What to do during and following an incident to limit staff attrition
In Part 1, we covered the roles that experience elevated attrition following a cyber incident, and some of the drivers behind it. This week, we’re covering strategies to limit attrition caused by incidents.
Communicate clearly
Establish dedicated internal communication channels that provide regular, honest updates about the situation. Keep the teams that usually work with the incident responders informed about the responders' priorities and how those priorities will affect their capacity for other work (limited to none). Create safe spaces for teams to raise concerns and ask questions without fear of retribution.
Support the team
Implement structured rotation schedules for response teams to prevent burnout. Offer immediate access to employee assistance programs. Offer practical support to help staff who are working long hours - food, accommodation, and support that extends to the family of staff members can have an outsized impact on how supported employees feel (85.7% of response team members surveyed by Northman said the quality of the food they ate was important).
Empower employees
Give response teams clear authority to make fast decisions within their domains. Rapid decision making should be praised, even where the right call (with hindsight) was not made. Focus your efforts on enabling staff with additional support from internal and external sources.
Recognise contributions
Protect team members from external pressure and blame while ensuring their efforts are visible to organisational leadership. Create mechanisms to acknowledge extraordinary efforts during the response period.
Provide time to cool down
With a big to-do list generated by the incident, the natural response is to keep pushing forward to address remediation and uplift activities. This is the right thing organisationally, but it’s important to build in time for individual members of staff - including executives and leaders - to take the time to unwind and reflect after an incident. These absences can be planned for and staggered to keep momentum while setting up the organisation for the long road ahead with refreshed and retained staff.
Conduct a post-incident review (PIR)
Focus on systemic improvements rather than individual blame. Identify and address underlying organisational issues that contributed to staff stress during the incident and develop a plan to fix these issues. Use the review process to provide a voice for staff who want to be heard. Northman found 56.8% of staff would have liked to discuss and reflect with colleagues about the attack, and 71.5% of the response team wanted the time to apply the lessons learned - give them the platform to do so.
Invest in security enhancements
Demonstrate a tangible commitment to security improvements through resource allocation and strategic changes. Address capability gaps identified during the incident and share high-level progress. Focus initially on the tactical measures that are most likely to prevent a repeat incident.
Provide opportunities for growth
Staff that have endured an incident have gained a set of valuable skills and experience. Review career progression plans in light of their gained experience. Consider proactive retention packages for key leaders who demonstrated exceptional capability during the crisis.
By acknowledging the human impact of cyber incidents and actively working to support affected staff, organisations can maintain their response capabilities while preserving the institutional knowledge critical for long-term security.
There are positives to experiencing a cyber incident - staff that have endured an incident together are often closer, with more trust in their peers, and a sense of camaraderie. But if organisations don’t take care of staff during and after incidents, they won’t be the beneficiaries of this dynamic, or the new skills and experience gained by their teams.
The true cost of losing experienced staff after an incident extends beyond recruitment and backfill expenses. It includes lost institutional knowledge, reduced response capability, and potential cascade effects on team morale - at a time when there is usually a large program of remediation and uplift work to deliver. Organisations that successfully manage this challenge set themselves up to build back faster and better.