Cyber Security Incident Response Management, Training and Exercises

"Thankfully, we now live in a world where it is accepted that data breaches happen and organisations are more comfortable disclosing that they have been victim to an attack. However, with this welcome move away from victim blaming, organisations are now being judged more on how well they manage a breach.”

Brian Honan in Computer Weekly





How well does your organisation manage its cyber risk?  Do you have a response plan for cyber incidents?

PlanB Consulting is here to help your organisation be prepared to respond to cyber incidents and manage your cyber risk. 

Our Service: Cyber Gap Analysis

The SUNBURST hack in 2020 of the SolarWinds Orion Software showed that any organisation could be vulnerable to a cyber breach. The hack compromised 18,000 of the organisation's systems' including many USA Government organisations.

No matter how well prepared an organisation is, there is always a risk, so the key is to prepare your response as well.

Large organisations like Equifax, Marriot and Travelex have demonstrated the repercussions of a poor cyber incident response, and are good examples of how not to manage a data breach

Many of the mistakes they made in their response could have been avoided by training, preparation and exercising.

To avoid your organisation making the same mistakes, PlanB Consulting can audit your organisation and assess your level of preparation in managing cyber risk.

Our Gap Analysis

PlanB Consulting can carry out a full review of your level of preparation, maturity level if required and then produce a gap analysis which details the suggested work you should carry out.

PlanB Consulting can provide your organisation with a Cyber Gap Analysis covering the following 6 areas:

1.     Risks
Does your organisation understand what you have to lose during a data breach?  Have you had a comprehensive cyber risk assessment and audit carried out on your cyber risks and vulnerabilities? 

2.     Technical Response
Are there plans and playbooks in place for dealing with the different cyber incidents the organisation could face? Have recovery and disaster recovery plans been tested?

3.     Crisis Management
Do you have crisis communications plans and procedures in place for different types of cyber incidents?

4.     Communications and Reputation Management
Do you have comprehensive communications plans in place for different types of cyber incidents?

5.     Third Parties
Do you have relationships or contracts in place with appropriate third parties which could fill in-house knowledge gaps and provide expertise?

6.     Exercises and Training
What is the level of cyber knowledge of those who would respond to a cyber incident and what training they have had? When were the plans last exercised and have cyber scenarios been exercised?.

Methodology for the gap analysis

The following are the stages of the gap analysis:

  1. Project kick-off meeting
  2. Document review
  3. Interviews with key organisation personnel
  4. Write up and agree on the report
  5. Deliver report
  6. Optional report presentation to senior managers


Report identifying the organisation cyber incident management gaps against best practice and recommendations for improvement.

To book a gap analysis click here

Our Service: Cyber Exercises

You are going to be hacked: Have a plan,” said Josef Demarest, of the FBI. "You should also test and exercise that plan". 



When British Airways, Marriott, Travelex, and Equifax were hacked, their poor responses and the fallout this caused has highlighted the need for companies both large and small to be prepared for managing the external response to a cyber attack.

PlanB Consulting offers a wide range of cyberattack response exercises for organisations to explore and practice their incident management plans.

We have delivered a large number of different exercises from a full SIMEX (Simulated Exercise / Command Post exercise) for a Private Bank, to Table Top Exercises for government organisations, emergency services and a number of fintech organisations.

We will plan your exercise to be different from the standard business continuity or crisis management scenarios. The exercise will involve strategic response, be challenging and have media interest. The scenario will be credible and tie-in with current real incidents.

Our Cyber Response Exercises involve:

  1. Strategic decisions, such as:

    • Whether to turn off systems if you suspect they have been compromised.

    • When you need to involve law enforcement.

    • When to engage with the media.

    • And how to respond to any ransom demands.

    • When and how to inform stakeholders

  2. How to communicate with a wide variety of stakeholders including:
    • Managing the response to the media.
    • When to tell stakeholders and customers that there has been a possible breach
    • Regulatory reporting in the jurisdictions the organisation operates in
    • Reporting to the ICO
    • Managing stakeholders across a number of time zones if applicable.
    • What guidance should be sent to stakeholders if personal data has been lost.
    • Managing speculation and rumour.
  3. Managing the interface between those responding technically and those managing the incident and communications.

Those taking part in PlanB Consulting exercises can practice their media and social response in real-time using our MITS Platform.

“The amount of time spent planning, preparing, communicating, rehearsing and exercising will have a direct bearing on your ability to survive, overcome and eventually benefit from cyber-attack. If little time is spent preparing and planning, the consequences will be severe and potentially long-lasting.”

Senior Security Leader of Top Ten Global Brand hit by high profile breach] Liaison with law enforcement and managing the forensic elements of


PlanB Consulting Cyber blog: What lessons can we learn from Marriott’s response to its Cyber Breach?

Our Service: Cyber Briefings for Senior Managers / C Suite

PlanB Consulting has carried out cyber briefings for a number of different organisations ensuring that their senior management understands the threat, their existing level of resilience and some of the issues they will face during a cyber incident.
These have varied from one hour to a half-day training session.

All sessions are tailored to the needs of the organisation and the particular topics they want to cover.  A typical agenda could include:

  1. The cyber incident landscape and review of recent incidents.
  2. Understanding the different types of cyber threats.
  3. Understanding your risk profile  - what do you have to lose?
  4. The role of the crisis management team / gold team / strategic team in managing an incident.
  5. Crisis communications during a cyber incident.
  6. Reporting the incident and GDPR requirements for data breach reporting.

Our Service: Cyber Incident Management and Response Training for Teams

PlanB Consulting carried out its first Cyber Incident Management and Response Training course back in May 2017. The audience was the Business Continuity Coordinators of a Local Authority. Since then, we have carried out regular cyber incident management training courses in both the public and private sector.

PlanB Consulting has also developed a two-day public training course 'Managing and Preparing for Cyber Incidents' which is marketed and delivered by sister company Business Continuity Training. Details of their course and the dates of the training are available here.

This training course is Certified by the NCSC (National Cyber Security Centre)

Our Cyber Incident Management and Response for Teams course is tailored to suit each client and can cover a wide variety of different subjects including:

  1. Cyber Incident landscape and recent case studies.
  2. Understanding the different types of cyber threats including targeted and untargeted attacks.
  3. Preparing for a possible attack.
  4. Developing an incident response.
  5. Decision making during incidents.
  6. Development of incident responses, including playbooks.
  7. Reporting cyber incidents and data breach reporting and GDPR.
  8. Cyber insurance and third party support.
  9. Detecting, containing and responding to an attack.
  10. Managing the response alongside 'techies' - what information they want from you.
  11. Development a crisis communications strategy.
  12. Developing and running cyber exercises.

Our Service: Responding to Cyber Incidents, Plan Writing and Developing Cyber Response Playbooks.

PlanB Consulting can help you develop the following:

  1. Cyber incident management playbooks for specific cyber incidents such as ransomware, data breach or DDOs attack.
  2. Help develop playbooks which can help executive decision making, where decisions are needed at short notice such as during a ransomware attack whether to disconnect all external internet connections.
  3. Response Plans for managing the executive level response to a cyber incident.
  4. Cyber crisis management plans
  5. Crisis Communications Plan including the preparation needed prior to a cyber incident.
  6. Developing a cyber risk assessment to understand your worst-case exposure if all organisation systems are compromised. 

You can read recent articles on the subject 'What is a playbook and do you need one?', here

PlanB Consulting's Model for Cyber Incident Response

The following diagram shows our model for incident response. Notice that only one quarter (red) is assigned to the technical response.

The four areas of response are:

  1. The IT Incident Technical Response covers the initial detection of the incident, triage and the first response to the incident. It includes containing the cyber security incident, eradicating the cause of the incident and gathering and preserving evidence. Finally, it covers recovering systems, data and connectivity and returning the system to normal operation.

  2. We believe that the success or failure of your incident response is determined by the attitude of your stakeholders and their opinion on how well you responded.

    This is why a key part of responding to a cyber incident is the Reputation and Stakeholder Management. This requires preparation carried out in advance, a robust incident management plan and playbooks for dealing with specific incidents.

  3. For data breach reporting, under GDPR there are now designated times at which an organisation must report a cyber breach to the Information Commissioner's Office (ICO). They no longer have the luxury of being able to do a thorough investigation, identify the data which has been compromised and determine a list of effected stakeholders.

    Different agencies and the police may also have to be involved. You must have a robust plan in place dealing your organisations for dealing with Statutory and Regulatory Reporting, including GDPR, and that the plan should be exercised and tested.

  4. Lastly, existing Business Continuity and Continuity of Operation's plans should also be used during a cyber breach. They should contain useful information on which system to restore first, which part of the organisation needs to be recovered first and how quickly. This can be found by looking at the organisation’s BIA and looking for each activity’s RTO, and their underpinning IT systems. The organisation should also have a manual workaround for an IT and telecoms failure, which can be used if external connections have been disconnected, or if staff have been told not to use their PC or laptops to access the organisation’s systems. 

Feedback from recent Cyber Training

Stuart Wadley Ports and Harbours - Rated Course: "Excellent" Comment: "Excellent Delivery, engaging and thought provoking"

Denise Bell HR - Rated Course: "Very good" Comment: "Liked the practical, no-nonsense approach"