Companies in today's data-driven, interconnected business environment face a constant risk of data breaches. Whether the cause is an intrusion by an attacker, a breach at a vendor or an employee inadvertently sending sensitive information to the wrong business partner, incidents come in a wide range of shapes and sizes. Most companies have now reviewed their incident response policies and procedures to ensure they have some sort of plan in place to guide the company in responding to such events, but that is not enough. It is critical for companies to test their plans so that key personnel truly understand the roles they will play and the decisions they will have to make during an actual breach, before the breach occurs. Without such testing, a company has little way to gauge whether the plan will be effective in a real incident.
Before testing begins, companies need to have a strong incident management process in place. One approach to such a process is a three-tiered structure: a technical response plan to handle the IT and evidentiary aspects of investigating security incidents (and incidents that require only a technical response); a business/legal response plan to address non-crisis security incidents that require legal involvement (often "privacy" incidents that require notifications to individuals because their personal information may have been compromised); and a cyber crisis management plan that sits above these plans and brings together an executive-level team to handle incidents that could have a severe legal, financial or reputational impact on the organization.