Organizations Lack Incident Response Plans, but Answers Are on the Way
Developing strong incident response plans remains an area that requires significant improvement. Here are some shortcomings and how to address them.
Arielle Waldman,Features Writer,Dark Reading
April 11, 2025
Ransomware attacks are on the rise, data breaches are exposing sensitive information belonging to millions of individuals, and businesses are experiencing significant disruptions to their operations. Yet for many organizations, their incident response (IR) plans are outdated and ineffective at handling the current threats.
Not having a strong IR plan can lead to financial and reputational damage, but organizations struggle to maintain plans that are both clear and thorough. As a result, victim organizations face more recovery challenges. For many, creating an IR plan is not considered a priority because they think they won't get hit with a cyberattack, their cyber-insurance policies will handle the problem, or there are other ways to deal with the incidents, says Alex Waintraub, senior director of cybersecurity at VMG Health. Waintraub will be speaking at RSA Conference in San Francisco later this month about "10 Common Flaws in Incident Response Plans."
"The reason I started my whole white paper around IR planning was because of over 400 ransomware cases that I've worked on, maybe 1% had an IR plan and maybe one company, this law firm, was continually updating it," Waintraub says.
What's the Problem?
Industry experts and government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), tout the importance of developing and maintaining a strong IR plan. CISA has published guidance outlining what to do before, during, and after a security incident. Beforehand, actions include training the staff, reviewing the plan with an attorney, conducting attack simulations, and assessing and updating the plan quarterly. Afterward, actions include holding a formal retrospective meeting and updating procedures. Still, organizations struggle to implement these IR basics — that's if they even have a plan.
While CISA recommends that organizations provide guidance on key activities following an incident, this information is missing from many IR plans, Waintraub says. Organizations also make the mistake of never testing their IR plans. IR is a stressful, often high-stakes situation that requires preparedness. Updating the plan is also critical as attackers adapt and advance their tactics and the government issues new data breach and reporting regulations.
Ransomware Groups Are Listening
Defining clear roles and responsibilities, developing an effective communications strategy, and having an overall framework to deal with a cybersecurity incident are essential to a strong IR plan. Despite some improvements, Waintraub says, many organizations continue to flounder in all three areas.
"On the other side, we're hearing managed service providers saying, 'I've seen so many times the roles and responsibilities were all over the place.' You don't want to figure out at the time of a cyber crisis who is supposed to be doing what," he says. "I've seen it way too many times, including recently, where we're all trying to figure out who is the communication point for stakeholders and executives."
Communication security is also essential. Many times, ransomware groups will maintain persistence in the victim organization's environment — sitting in email tenants or application servers — and know when IR is brought in to help. That makes IR even more challenging and complicated.
"The toughest flaw, flaw No. 8, is testing your plan against the worst-case scenario," Waintraub says.
Change Healthcare Attack Inspired Change
The problem narrows down to three categories: organizations have an IR plan that does not cover the type of incident that's occurring, they have no plan at all, or they have a plan but haven't updated it. However, recent attacks may be pushing organizations to act.
Last year, the BlackCat/ALPHV ransomware group claimed responsibility for an attack against UnitedHealth's Change Healthcare. Cascading fallout led to severe disruptions for downstream customers, patient care, and reimbursement services.
It also resulted in the largest reported data breach, affecting more than 190 million individuals.
"Especially since Change Healthcare, I'm seeing a lot of companies ask me how to update and refine their plans," Waintraub says. "[They ask,] 'How do we write our plan for these types of incidents so that we're not down and have business interruption?'"
About the Author
Arielle Waldman
Features Writer, Dark Reading
Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.