organisational strength. And when combined with human readiness, honest communication, and a supportive culture, it becomes one of the most powerful tools in your defence strategy.

When the breach happens (and it will) it’s the care and clarity with which you’ve planned, tested and communicated that will carry you through. That’s not just good security practice – it’s good business.