In the several NIS 2 assessments I have done over the last couple of months, ranging from governments in Belgium to organizations in the financial industry to international companies, one of the top three findings that keeps coming back is the lack of a documented Incident Response procedure.
Now, what is that?
Imagine your organization is hit by a cyber attack one day. Ransomware is installed, everything is encrypted, systems are down, sensitive documentation and information are stolen, and basically, the whole organization is shut down. We have seen this happen to hospitals and governments as well. What do you do? How do you respond? That is your Incident Response plan or procedure.
Now, when I ask clients this question, they typically say, very honestly, "Well, Jetro, that's a great question. If this were to happen, all hell would break loose, and we would panic." And that is the reality. So, what NIS 2 mandates is that we prepare for such an event and have our Incident Response plan documented.
What does that mean?
Document the roles and responsibilities:
Who is responsible for what?
Who is responsible for cloud systems and on-premises systems?
Who is the Data Protection Officer?
Who will communicate with the press or the outside world in case of such an incident?
All these roles and responsibilities need to be documented.
But also:
Which authorities will we contact or inform of such an event, and within what deadlines? (For a significant incident, NIS 2 Article 23 requires an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month, so the procedure must name who is on the clock for each.)
Who will handle the contact and outreach to the government and the authorities?
What are the communication channels, and which of them still work when the corporate network, e-mail and identity provider are down?
Panic mode
During a crisis, everybody is in panic mode. How do we communicate? Some organizations keep all this information on SharePoint, but if SharePoint is unavailable, or if the attacker controls the accounts that log in to it, well, good luck finding out who to contact and when.
So, what I always recommend is an out-of-band backup communication channel, such as a WhatsApp group reserved for emergency purposes only, that does not depend on the corporate identity provider, plus an offline copy of the contact list and the procedure itself. That is what documenting the steps we need to take in a crisis or an incident is really about.
Practice
The second thing is that we need to practice. Just as with fire drills, where we physically sound the fire alarm, evacuate to the designated spot, and perform headcounts, we need to do the same in the cyber world. Cyber incidents must be drilled and simulated throughout the year, for example with tabletop exercises that walk the named roles through a ransomware scenario, including the authority notification and the backup communication channel, so that the first time anyone uses them is not during a real incident.
Lessons learned
The third thing we have to do is a lessons-learned exercise. While doing these drills, you will find bottlenecks or things that did not go well. That is perfectly fine. We learn from them, use that knowledge to update the documentation and procedures, drill again, and continue improving.
NIS 2 is not about achieving perfection. It is about increasing your cyber resilience through continuous improvement.
Conclusion
So three key takeaways:
Document your Incident Response procedure, including roles, authorities and reporting deadlines, and have an out-of-band backup communication channel.
Conduct exercises, drills, and simulations—practice, practice, practice.
Learn from mistakes, refine processes, and apply that knowledge to improve.
By following these steps, you will increase your organization's cyber resilience.
And with that said, I wish you a wonderful day and see you next time.
Jetro
I help European Organizations Strengthen Their Digital Security & Compliance
Outcome: Reduced Risk 🔸 Improved Cyber Resilience 🔸 More Peace of Mind